feat(helmfile): Add template support for annotations

2025-12-06 07:21:36 +01:00 · 2024-12-10 16:58:09 +00:00
16 changed files with 213 additions and 13 deletions
--- a/helmfile/apps/collabora/values.yaml.gotmpl
+++ b/helmfile/apps/collabora/values.yaml.gotmpl
@@ -70,6 +70,9 @@ ingress:
      acl admin_url path_beg /cool/adminws/
      acl admin_url path_beg /browser/dist/admin/admin.html
      http-request deny if admin_url
+   {{- with .Values.annotations.collabora.ingress }}
+   {{ . | toYaml | nindent 4 }}
+   {{- end }}
  enabled: {{ .Values.ingress.enabled }}
  className: {{ .Values.ingress.ingressClassName | quote }}
  hosts:
@@ -82,7 +85,8 @@ ingress:
      hosts:
        - "{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"

-podAnnotations: {}
+podAnnotations:
+  {{ .Values.annotations.collabora.pod | toYaml | nindent 2 }}

 podSecurityContext:
  fsGroup: 100
--- a/helmfile/apps/cryptpad/values.yaml.gotmpl
+++ b/helmfile/apps/cryptpad/values.yaml.gotmpl
@@ -39,6 +39,9 @@ ingress:
  enabled: {{ .Values.ingress.enabled }}
  annotations:
    nginx.org/websocket-services: "cryptpad"
+   {{- with .Values.annotations.cryptpad.ingress }}
+   {{ . | toYaml | nindent 4 }}
+   {{- end }}
  className: {{ .Values.ingress.ingressClassName | quote }}
  hosts:
    - host: "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
@@ -53,7 +56,8 @@ ingress:
 persistence:
  enabled: false

-podAnnotations: {}
+podAnnotations:
+  {{ .Values.annotations.jitsiKeycloakAdapter.pod | toYaml | nindent 2 }}

 podSecurityContext:
  fsGroup: 4001
--- a/helmfile/apps/element/values-element.yaml.gotmpl
+++ b/helmfile/apps/element/values-element.yaml.gotmpl
@@ -136,8 +136,11 @@ ingress:
  tls:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
+  annotations:
+    {{ .Values.annotations.element.ingress | toYaml | nindent 4 }}

-podAnnotations: {}
+podAnnotations:
+  {{ .Values.annotations.element.pod | toYaml | nindent 2 }}

 podSecurityContext:
  enabled: true
@@ -148,6 +151,14 @@ replicaCount: {{ .Values.replicas.element }}
 resources:
  {{ .Values.resources.element | toYaml | nindent 2 }}

+service:
+  annotations:
+    {{ .Values.annotations.element.service | toYaml | nindent 4 }}
+
+serviceAccount:
+  annotations:
+    {{ .Values.annotations.element.serviceAccount | toYaml | nindent 4 }}
+
 theme:
  {{ .Values.theme | toYaml | nindent 2 }}

--- a/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl
@@ -42,7 +42,8 @@ image:
  repository: {{ .Values.images.matrixUserVerificationService.repository | quote }}
  tag: {{ .Values.images.matrixUserVerificationService.tag | quote }}

-podAnnotations: {}
+podAnnotations:
+  {{ .Values.annotations.matrixUserVerificationService.pod | toYaml | nindent 2 }}

 podSecurityContext:
  enabled: true
@@ -53,4 +54,12 @@ replicaCount: {{ .Values.replicas.matrixUserVerificationService }}
 resources:
  {{ .Values.resources.matrixUserVerificationService | toYaml | nindent 2 }}

+service:
+  annotations:
+    {{ .Values.annotations.matrixUserVerificationService.service | toYaml | nindent 4 }}
+
+serviceAccount:
+  annotations:
+    {{ .Values.annotations.matrixUserVerificationService.serviceAccount | toYaml | nindent 4 }}
+
 ...
--- a/helmfile/apps/element/values-synapse-web.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-web.yaml.gotmpl
@@ -44,6 +44,9 @@ ingress:
    nginx.org/client-max-body-size: "{{ .Values.ingress.parameters.bodySize.element }}"
    nginx.org/proxy-read-timeout: "{{ .Values.ingress.parameters.bodyTimeout.element }}s"
    nginx.org/proxy-send-timeout: "{{ .Values.ingress.parameters.bodyTimeout.element }}s"
+    {{- with .Values.annotations.synapseWeb.ingress }}
+    {{ . | toYaml | nindent 4 }}
+    {{- end }}
  host: "{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}"
  enabled: {{ .Values.ingress.enabled }}
  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
@@ -51,7 +54,8 @@ ingress:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}

