chore(release): 0.5.37 [skip ci]

## [0.5.37](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.36...v0.5.37) (2023-11-12) ### Bug Fixes * **openproject:** Add bootstrapping of Nextcloud filestore ([1971dfb](1971dfbded))
fix(openproject): Add bootstrapping of Nextcloud filestore
2025-12-06 15:31:38 +01:00 · 2023-11-12 15:54:06 +00:00 · 2023-11-12 15:52:22 +00:00
10 changed files with 126 additions and 3 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -384,6 +384,18 @@ openproject-deploy:
  variables:
    COMPONENT: "openproject"

+openproject-bootstrap-deploy:
+  stage: "component-deploy-stage-2"
+  extends: ".deploy-common"
+  rules:
+    - if: >
+          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
+          $NAMESPACE =~ /.+/ &&
+          ($DEPLOY_ALL_COMPONENTS != "no" || ($DEPLOY_OPENPROJECT != "no" && $DEPLOY_NEXTCLOUD != "no"))
+      when: "always"
+  variables:
+    COMPONENT: "openproject-bootstrap"
+
 jitsi-deploy:
  stage: "component-deploy-stage-1"
  extends: ".deploy-common"
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,10 @@
+## [0.5.37](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.36...v0.5.37) (2023-11-12)
+
+
+### Bug Fixes
+
+* **openproject:** Add bootstrapping of Nextcloud filestore ([1971dfb](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1971dfbded21d16909e889ba6d19ff9cf3e4cb20))
+
 ## [0.5.36](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.35...v0.5.36) (2023-11-10)


--- a/helmfile.yaml
+++ b/helmfile.yaml
@@ -20,6 +20,7 @@ helmfiles:
  - path: "helmfile/apps/openproject/helmfile.yaml"
  - path: "helmfile/apps/xwiki/helmfile.yaml"
  - path: "helmfile/apps/provisioning/helmfile.yaml"
+  - path: "helmfile/apps/openproject-bootstrap/helmfile.yaml"

 missingFileHandler: "Error"

--- a/helmfile/apps/openproject-bootstrap/helmfile.yaml
+++ b/helmfile/apps/openproject-bootstrap/helmfile.yaml
@@ -0,0 +1,36 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
+---
+repositories:
+  # openDesk OpenProject Bootstrap
+  # Source: Set when repo is managed on Open CoDE
+  - name: "opendesk-openproject-bootstrap-repo"
+    oci: true
+    # yamllint disable rule:line-length
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/opendesk-openproject-bootstrap" }}
+    # yamllint enable rule:line-length
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+
+releases:
+  - name: "opendesk-openproject-bootstrap"
+    chart: "opendesk-openproject-bootstrap-repo/opendesk-openproject-bootstrap"
+    version: "1.2.1"
+    wait: true
+    waitForJobs: true
+    values:
+      - "values.yaml"
+      - "values.gotmpl"
+    installed: {{ .Values.openproject.enabled }}
+    timeout: 900
+
+commonLabels:
+  deploy-stage: "component-2"
+  component: "opendesk-openproject-bootstrap"
+...
--- a/helmfile/apps/openproject-bootstrap/values.gotmpl
+++ b/helmfile/apps/openproject-bootstrap/values.gotmpl
@@ -0,0 +1,34 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: "{{ .Values.global.domain }}"
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  registry: "{{ .Values.global.imageRegistry }}"
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  registry: {{ .Values.global.imageRegistry }}
+  repository: "{{ .Values.images.openprojectBootstrap.repository }}"
+  tag: "{{ .Values.images.openprojectBootstrap.tag }}"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+
+cleanup:
+  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+  keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
+
+config:
+  openproject:
+    fileshareName: "Nextcloud at {{ .Values.global.domain }}"
+    admin:
+      username: {{ .Values.secrets.openproject.apiAdminUsername | quote }}
+      password: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
+  nextcloud:
+    admin:
+      username: "nextcloud"
+      password: {{ .Values.secrets.nextcloud.adminPassword | quote }}
+...
--- a/helmfile/apps/openproject-bootstrap/values.yaml
+++ b/helmfile/apps/openproject-bootstrap/values.yaml
@@ -0,0 +1,25 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  runAsUser: 1000
+  runAsGroup: 1000
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+
+job:
+  enabled: true
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 1000
+  fsGroupChangePolicy: "OnRootMismatch"
+...
--- a/helmfile/apps/openproject/values.gotmpl
+++ b/helmfile/apps/openproject/values.gotmpl
@@ -57,6 +57,8 @@ ingress:

