chore(docs): Streamline for integration into docs.opendesk.eu

feat(helmfile): Allow custom/self-signed ca-certificates
fix(nextcloud): Support IPv4 only clusters
2025-12-06 23:41:43 +01:00 · 2024-11-05 08:44:03 +01:00 · 2024-10-28 08:58:05 +01:00 · 2024-10-26 08:02:49 +00:00 · 2024-10-15 16:21:55 +00:00 · 2024-10-15 16:21:55 +00:00
42 changed files with 581 additions and 84 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -4,7 +4,7 @@
 ---
 include:
  - project: "${PROJECT_PATH_GITLAB_CONFIG_TOOLING}"
-    ref: "v2.4.2"
+    ref: "v2.4.3"
    file:
      - "ci/common/automr.yml"
      - "ci/common/lint.yml"
@@ -514,7 +514,7 @@ avscan-prepare:
          CONTAINER_IMAGE: ""
          CONTAINER_REGISTRY: ""
          CONTAINER_TAG: ""
-          DATABASE_MIRROR: "https://registry.open-de.sk/repository/clamavdb.c3sl.ufpr.br"
+          DATABASE_MIRROR: "https://gitlab.opencode.de/bmi/opendesk/tooling/clamav-db-mirror/-/raw/main"
      EOF
    - >
      yq '.images
--- a/README.md
+++ b/README.md
@@ -8,16 +8,16 @@ SPDX-License-Identifier: Apache-2.0

 <!-- TOC -->
 * [Overview](#overview)
+* [Upgrades](#upgrades)
 * [Requirements](#requirements)
 * [Getting started](#getting-started)
 * [Advanced customization](#advanced-customization)
-* [Development](#development)
-* [Releases](#releases)
 * [Components](#components)
+* [Releases](#releases)
 * [Feedback](#feedback)
+* [Development](#development)
 * [License](#license)
 * [Copyright](#copyright)
-* [Footnotes](#footnotes)
 <!-- TOC -->

 # Overview
@@ -31,8 +31,8 @@ openDesk currently features the following functional main components:
 | -------------------- | --------------------------- | ------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ |
 | Chat & collaboration | Element ft. Nordeck widgets | [1.11.67](https://github.com/element-hq/element-desktop/releases/tag/v1.11.67)        | [For the most recent release](https://element.io/user-guide)                                                                         |
 | Diagram editor       | CryptPad ft. diagrams.net   | [5.6.0](https://github.com/cryptpad/cryptpad/releases/tag/5.6.0)                      | [For the most recent release](https://docs.cryptpad.org/en/)                                                                         |
-| File management      | Nextcloud                   | [29.0.7](https://nextcloud.com/de/changelog/#29-0-7)                                  | [SNextcloud 29](https://docs.nextcloud.com/)                                                                                         |
-| Groupware            | OX App Suite                | [8.28](https://documentation.open-xchange.com/appsuite/releases/8.28/)                | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/ |
+| File management      | Nextcloud                   | [29.0.7](https://nextcloud.com/de/changelog/#29-0-7)                                  | [Nextcloud 29](https://docs.nextcloud.com/)                                                                                         |
+| Groupware            | OX App Suite                | [8.28](https://documentation.open-xchange.com/appsuite/releases/8.28/)                | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
 | Knowledge management | XWiki                       | [16.4.4](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.4.4/)        | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                    |
 | Portal & IAM         | Nubus                       | [1.0](https://www.univention.de/produkte/nubus/)                                      | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                            |
 | Project management   | OpenProject                 | [14.6.1](https://www.openproject.org/docs/release-notes/14-6-1/)                      | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                          |
@@ -46,13 +46,23 @@ This documentation aims to give you all that is needed to set up your own instan

 Basic knowledge of Kubernetes and DevOps processes is required though.

+# Upgrades
+
+You want to upgrade an existing openDesk installation?
+
+⟶ Visit our detailed documentation about [Updates & Upgrades](./docs/migrations.md).
+
 # Requirements

-⟶ Visit our detailed [Requirements](./docs/requirements.md) overview.
+You want to understand what is required to install openDesk yourself?
+
+⟶ Visit our [Requirements](./docs/requirements.md) overview.

 # Getting started

-⟶ Visit our detailed [Getting started](./docs/getting-started.md) guide.
+You would like to install openDesk in your own infrastructure?
+
+⟶ Visit our detailed [Getting started guide](./docs/getting-started.md).

 # Advanced customization

@@ -63,9 +73,9 @@ Basic knowledge of Kubernetes and DevOps processes is required though.
 - [Monitoring](./docs/monitoring.md)
 - [Theming](./docs/theming.md)

-# Development
+# Components

-⟶ To understand the repository contents from a developer perspective please read the [Development](./docs/development.md) guide.
+More information on openDesk's components and their integration can be found in our detailed [Component docs](./docs/components.md).