-podAnnotations: {}
+podAnnotations:
+  {{ .Values.annotations.synapseWeb.pod | toYaml | nindent 2 }}

 podSecurityContext:
  enabled: true
@@ -62,4 +66,12 @@ replicaCount: {{ .Values.replicas.synapseWeb }}
 resources:
  {{ .Values.resources.synapseWeb | toYaml | nindent 2 }}

+service:
+  annotations:
+    {{ .Values.annotations.synapseWeb.service | toYaml | nindent 4 }}
+
+serviceAccount:
+  annotations:
+    {{ .Values.annotations.synapseWeb.serviceAccount | toYaml | nindent 4 }}
+
 ...
--- a/helmfile/apps/element/values-synapse.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse.yaml.gotmpl
@@ -161,6 +161,8 @@ federation:
    tls:
      enabled: {{ .Values.ingress.tls.enabled }}
      secretName: {{ .Values.ingress.tls.secretName | quote }}
+    annotations:
+      {{ .Values.annotations.synapse.ingress | toYaml | nindent 6 }}

 global:
  domain: {{ .Values.global.domain | quote }}
@@ -179,7 +181,8 @@ persistence:
  size: {{ .Values.persistence.size.synapse | quote }}
  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}

-podAnnotations: {}
+podAnnotations:
+  {{ .Values.annotations.synapse.pod | toYaml | nindent 2 }}

 podSecurityContext:
  enabled: true
@@ -194,6 +197,14 @@ replicaCount: {{ .Values.replicas.synapse }}
 resources:
  {{ .Values.resources.synapse | toYaml | nindent 2 }}

+service:
+  annotations:
+    {{ .Values.annotations.synapse.service | toYaml | nindent 4 }}
+
+serviceAccount:
+  annotations:
+    {{ .Values.annotations.synapse.serviceAccount | toYaml | nindent 4 }}
+
 tls:
  secretName: {{ if .Values.global.matrixDomain }}"opendesk-certificates-synapse-tls"{{ else }}"opendesk-certificates-tls"{{ end }}
 ...
--- a/helmfile/apps/element/values-well-known.yaml.gotmpl
+++ b/helmfile/apps/element/values-well-known.yaml.gotmpl
@@ -44,8 +44,11 @@ ingress:
  tls:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
+  annotations:
+    {{ .Values.annotations.elementWellKnown.ingress | toYaml | nindent 4 }}

-podAnnotations: {}
+podAnnotations:
+  {{ .Values.annotations.elementWellKnown.pod | toYaml | nindent 2 }}

 podSecurityContext:
  enabled: true
@@ -56,4 +59,11 @@ replicaCount: {{ .Values.replicas.wellKnown }}
 resources:
  {{ .Values.resources.wellKnown | toYaml | nindent 2 }}

+service:
+  annotations:
+    {{ .Values.annotations.elementWellKnown.service | toYaml | nindent 4 }}
+
+serviceAccount:
+  annotations:
+    {{ .Values.annotations.elementWellKnown.serviceAccount | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
+++ b/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
@@ -75,6 +75,10 @@ jitsi:
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    ingress:
      enabled: {{ .Values.ingress.enabled }}
+      annotations:
+        {{- with .Values.annotations.jitsi.ingress }}
+        {{ . | toYaml | nindent 8 }}
+        {{- end }}
      ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
      hosts:
        - host: "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
@@ -102,6 +106,8 @@ jitsi:
        type: "RuntimeDefault"
      seLinuxOptions:
        {{ .Values.seLinuxOptions.jitsi | toYaml | nindent 8 }}
+    podAnnotations:
+      {{ .Values.annotations.jitsi.pod | toYaml | nindent 6 }}
  prosody:
    image:
      repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.prosody.registry }}/{{ .Values.images.prosody.repository }}"
@@ -151,6 +157,8 @@ jitsi:
        type: "RuntimeDefault"
      seLinuxOptions:
        {{ .Values.seLinuxOptions.prosody | toYaml | nindent 8 }}
+    podAnnotations:
+      {{ .Values.annotations.prosody.pod | toYaml | nindent 6 }}
  jicofo:
    replicaCount: {{ .Values.replicas.jicofo }}
    image:
@@ -174,6 +182,8 @@ jitsi:
        type: "RuntimeDefault"
      seLinuxOptions:
        {{ .Values.seLinuxOptions.jicofo | toYaml | nindent 8 }}
+    podAnnotations:
+      {{ .Values.annotations.jicofo.pod | toYaml | nindent 6 }}
  jvb:
    replicaCount: {{ .Values.replicas.jvb }}
    # The `useNodeIP` option provided by the upstream charts does not support all relevant scenarios, but since
@@ -202,6 +212,8 @@ jitsi:
        type: "RuntimeDefault"
      seLinuxOptions:
        {{ .Values.seLinuxOptions.jvb | toYaml | nindent 8 }}
+    podAnnotations:
+      {{ .Values.annotations.jvb.pod | toYaml | nindent 6 }}
  jibri:
    replicaCount: {{ .Values.replicas.jibri }}
    image:
@@ -218,10 +230,16 @@ jitsi:
      # Chart does not allow to template more
      capabilities:
        add: ["SYS_ADMIN"]
+    podAnnotations:
+      {{ .Values.annotations.jibri.pod | toYaml | nindent 6 }}
  imagePullSecrets:
  {{- range .Values.global.imagePullSecrets }}
    - name: {{ . | quote }}
  {{- end }}
+  serviceAccount:
+    annotations:
+      {{ .Values.annotations.jitsi.serviceAccount | toYaml | nindent 6 }}
+