 environment:
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_SECRET: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
+  OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_USER: {{ .Values.secrets.openproject.apiAdminUsername | quote }}
+  OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_PASSWORD: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ISSUER: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_POST__LOGOUT__REDIRECT__URI: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/"
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_HOST: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -70,7 +70,7 @@ images:
  keycloakBootstrap:
    repository: "souvap/tooling/images/ansible"
    tag: "4.10.0@sha256:89d8212c20e03b0fd079e08afaf3247c1b96b380c4db1b572d68d0b4a6abc0ac"
-    # @supplier: "Univention"
+    # @supplier: "openDesk DevSecOps"
  keycloakExtensionHandler:
    repository: "souvap/tooling/images/keycloak-extensions/keycloak-handler"
    tag: "latest@sha256:e67bdfc655e43b7fb83b025e13f949b04fdd98e089b33401275d03e340e03e2e"
@@ -122,12 +122,16 @@ images:
    # @supplier: "Nextcloud Community"
  openproject:
    repository: "openproject/open_desk"
-    tag: "dev@sha256:ca5b843fd7f0687617ce3038a52fd6ac73fb4e9db7b762b8ac7d5090f168f0b1"
+    tag: "dev@sha256:732b5d0efe9fc64fe411c9d8143ec3f4a3c731d03c0caddb5fa4c614ff426e8d"
    # @supplier: "OpenProject"
  openprojectInitDb:
    repository: "postgres"
    tag: "13@sha256:ced3ba927f4cf06e03eac7760f426a95367076fb31fe4e31b679f82d119a3519"
    # @supplier: "OpenProject"
+  openprojectBootstrap:
+    repository: "souvap/tooling/images/opendesk-openproject-bootstrap"
+    tag: "1.1.1@sha256:09da76a9b645b3dbe5c181061f7829f82f239e7d17f7e115218a32870f7a955e"
+    # @supplier: "openDesk DevSecOps"
  openxchangeBootstrap:
    repository: "alpine/k8s"
    tag: "1.26.8@sha256:acde24d2a8ebaafda76f464591a5ddc7d0acd08bb38b12560961c1b1c4fc85ec"
--- a/helmfile/environments/default/persistence.yaml
+++ b/helmfile/environments/default/persistence.yaml
@@ -12,7 +12,7 @@ persistence:
    matrixNeoDateFixBot: "1Gi"
    minio: "1Gi"
    nextcloud:
-      main: "1.2Gi"
+      main: "2Gi"
      data: "10Gi"
    postfix: "1Gi"
    postgresql: "1Gi"
--- a/helmfile/environments/default/secrets.gotmpl
+++ b/helmfile/environments/default/secrets.gotmpl
@@ -63,6 +63,8 @@ secrets:
    metricsToken: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nextcloud" "metricsToken" | sha1sum | quote }}
  openproject:
    adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "openproject" "openproject_admin_user" | sha1sum | quote }}
+    apiAdminUsername: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "openproject" "openproject_api_admin_username" | sha1sum | quote }}
+    apiAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "openproject" "openproject_api_admin_password" | sha1sum | quote }}
  collabora:
    adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "collabora" "collabora_admin_user" | sha1sum | quote }}
  jitsi: