feat(helm): Update upstream version

Signed-off-by: Axel Lender <lender@b1-systems.de>

docs/external-secrets.md

@@ -0,0 +1,38 @@
+<!--
+SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+-->
+
+<h1>External Secrets</h1>
+
+This document covers how to utilise external secrets and special requirements.
+
+<!-- TOC -->
+* [General](#general)
+* [Components](#components)
+  * [XWiki](#xwiki)
+<!-- TOC -->
+
+# General
+
+For most components when set the external secret will supersede e.g. a password in a `values.yaml` file.
+
+The file [`external_secrets.yaml`](/helmfile/environments/default/external_secrets.yaml.gotmpl) lists all possible references to external secrets that are currently implemented in openDesk.
+
+# Components
+
+This section covers information and special requirements to external secrets that some Helm Charts expect.
+
+## XWiki
+
+Properties listed in the file of the external secret will overwrite plain values.
+
+Like described in the [upstream `values.yaml`](https://github.com/xwiki-contrib/xwiki-helm/blob/master/charts/xwiki/values.yaml#L435) credentials and information about a user in external secrets listed in `propertiesSecret` have to be formatted as follows:
+
+```yaml
+stringData:
+  propertiesFile: |
+    propertie1=propertie1Value
+    propertie2=propertie2Value
+    propertie3=propertie3Value
+```

helmfile/apps/xwiki/values.yaml.gotmpl

@@ -20,17 +20,23 @@ imagePullSecrets:
   {{ .Values.global.imagePullSecrets | toYaml | nindent 2 }}
 
 javaOpts:
-  {{- if and (eq (env "OPENDESK_ENTERPRISE") "true") .Values.enterpriseKeys.xwiki.opendeskEnterpriseLicense .Values.enterpriseKeys.xwiki.proApplicationslicense }}
-  - "-Dlicenses={{ .Values.enterpriseKeys.xwiki.opendeskEnterpriseLicense }},{{ .Values.enterpriseKeys.xwiki.proApplicationslicense }}"
-  {{- end }}
   {{- if .Values.certificate.selfSigned }}
   - "-Djavax.net.ssl.trustStore=/etc/ssl/certs/truststore.jks"
   - "-Djavax.net.ssl.trustStoreType=jks"
-  - {{ printf "%s=%s" "-Djavax.net.ssl.trustStorePassword" .Values.secrets.certificates.password | quote }}
+  {{- end }}
+
+javaOptsSecrets:
+  {{- if .Values.certificate.selfSigned }}
+  trustStorePassword:
+    option: "-Djavax.net.ssl.trustStorePassword="
+    value: {{ .Values.secrets.certificates.password }}
+    secret:
+      name: {{ .Values.externalSecrets.certificates.password.name | quote }}
+      key: {{ .Values.externalSecrets.certificates.password.key | quote }}
   {{- end }}
 
 externalDB:
-  {{- if eq .Values.databases.xwiki.type "mariadb" }}
+   {{- if eq .Values.databases.xwiki.type "mariadb" }}
   password: {{ .Values.databases.xwiki.password | default .Values.secrets.mariadb.rootPassword | quote }}
   {{- else }}
   password: {{ .Values.databases.xwiki.password | default .Values.secrets.postgresql.xwikiUser | quote }}
@@ -39,7 +45,18 @@ externalDB:
   user: {{ .Values.databases.xwiki.username | quote }}
   host: {{ printf "%s:%d" .Values.databases.xwiki.host .Values.databases.xwiki.port | quote }}
   customKeyRef:
+    {{- if or (.Values.externalSecrets.mariadb.rootPassword.name) (.Values.externalSecrets.postgresql.xwikiUser.name) }}
+    enabled: true
+    {{- else }}
     enabled: false
+    {{- end }}
+    {{- if eq .Values.databases.xwiki.type "mariadb" }}
+    name: {{ .Values.externalSecrets.mariadb.rootPassword.name | quote }}
+    key: {{ .Values.externalSecrets.mariadb.rootPassword.key | quote }}
+    {{- else }}
+    name: {{ .Values.externalSecrets.postgresql.xwikiUser.name | quote }}
+    key: {{ .Values.externalSecrets.postgresql.xwikiUser.key | quote }}
+    {{- end }}
 