 patchJVB:
  configuration:
@@ -248,10 +266,15 @@ patchJVB:
    repository: {{ .Values.images.jitsiPatchJVB.repository | quote }}
    tag: {{ .Values.images.jitsiPatchJVB.tag | quote }}

-podAnnotations: {}
+podAnnotations:
+  {{ .Values.annotations.cryptpad.pod | toYaml | nindent 2 }}

 replicaCount: {{ .Values.replicas.jitsiKeycloakAdapter }}

 resources:
  {{ .Values.resources.jitsiKeycloakAdapter | toYaml | nindent 2 }}
+
+serviceAccount:
+  annotations:
+    {{ .Values.annotations.jitsiPatchJVB.serviceAccount | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
@@ -13,6 +13,13 @@ global:

 additionalAnnotations:
  intents.otterize.com/service-name: "opendesk-nextcloud-php"
+  {{- with .Values.annotations.nextcloudManagement.all }}
+  {{ . | toYaml | nindent 2}}
+  {{- end }}
+
+serviceAccount:
+  annotations:
+    {{ .Values.annotations.nextcloudManagement.serviceAccount | toYaml | nindent 4 }}

 cleanup:
  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
--- a/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
@@ -51,6 +51,14 @@ exporter:
 aio:
  additionalAnnotations:
    intents.otterize.com/service-name: "opendesk-nextcloud"
+    {{- with .Values.annotations.nextcloud.all }}
+    {{ . | toYaml | nindent 4 }}
+    {{- end }}
+
+  serviceAccount:
+    annotations:
+      {{ .Values.annotations.nextcloud.serviceAccount | toYaml | nindent 6 }}
+
  configuration:
    cache:
      auth:
@@ -123,11 +131,15 @@ aio:
      nginx.org/client-max-body-size: "{{ .Values.ingress.parameters.bodySize.nextcloud }}"
      nginx.org/proxy-read-timeout: "{{ .Values.ingress.parameters.bodyTimeout.nextcloud }}s"
      nginx.org/proxy-send-timeout: "{{ .Values.ingress.parameters.bodyTimeout.nextcloud }}s"
+      {{- with .Values.annotations.nextcloud.ingress }}
+        {{ . | toYaml | nindent 8 }}
+      {{- end }}
    ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
    host: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
    tls:
      secretName: {{ .Values.ingress.tls.secretName | quote }}
-  podAnnotations: {}
+  podAnnotations:
+    {{ .Values.annotations.nextcloud.podAnnotations | toYaml | nindent 6 }}
  podSecurityContext:
    fsGroup: 101
  prometheus:
--- a/helmfile/apps/opendesk-migrations-post/values.yaml.gotmpl
+++ b/helmfile/apps/opendesk-migrations-post/values.yaml.gotmpl
@@ -3,7 +3,12 @@
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
-podAnnotations: {}
+podAnnotations:
+  {{ .Values.annotations.migrationsPost.pod | toYaml | nindent 2 }}
+
+serviceAccount:
+  annotations:
+    {{ .Values.annotations.migrationsPost.serviceAccount | toYaml | nindent 4 }}