 # Releases

@@ -80,11 +90,7 @@ in the files from the release's git-tag:
 - `./helmfile/environments/default/images.yaml`
 - `./helmfile/environments/default/charts.yaml`

-⟶ Visit our detailed [Workflow](./docs/workflow.md) docs.
-
-# Components
-
-⟶ Visit our detailed [Component](./docs/components.md) docs.
+Find more information in our [Workflow documentation](./docs/workflow.md).

 # Feedback

@@ -96,6 +102,10 @@ please use the [issues within this project](https://gitlab.opencode.de/bmi/opend
 If you want to address other topics, please check the section
 ["Rückmeldungen und Beteiligung" in the OVERVIEW.md](https://gitlab.opencode.de/bmi/opendesk/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung) of the [openDesk Info Repository](https://gitlab.opencode.de/bmi/opendesk/info).

+# Development
+
+If you want to join or contribute to the development of openDesk please read the [Development guide](./docs/development.md).
+
 # License

 This project uses the following license: Apache-2.0
@@ -103,11 +113,3 @@ This project uses the following license: Apache-2.0
 # Copyright

 Copyright (C) 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-
-# Footnotes
-
-[^1]: Nubus is the Cloud Portal and IAM from Univention.
-It is currently integrated as a product preview within openDesk therefore, not all resources like documentation
-and structured release notes are available, while the
-[source code can already be found on Open CoDE](https://gitlab.opencode.de/bmi/opendesk/component-code/crossfunctional/univention).
-Please find updates regarding the Nubus at https://nubus.io.
--- a/cspell.json
+++ b/cspell.json
@@ -74,7 +74,9 @@
        "filestore",
        "trashbin",
        "bootstrap",
-        "configurability"
+        "configurability",
+        "selfsigned",
+        "truststore"
    ],
    "ignoreWords": [],
    "import": []
--- a/docs/ci.md
+++ b/docs/ci.md
@@ -2,6 +2,7 @@
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 -->
+
 <h1>CI/CD</h1>

 This page covers openDesk deployment automation via Gitlab CI.
--- a/docs/components.md
+++ b/docs/components.md
@@ -3,6 +3,7 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 -->
+
 <h1>Components</h1>

 This section covers the internal system requirements and external service requirements for productive use.
--- a/docs/debugging.md
+++ b/docs/debugging.md
@@ -2,8 +2,10 @@
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 -->
+
 <h1>Debugging</h1>

+<!-- TOC -->
 * [Disclaimer](#disclaimer)
 * [Enable debugging](#enable-debugging)
 * [Adding containers to a pod for debugging purposes](#adding-containers-to-a-pod-for-debugging-purposes)
@@ -14,6 +16,8 @@ SPDX-License-Identifier: Apache-2.0
  * [Nextcloud](#nextcloud)
  * [OpenProject](#openproject)
  * [PostgreSQL](#postgresql)
+  * [Keycloak](#keycloak)
+<!-- TOC -->

 # Disclaimer

@@ -31,11 +35,16 @@ environments, you should use them thoughtfully and carefully if needed.

 # Enable debugging

-Set `debug.enable` to `true` in [`debug.yaml`](../helmfile/environments/default/debug.yaml) to set the
-component's log level to debug, and it gets some features like:
- The `/admin` console is routed for Keycloak.
- An ingress for `http://minio-console.<your_domain>` is configured.
-and set the log level for components to "Debug".
+Check the openDesk [`debug.yaml`](../helmfile/environments/default/debug.yaml) and set for your deployment
+```
+debug:
+  enable: true
+```
+
+This will result in:
+- setting most component's log level to debug
+- making the Keycloak admin console available by default at `https://id.<your_domain>/admin/`
+- configured the ingress for `http://minio-console.<your_domain>`

 > **Note**<br>
 > When enabling debug mode and updating your deployment, you must manually delete all jobs before updating. In debug mode, we keep the jobs, and some job fields are immutable, leading to a deployment failure.
@@ -176,3 +185,19 @@ While you will find all details in the [psql subsection](https://www.postgresql.
 - `\c <databasename>`: Connect to `<databasename>`
 - `\dt`: List (describe) tables within the currently connected database
 - `\q`: Quit the client
+
+## Keycloak
+
+Keycloak is the gateway to integrate other authentication management systems or applications. It can be desired to
+avoid enabling debug mode for the whole platform when you just need to look into Keycloak.
+
+That can easily be achieved in two steps:
+
+1. Updating the value for `KC_LOG_LEVEL` in the related configmap `ums-keycloak`.
+```shell
+export NAMESPACE=<your_namespace>
+export CONFIGMAP_NAME=ums-keycloak
+kubectl patch -n ${NAMESPACE} configmap ${CONFIGMAP_NAME} --type merge -p '{"data":{"KC_LOG_LEVEL":"DEBUG"}}'
+```
+
+2. Restart the Keycloak Pod(s).
--- a/docs/development.md
+++ b/docs/development.md
@@ -7,8 +7,9 @@ SPDX-License-Identifier: Apache-2.0
 <h1>Developing openDesk deployment automation</h1>

 Active development on the deployment is currently only available for project members.
-However, contributions will be possible using the CLA process.
+However, contributions are possible using the [CLA](https://gitlab.opencode.de/bmi/opendesk/info/-/blob/main/CONTRIBUTING.md?ref_type=heads) process.

+<!-- TOC -->
 * [Overview](#overview)
 * [Default branch, `develop` and other branches](#default-branch-develop-and-other-branches)
 * [External artifacts - `charts.yaml` and `images.yaml`](#external-artifacts---chartsyaml-and-imagesyaml)
@@ -18,6 +19,7 @@ However, contributions will be possible using the CLA process.
  * [Mirroring](#mirroring)
    * [Get new artifacts mirrored](#get-new-artifacts-mirrored)
 * [Creating new charts/images](#creating-new-chartsimages)
+<!-- TOC -->

 # Overview

--- a/docs/enhanced-configuration.md
+++ b/docs/enhanced-configuration.md
@@ -13,3 +13,4 @@ The following enhanced configuration use cases are described in separate documen
 - [Federation with external identity provider](./enhanced-configuration/idp-federation.md)
 - [Matrix federation](./enhanced-configuration/matrix-federation.md)
 - [Groupware migration from M365 to openDesk](./enhanced-configuration/groupware-migration.md)
+- [Self-signed certificate and custom Certificate Authority (CA)](enhanced-configuration/self-signed-certificates.md)
--- a/docs/enhanced-configuration/groupware-migration.md
+++ b/docs/enhanced-configuration/groupware-migration.md
@@ -1,10 +1,11 @@
-r<!--
+<!--
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 -->

 <h1>Migration from M365 with audriga migration service and master authentication</h1>

+<!-- TOC -->
 * [Context](#context)
 * [Prerequisites](#prerequisites)
  * [Prepare M365 tenant for access](#prepare-m365-tenant-for-access)
@@ -17,8 +18,7 @@ SPDX-License-Identifier: Apache-2.0
    * [Add multiple user accounts via CSV file](#add-multiple-user-accounts-via-csv-file)
  * [Start the migration](#start-the-migration)
  * [Monitor migration status](#monitor-migration-status)
-
-# Context
+<!-- TOC -->

 Most organizations already have email accounts on various platforms that need to be migrated to openDesk. This document describes the migration from M365 accounts to openDesk using the [audriga Migration Service](https://www.audriga.com) in combination with the master authentication option in openDesk. Other source platforms are also supported, and their migrations work in a similar manner.

--- a/docs/enhanced-configuration/idp-federation.md
+++ b/docs/enhanced-configuration/idp-federation.md
@@ -5,6 +5,7 @@ SPDX-License-Identifier: Apache-2.0

 <h1>Federation with external identity provider (IdP)</h1>

+<!-- TOC -->
 * [Context](#context)
 * [Prerequisites](#prerequisites)
  * [User accounts](#user-accounts)
@@ -17,8 +18,7 @@ SPDX-License-Identifier: Apache-2.0
    * [Separate realm](#separate-realm)
    * [OIDC Client](#oidc-client)
  * [openDesk IdP](#opendesk-idp)
-
-# Context
+<!-- TOC -->

 Most organizations already have an Identity and Access Management (IAM) system with an identity provider (IdP) for single sign-on to internal or external web applications.

--- a/docs/enhanced-configuration/matrix-federation.md
+++ b/docs/enhanced-configuration/matrix-federation.md
@@ -12,8 +12,6 @@ SPDX-License-Identifier: Apache-2.0
  * [Separate Matrix domain](#separate-matrix-domain)
 <!-- TOC -->

-# Context
-
 The Element chat application and its server component Synapse are based on the Matrix protocol,
 that supports federation with other Matrix servers to communicate with the users with accounts on these servers.

--- a/docs/enhanced-configuration/self-signed-certificates.md
+++ b/docs/enhanced-configuration/self-signed-certificates.md
@@ -0,0 +1,72 @@
+<!--
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+-->
+
+<h1>Self-signed certificate and custom Certificate Authority (CA)</h1>
+
+<!-- TOC -->
+* [Use case](#use-case)
+* [Configuration](#configuration)
+  * [Option 1: Bring Your Own Certificate](#option-1-bring-your-own-certificate)
+  * [Option 2: Use cert-manager.io](#option-2-use-cert-managerio)
+<!-- TOC -->
+
+Deploying openDesk into an environment with custom public key infrastructure (PKI) that is usually not part of
+public certificate authority chains or deploying openDesk into a local cluster without ACME challenge.
+
+# Configuration
+
+There are two options to address the use case.
+
+## Option 1: Bring Your Own Certificate
+
+This option is useful, when you have your own PKI in your environment which is trusted by all clients that should
+access openDesk.
+
+1. Disable cert-manager.io certificate resource creation:
+
+    ```yaml
+    certificates:
+      enabled: false
+    ```
+
+1. Enable mount of self-signed certificates:
+
+    ```yaml
+    certificate:
+      selfSigned: true
+    ```
+
+1. Create a Kubernetes secret named `opendesk-certificates-tls` of type `kubernetes.io/tls` containing either a valid
+wildcard certificate or a certificate with [all required subdomains](../../helmfile/environments/default/global.yaml)
+set as SANs (Subject Alternative Name).
+
+1. Create a Kubernetes secret with name `opendesk-certificates-ca-tls` of type `kubernetes.io/tls` containing the custom
+CA certificate as X.509 encoded (`ca.crt`) and as jks trust store (`truststore.jks`).
+
+1. Create a Kubernetes secret with name `opendesk-certificates-keystore-jks` with key `password` and as value the jks
+trust store password.
+
+## Option 2: Use cert-manager.io
+
+This option is useful, when you do not have a trusted certificate available and can't fetch a certificate from
+Let’s Encrypt.
+
+1. Create self-signed cert-manager.io Cluster Issuer:
+    ```yaml
+    apiVersion: "cert-manager.io/v1"
+    kind: "ClusterIssuer"
+    metadata:
+      name: "selfsigned-issuer"
+    spec:
+      selfSigned: {}
+    ```
+
+1. Enable mount and creation of self-signed certificates:
+    ```yaml
+    certificate:
+      issuerRef:
+        name: "selfsigned-issuer"
+      selfSigned: true
+    ```
--- a/docs/enhanced-configuration/separate-mail-matrix-domain.md
+++ b/docs/enhanced-configuration/separate-mail-matrix-domain.md
@@ -5,6 +5,7 @@ SPDX-License-Identifier: Apache-2.0

 <h1>Separate domains for mail and or Matrix </h1>

+<!-- TOC -->
 * [Context](#context)
 * [Example configuration](#example-configuration)
  * [Mail domain](#mail-domain)
@@ -13,8 +14,7 @@ SPDX-License-Identifier: Apache-2.0
    * [Webserver](#webserver)
      * [Content Security Policy](#content-security-policy)
      * [.well-known](#well-known)
-
-# Context
+<!-- TOC -->

 As communication over mail and chat can go beyond the borders of your openDesk installation, you may want to use different domains for the mail and/or Matrix.

--- a/docs/migrations.md
+++ b/docs/migrations.md
@@ -3,43 +3,67 @@ SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlic
 SPDX-License-Identifier: Apache-2.0
 -->

-<h1>Upgrade migrations</h1>
+<h1>Updates & Upgrades</h1>

+<!-- TOC -->
 * [Disclaimer](#disclaimer)
-* [Releases upgrades](#releases-upgrades)
+* [openDesk supported upgrade path](#opendesk-supported-upgrade-path)
+* [Releases upgrade details](#releases-upgrade-details)
  * [From v0.9.0](#from-v090)
-    * [Changed openDesk defaults](#changed-opendesk-defaults)
-      * [Removal of unnecessary OX-Profiles in Nubus](#removal-of-unnecessary-ox-profiles-in-nubus)
-      * [Matrix ID localpart update](#matrix-id-localpart-update)
-      * [File-share configurability](#file-share-configurability)
-      * [Updated default subdomains in `global.hosts`](#updated-default-subdomains-in-globalhosts)
-      * [Updated `global.imagePullSecrets`](#updated-globalimagepullsecrets)
-      * [Dedicated group for access to the UDM REST API](#dedicated-group-for-access-to-the-udm-rest-api)
+    * [Pre-upgrade: Manual steps](#pre-upgrade-manual-steps)
+      * [Configuration Cleanup: Removal of unnecessary OX-Profiles in Nubus](#configuration-cleanup-removal-of-unnecessary-ox-profiles-in-nubus)
+      * [Configuration Cleanup: Updated `global.imagePullSecrets`](#configuration-cleanup-updated-globalimagepullsecrets)
+      * [Changed openDesk defaults: Matrix ID](#changed-opendesk-defaults-matrix-id)
+      * [Changed openDesk defaults: File-share configurability](#changed-opendesk-defaults-file-share-configurability)
+      * [Changed openDesk defaults: Updated default subdomains in `global.hosts`](#changed-opendesk-defaults-updated-default-subdomains-in-globalhosts)
+      * [Changed openDesk defaults: Dedicated group for access to the UDM REST API](#changed-opendesk-defaults-dedicated-group-for-access-to-the-udm-rest-api)
    * [Automated migrations](#automated-migrations)
-      * [Manual cleanup](#manual-cleanup)
+    * [Post-upgrade: Manual steps](#post-upgrade-manual-steps)
+      * [Configuration Improvement: Separate user permission for using Video Conference component](#configuration-improvement-separate-user-permission-for-using-video-conference-component)
+      * [Optional Cleanup](#optional-cleanup)
  * [From v0.8.1](#from-v081)
    * [Updated `cluster.networking.cidr`](#updated-clusternetworkingcidr)
    * [Updated customizable template attributes](#updated-customizable-template-attributes)
    * [`migrations` S3 bucket](#migrations-s3-bucket)
 * [Related components and artifacts](#related-components-and-artifacts)
  * [Development](#development)
+<!-- TOC -->

 # Disclaimer

-With openDesk 1.0, we aim to offer hassle-free updates. Though some situations may require manual interaction, these are described in this document.
+With openDesk 1.0, we aim to offer hassle-free updates/upgrades.
+
+But openDesk requires a defined upgrade path that is described in the section [openDesk supported upgrade path](#opendesk-supported-upgrade-path).
+
+Some upgrades even require manual interaction, which are referenced in the aforementioned section and described further down this document.

 > **Known limitations:**<br>
 > We assume that the PV reclaim policy is set to `delete`, resulting in PVs getting deleted as soon as the related PVC was deleted; we will not address explicit deletion for PVs.

-# Releases upgrades
+# openDesk supported upgrade path
+
+When updating your openDesk installation you have to install the releases listed below in the sequential order from
+the lowest version number you are already on to the more current version you are looking to install.
+
+Explanation of the table's columns:
+- *Coming from*: Check the column for the release you are currently on.
+- *Mandatory release*: Defines which release(s) support the upgrade from your currently installed version.
+- *Automatic migration*: Summary of, or link to openDesk's automatic migration details.
+- *Manual activities*: Reference to required manual steps to upgrade your openDesk installation to the *Mandatory release*.
+
+| Coming from   | Mandatory (minimum) release | Automatic migration                                                                                                                                           | Manual activities             |
+| ------------- | --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------- |
+| v0.9.0        | v1.x.x                      | [run_2.py](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-migrations/-/blob/main/odmigs-python/odmigs_runs/run_2.py) | See [From v0.9.0](#from-v090) |
+| v0.8.1        | v0.9.0                      | Initializes migration system                                                                                                                                  | See [From v0.8.1](#from-v081)     |
+| not supported | v0.8.1                      | First release that supporting updates                                                                                                                         |                               |
+
+# Releases upgrade details

 ## From v0.9.0

-Before openDesk 1.0, we faced significant changes in some components and the overall platform configuration. Therefore, please review the
+### Pre-upgrade: Manual steps

-### Changed openDesk defaults
-
-#### Removal of unnecessary OX-Profiles in Nubus
+#### Configuration Cleanup: Removal of unnecessary OX-Profiles in Nubus

 > **Warning**<br>
 > The upgrade will fail if you do not address this section for your current deployment.
@@ -66,7 +90,20 @@ You can review and update other accounts as follows:
    - "Login disabled" if the user should not use the Groupware module.
  - Update the user account with the green "SAVE" button at the top of the page.

-#### Matrix ID localpart update
+#### Configuration Cleanup: Updated `global.imagePullSecrets`
+
+Without using a custom registry, you can pull all the openDesk images without authentication.
+Thus defining not existing imagePullSecrets creates unnecessary errors, so we removed them.
+
+You can keep the current settings by setting the `external-registry` in your custom environment values:
+
+```yaml
+global:
+  imagePullSecrets:
+    - "external-registry"
+```
+
+#### Changed openDesk defaults: Matrix ID

 Until 0.9.0 openDesk used the LDAP entryUUID of a user to generate the user's Matrix ID. Due to restrictions on the
 Matrix protocol, an update of a Matrix ID is not possible; therefore, it was technically convenient to use the UUID
@@ -99,7 +136,7 @@ functional:
       useImmutableIdentifierForLocalpart: true
 ```

-#### File-share configurability
+#### Changed openDesk defaults: File-share configurability

 Now, we provide some configurability regarding the sharing capabilities of the Nextcloud component.

@@ -118,7 +155,7 @@ functional:
         activeByDefault: false
 ```

-#### Updated default subdomains in `global.hosts`
+#### Changed openDesk defaults: Updated default subdomains in `global.hosts`

 We have streamlined the subdomain names in openDesk to be more user-friendly and to avoid the use of specific
 product names.
@@ -174,20 +211,7 @@ In case you would like to update an existing deployment to the new hostnames, pl
  - In Nextcloud: *Administration* > *OpenProject* > *OpenProject server*
    - Update the *OpenProject host* to `projects.<your_domain>`

-#### Updated `global.imagePullSecrets`
-
-Without using a custom registry, you can pull all the openDesk images without authentication.
-Thus defining not existing imagePullSecrets creates unnecessary errors, so we removed them.
-
-You can keep the current settings by setting the `external-registry` in your custom environment values:
-
-```yaml
-global:
-  imagePullSecrets:
-    - "external-registry"
-```
-
-#### Dedicated group for access to the UDM REST API
+#### Changed openDesk defaults: Dedicated group for access to the UDM REST API

 Prerequisite: You allow the use of the [IAM's API](https://docs.software-univention.de/developer-reference/5.0/en/udm/rest-api.html)
 with the following settings:
@@ -216,7 +240,26 @@ The permissions required to execute the migrations can be found in the migration

 The actual actions are described as code comments in the related run module [`run_2.py](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-migrations/-/blob/main/odmigs-python/odmigs_runs/run_2.py).

-#### Manual cleanup
+### Post-upgrade: Manual steps
+
+#### Configuration Improvement: Separate user permission for using Video Conference component
+
+With openDesk 1.0 the user permission for authenticated access to the Chat and Video Conference components was split into two separate permissions.
+
+Therefore the newly added *Video Conference* permission has to be added to users that should have continued access to the component.
+
+This can be done as IAM admin:
+- Open the *user* module.
+- Select all users that should get the permission for *Video Conference* using the select box left from the users entry.
+- In top bar of the user table click on *Edit*.
+- Select the *openDesk* section the the left-hand menu.
+- Check the check box for *Video Conference* and the directly below check box for *Overwrite*.
+- Click on the green *Save* button on top of the screen to apply the change.
+
+> **Hint**<br>
+> If you have a lot of users andd want to update (almost) all them, you can select all users by clicking the check box in the user's table header and then de-selecting the users you do not want to update.
+
+#### Optional Cleanup

 We do not execute possible cleanup steps as part of the migrations POST stage. So you might want to remove the no longer used PVCs after a successful upgrade:

--- a/docs/requirements.md
+++ b/docs/requirements.md
@@ -2,6 +2,7 @@
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 -->
+
 <h1>Requirements</h1>

 This section covers the internal system requirements and external service requirements for productive use.
--- a/docs/scaling.md
+++ b/docs/scaling.md
@@ -5,7 +5,7 @@ SPDX-License-Identifier: Apache-2.0

 <h1>Scaling</h1>

-This document should cover the ability to scale apps.
+This document covers the ability to scale applications.

 # Horizontal scalability

--- a/docs/security-context.md
+++ b/docs/security-context.md
@@ -2,8 +2,10 @@
 SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 -->
+
 <h1>Kubernetes Security Context</h1>

+<!-- TOC -->
 * [Container Security Context](#container-security-context)
  * [allowPrivilegeEscalation](#allowprivilegeescalation)
  * [capabilities](#capabilities)
@@ -14,6 +16,7 @@ SPDX-License-Identifier: Apache-2.0
  * [readOnlyRootFilesystem](#readonlyrootfilesystem)
  * [runAsNonRoot](#runasnonroot)
 * [Status quo](#status-quo)
+<!-- TOC -->

 # Container Security Context

--- a/docs/theming.md
+++ b/docs/theming.md
@@ -5,7 +5,7 @@ SPDX-License-Identifier: Apache-2.0

 <h1>Theming</h1>

-This document will cover the theming options for an openDesk deployment.
+This document covers the theming options for an openDesk deployment.

 <!-- TOC -->
 * [Settings](#settings)
--- a/docs/workflow.md
+++ b/docs/workflow.md
@@ -6,6 +6,7 @@ SPDX-License-Identifier: Apache-2.0

 <h1>Technical development and release workflow</h1>

+<!-- TOC -->
 * [Scope](#scope)
 * [Roles and responsibilities](#roles-and-responsibilities)
 * [Deployment automation](#deployment-automation)
@@ -29,6 +30,7 @@ SPDX-License-Identifier: Apache-2.0
      * [Commit messages / Conventional Commits](#commit-messages--conventional-commits)
      * [Verified commits](#verified-commits)
 * [Footnotes](#footnotes)
+<!-- TOC -->

 # Scope

--- a/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
@@ -47,6 +47,22 @@ extraEnvVars:
      secretKeyRef:
        name: "matrix-neodatefix-bot-account"
        key: "access_token"
+{{- if .Values.certificate.selfSigned }}
+  - name: "NODE_EXTRA_CA_CERTS"
+    value: "/etc/ssl/certs/ca-certificates.crt"
+
+extraVolumes:
+  - name: "trusted-cert-secret-volume"
+    secret:
+      secretName: "opendesk-certificates-ca-tls"
+      items:
+        - key: "ca.crt"
+          path: "ca-certificates.crt"
+extraVolumeMounts:
+  - name: "trusted-cert-secret-volume"
+    mountPath: "/etc/ssl/certs/ca-certificates.crt"
+    subPath: "ca-certificates.crt"
+{{- end }}

 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
--- a/helmfile/apps/element/values-synapse.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse.yaml.gotmpl
@@ -114,6 +114,27 @@ containerSecurityContext:
  seLinuxOptions:
    {{ .Values.seLinuxOptions.synapse | toYaml | nindent 4 }}

+{{- if .Values.certificate.selfSigned }}
+extraEnvVars:
+  - name: "REQUESTS_CA_BUNDLE"
+    value: "/etc/ssl/certs/ca-certificates.crt"
+  - name: "SSL_CERT_FILE"
+    value: "/etc/ssl/certs/ca-certificates.crt"
+  - name: "SSL_CERT_DIR"
+    value: "/etc/ssl/certs"
+extraVolumes:
+  - name: "trusted-cert-secret-volume"
+    secret:
+      secretName: "opendesk-certificates-ca-tls"
+      items:
+        - key: "ca.crt"
+          path: "ca-certificates.crt"
+extraVolumeMounts:
+  - name: "trusted-cert-secret-volume"
+    mountPath: "/etc/ssl/certs/ca-certificates.crt"
+    subPath: "ca-certificates.crt"
+{{- end }}
+
 federation:
  enabled: {{ .Values.functional.externalServices.matrix.federation.enabled }}
  ingress:
--- a/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
+++ b/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
@@ -28,6 +28,25 @@ containerSecurityContext:
  seLinuxOptions:
    {{ .Values.seLinuxOptions.jitsiKeycloakAdapter | toYaml | nindent 4 }}

+
+{{- if .Values.certificate.selfSigned }}
+extraEnvVars:
+  - name: "DENO_CERT"
+    value: "/etc/ssl/certs/ca-certificates.crt"
+
+extraVolumes:
+  - name: "trusted-cert-secret-volume"
+    secret:
+      secretName: "opendesk-certificates-ca-tls"
+      items:
+        - key: "ca.crt"
+          path: "ca-certificates.crt"
+extraVolumeMounts:
+  - name: "trusted-cert-secret-volume"
+    mountPath: "/etc/ssl/certs/ca-certificates.crt"
+    subPath: "ca-certificates.crt"
+{{- end }}
+
 cleanup:
  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}

--- a/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
@@ -1,4 +1,5 @@
 {{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
@@ -131,6 +132,23 @@ podSecurityContext:
 debug:
  loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"2"{{ end }}

+{{- if .Values.certificate.selfSigned }}
+extraEnvVars:
+  - name: "FS_IMPORT_CA_CERTIFICATES"
+    value: "true"
+extraVolumes:
+  - name: "trusted-cert-secret-volume"
+    secret:
+      secretName: "opendesk-certificates-ca-tls"
+      items:
+        - key: "ca.crt"
+          path: "ca-certificates.crt"
+extraVolumeMounts:
+  - name: "trusted-cert-secret-volume"
+    mountPath: "/etc/ssl/certs/ca-certificates.crt"
+    subPath: "ca-certificates.crt"
+{{- end }}
+
 image:
  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nextcloud.registry | quote }}
  repository: {{ .Values.images.nextcloud.repository | quote }}
--- a/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
@@ -1,4 +1,5 @@
 {{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
@@ -67,7 +68,7 @@ aio:
          value: "nextcloud_user"
        password:
          value: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
-    trustedProxies: {{ join " " .Values.cluster.networking.cidr | quote }}
+    trustedProxy: {{ join " " .Values.cluster.networking.cidr | quote }}
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
@@ -87,6 +88,24 @@ aio:
    successfulJobsHistoryLimit: {{ if .Values.debug.enabled }}"3"{{ else }}"0"{{ end }}
  debug:
    loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"2"{{ end }}
+  {{- if .Values.certificate.selfSigned }}
+  extraEnvVars:
+    - name: "FS_IMPORT_CA_CERTIFICATES"
+      value: "true"
+  {{- end }}
+  {{- if .Values.certificate.selfSigned }}
+  extraVolumes:
+    - name: "trusted-cert-secret-volume"
+      secret:
+        secretName: "opendesk-certificates-ca-tls"
+        items:
+          - key: "ca.crt"
+            path: "ca-certificates.crt"
+  extraVolumeMounts:
+    - name: "trusted-cert-secret-volume"
+      mountPath: "/etc/ssl/certs/ca-certificates.crt"
+      subPath: "ca-certificates.crt"
+  {{- end }}
  image:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nextcloud.registry | quote }}
    repository: {{ .Values.images.nextcloud.repository | quote }}
--- a/helmfile/apps/nubus/values-intercom-service.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-intercom-service.yaml.gotmpl
@@ -20,6 +20,23 @@ containerSecurityContext:
  seLinuxOptions:
    {{ .Values.seLinuxOptions.intercom | toYaml | nindent 4 }}