 securityContext:
   enabled: true
@@ -70,16 +87,11 @@ customConfigs:
     xwiki.authentication.ldap.photo_attribute: "jpegPhoto"
     ## Enable the synchronization of the LDAP profile picture
     xwiki.authentication.ldap.update_photo: 1
-    {{ if .Values.debug.enabled }}
-    ## Password of "superadmin" user, disables account if not password is set
-    xwiki.superadminpassword: {{ .Values.secrets.xwiki.superadminpassword | quote }}
-    {{ end }}
     ## LDAP Server configuration
     xwiki.authentication.ldap.server: {{ .Values.ldap.host | quote }}
     xwiki.authentication.ldap.port: 389
     ## Authentication to the LDAP server
     xwiki.authentication.ldap.bind_DN: "uid=ldapsearch_xwiki,cn=users,{{ .Values.ldap.baseDn }}"
-    xwiki.authentication.ldap.bind_pass: {{ .Values.secrets.nubus.ldapSearch.xwiki | quote }}
     ## Base DN used for searching for users
     xwiki.authentication.ldap.base_DN: "{{ .Values.ldap.baseDn }}"
     ## Allow short update cycles of the LDAP group cache
@@ -99,7 +111,6 @@ customConfigs:
     oidc.logoutMechanism: "rpInitiated"
     oidc.provider: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/opendesk"
     oidc.scope: "openid,opendesk-xwiki-scope"
-    oidc.secret: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
     oidc.skipped: false
     oidc.user.nameFormater: "${oidc.user.opendesk_username._clean._lowerCase}"
     oidc.user.subjectFormater: "${oidc.user.opendesk_username._lowerCase}"
@@ -111,12 +122,38 @@ customConfigs:
     url.trustedDomains: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
     workplaceServices.navigationEndpoint: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/portal/navigation.json"
     workplaceServices.base: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
-    workplaceServices.portalSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
     openoffice.serverType: "0"
     openoffice.autoStart: "false"
     openoffice.homePath: "/tmp"
     notifications.emails.live.graceTime: "5"
 
+customConfigsSecrets:
+  xwiki.cfg:
+    {{ if .Values.debug.enabled }}
+    ## Password of "superadmin" user, disables account if not password is set
+    xwiki.superadminpassword:
+      value: {{ .Values.secrets.xwiki.superadminpassword | quote }}
+      secret:
+        name: {{ .Values.externalSecrets.xwiki.xwikiSuperadminpassword.name | quote }}
+        key: {{ .Values.externalSecrets.xwiki.xwikiSuperadminpassword.key | quote }}
+    {{ end }}
+    xwiki.authentication.ldap.bind_pass:
+      value: {{ .Values.secrets.nubus.ldapSearch.xwiki | quote }}
+      secret:
+        name: {{ .Values.externalSecrets.nubus.ldapSearch.xwiki.name | quote }}
+        key: {{ .Values.externalSecrets.nubus.ldapSearch.xwiki.key | quote }}
+  xwiki.properties:
+    oidc.secret:
+      value: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
+      secret:
+        name: {{ .Values.externalSecrets.keycloak.clientSecret.xwiki.name | quote }}
+        key: {{ .Values.externalSecrets.keycloak.clientSecret.xwiki.key | quote }}
+    workplaceServices.portalSecret:
+      value: {{ .Values.secrets.centralnavigation.apiKey | quote }}
+      secret:
+        name: {{ .Values.externalSecrets.centralnavigation.apiKey.name | quote }}
+        key: {{ .Values.externalSecrets.centralnavigation.apiKey.key | quote }}
+
 ingress:
   enabled: {{ .Values.ingress.enabled }}
   className: {{ .Values.ingress.ingressClassName | quote }}
@@ -218,6 +255,14 @@ properties:
   "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchFilter":
     "(&(objectClass=opendeskKnowledgemanagementGroup)(opendeskKnowledgemanagementEnabled=TRUE))"
   "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.title": "Wissen - $!tdoc.displayTitle - {{ .Values.theme.texts.productName }}"
+  {{- if and (eq (env "OPENDESK_ENTERPRISE") "true") .Values.enterpriseKeys.xwiki.opendeskEnterpriseLicense .Values.enterpriseKeys.xwiki.proApplicationslicense }}
+  "licenses": "{{ .Values.enterpriseKeys.xwiki.opendeskEnterpriseLicense }},{{ .Values.enterpriseKeys.xwiki.proApplicationslicense }}"
+  {{- end }}
+
+## Properties listed in the secret file will overwrite plain values
+propertiesSecret:
+  name: {{ .Values.externalSecrets.xwiki.propertiesSecret.name | quote }}
+  key: {{ .Values.externalSecrets.xwiki.propertiesSecret.key | quote }}
 
 cluster:
   replicas: {{ .Values.replicas.xwiki }}

helmfile/environments/default/charts.yaml.gotmpl

@@ -535,6 +535,6 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/xwiki/charts-mirror"
     name: "xwiki"
-    version: "1.4.4"
+    version: "1.5.4"
     verify: false
 ...

helmfile/environments/default/external_secrets.yaml.gotmpl

@@ -0,0 +1,40 @@
+{{/*
+SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+externalSecrets:
+  centralnavigation:
+    apiKey:
+      name: ~
+      key: ~
+  certificates:
+    password:
+      name: ~
+      key: ~
+  keycloak:
+    clientSecret:
+      xwiki:
+        name: ~
+        key: ~
+  nubus:
+    ldapSearch:
+      xwiki:
+        name: ~
+        key: ~
+  mariadb:
+    rootPassword:
+      name: ~
+      key: ~
+  postgresql:
+    xwikiUser:
+      name: ~
+      key: ~
+  xwiki:
+    xwikiSuperadminpassword:
+      name: ~
+      key: ~
+    propertiesSecret:
+      name: ~
+      key: ~
+...