 migrations:
  stage: "POST"
--- a/helmfile/apps/opendesk-migrations-pre/values.yaml.gotmpl
+++ b/helmfile/apps/opendesk-migrations-pre/values.yaml.gotmpl
@@ -3,7 +3,12 @@
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
-podAnnotations: {}
+podAnnotations:
+  {{ .Values.annotations.migrationsPre.pod | toYaml | nindent 2 }}
+
+serviceAccount:
+  annotations:
+    {{ .Values.annotations.migrationsPre.serviceAccount | toYaml | nindent 4 }}

 migrations:
  stage: "PRE"
--- a/helmfile/apps/opendesk-openproject-bootstrap/values.yaml.gotmpl
+++ b/helmfile/apps/opendesk-openproject-bootstrap/values.yaml.gotmpl
@@ -72,4 +72,10 @@ podSecurityContext:
  fsGroup: 1000
  fsGroupChangePolicy: "OnRootMismatch"

+additionalAnnotations:
+  {{ .Values.annotations.openprojectBootstrap.all | toYaml | nindent 2 }}
+
+podAnnotations:
+  {{ .Values.annotations.openprojectBootstrap.pod | toYaml | nindent 2 }}
+
 ...
--- a/helmfile/apps/openproject/values.yaml.gotmpl
+++ b/helmfile/apps/openproject/values.yaml.gotmpl
@@ -118,7 +118,8 @@ memcached:
 persistence:
  enabled: false

-podAnnotations: {}
+podAnnotations:
+  {{ .Values.annotations.openproject.pod | toYaml | nindent 2 }}

 postgresql:
  bundled: false
@@ -164,6 +165,10 @@ openproject:
      admin: "openproject_admin"
  useTmpVolumes: true

+serviceAccount:
+  annotations:
+    {{ .Values.annotations.openproject.serviceAccount | toYaml | nindent 4 }}
+
 ingress:
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: "{{ .Values.ingress.parameters.bodySize.openproject }}"
@@ -172,6 +177,9 @@ ingress:
    nginx.org/client-max-body-size: "{{ .Values.ingress.parameters.bodySize.openproject }}"
    nginx.org/proxy-read-timeout: "{{ .Values.ingress.parameters.bodyTimeout.openproject }}s"
    nginx.org/proxy-send-timeout: "{{ .Values.ingress.parameters.bodyTimeout.openproject }}s"
+    {{- with .Values.annotations.openproject.ingress }}
+    {{ . | toYaml | nindent 4 }}
+    {{- end }}
  host: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
  enabled: {{ .Values.ingress.enabled }}
  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
--- a/helmfile/environments/default/annotations.yaml
+++ b/helmfile/environments/default/annotations.yaml
@@ -0,0 +1,73 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+annotations:
+  collabora:
+    ingress: ~
+    pod: ~
+  cryptpad:
+    ingress: ~
+    pod: ~
+  element:
+    ingress: ~
+    pod: ~
+    service: ~
+    serviceAccount: ~
+  elementWellKnown:
+    ingress: ~
+    pod: ~
+    service: ~
+    serviceAccount: ~
+  jicofo:
+    pod: ~
+  jitsi:
+    ingress: ~
+    pod: ~
+    serviceAccount: ~
+  jitsiKeycloakAdapter:
+    pod: ~
+  jitsiPatchJVB:
+    serviceAccount: ~
+  jvb:
+    pod: ~
+  prosody:
+    pod: ~
+  matrixUserVerificationService:
+    pod: ~
+    service: ~
+    serviceAccount: ~
+  migrationsPre:
+    pod: ~
+    serviceAccount: ~
+  migrationsPost:
+    pod: ~
+    serviceAccount: ~
+  nextcloudManagement:
+    all: ~
+    serviceAccount: ~
+  nextcloud:
+    all: ~
+    ingress: ~
+    serviceAccount: ~
+  openproject:
+    ingress: ~
+    pod: ~
+    serviceAccount: ~
+  openprojectBootstrap:
+    all: ~
+    pod: ~
+  synapse:
+    ingress: ~
+    pod: ~
+    service: ~
+    serviceAccount: ~
+  synapseWeb:
+    ingress: ~
+    pod: ~
+    service: ~
+    serviceAccount: ~
+  # XWiki has no annotation support.
+  # xwiki:
+  #   pod: ~
+
+...
--- a/helmfile/environments/default/charts.yaml.gotmpl
+++ b/helmfile/environments/default/charts.yaml.gotmpl
@@ -53,7 +53,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/collabora/charts-mirror"
    name: "collabora-online"
-    version: "1.1.21"
+    version: "1.1.26"
    verify: true
  cryptpad:
    # providerCategory: "Supplier"