+{{- if .Values.certificate.selfSigned }}
+extraVolumes:
+  - name: "trusted-cert-secret-volume"
+    secret:
+      secretName: "opendesk-certificates-ca-tls"
+      items:
+        - key: "ca.crt"
+          path: "ca-certificates.crt"
+extraVolumeMounts:
+  - name: "trusted-cert-secret-volume"
+    mountPath: "/etc/ssl/certs/ca-certificates.crt"
+    subPath: "ca-certificates.crt"
+extraEnvVars:
+  - name: "NODE_EXTRA_CA_CERTS"
+    value: "/etc/ssl/certs/ca-certificates.crt"
+{{- end }}
+
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
--- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
@@ -161,6 +161,35 @@ minio:

 # Nubus services which use customer supplied services
 keycloak:
+  {{- if .Values.certificate.selfSigned }}
+  extraVolumes:
+    - name: "trusted-cert-crt-secret-volume"
+      secret:
+        secretName: "opendesk-certificates-ca-tls"
+        items:
+          - key: "ca.crt"
+            path: "ca-certificates.crt"
+    - name: "trusted-cert-jks-secret-volume"
+      secret:
+        secretName: "opendesk-certificates-ca-tls"
+        items:
+          - key: "truststore.jks"
+            path: "truststore.jks"
+  extraVolumeMounts:
+    - name: "trusted-cert-crt-secret-volume"
+      mountPath: "/etc/ssl/certs/ca-certificates.crt"
+      subPath: "ca-certificates.crt"
+    - name: "trusted-cert-jks-secret-volume"
+      mountPath: "/etc/ssl/certs/truststore.jks"
+      subPath: "truststore.jks"
+  extraEnvVars:
+    - name: "KC_HTTPS_TRUST_STORE_FILE"
+      value: "/etc/ssl/certs/truststore.jks"
+    - name: "KC_HTTPS_TRUST_STORE_PASSWORD"
+      value: {{ .Values.secrets.certificates.password | quote }}
+    - name: "KC_HTTPS_TRUST_STORE_TYPE"
+      value: "jks"
+  {{- end }}
  keycloak:
    auth:
      username: "kcadmin"
@@ -179,6 +208,7 @@ keycloak:
        key: "keycloakDatabasePassword"
  config:
    exposeAdminConsole: {{ .Values.debug.enabled }}
+    logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}

 nubusGuardian:
  provisioning:
--- a/helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl
@@ -287,6 +287,38 @@ nubusPortalConsumer:
      type: "RuntimeDefault"
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsPortalConsumer | toYaml | nindent 6 }}
+  {{- if .Values.certificate.selfSigned }}
+  extraVolumes:
+    - name: "trusted-cert-secret-volume"
+      secret:
+        secretName: "opendesk-certificates-ca-tls"
+        items:
+          - key: "ca.crt"
+            path: "ca-certificates.crt"
+          - key: "ca.crt"
+            path: "cacert.pem"
+  extraVolumeMounts:
+    - name: "trusted-cert-secret-volume"
+      mountPath: "/etc/ssl/certs/ca-certificates.crt"
+      subPath: "ca-certificates.crt"
+  waitForDependency:
+    extraVolumeMounts:
+      - name: "trusted-cert-secret-volume"
+        readOnly: true
+        mountPath: "/etc/ssl/certs/ca-certificates.crt"
+        subPath: "ca-certificates.crt"
+      - name: "trusted-cert-secret-volume"
+        readOnly: true
+        mountPath: "/usr/local/lib/python3.7/dist-packages/certifi/cacert.pem"
+        subPath: "cacert.pem"
+    extraEnvVars:
+      - name: "REQUESTS_CA_BUNDLE"
+        value: "/etc/ssl/certs/ca-certificates.crt"
+      - name: "DEFAULT_CA_BUNDLE_PATH"
+        value: "/etc/ssl/certs/ca-certificates.crt"
+      - name: "SSL_CERT_FILE"
+        value: "/etc/ssl/certs/ca-certificates.crt"
+  {{- end }}

 nubusUdmListener:
  containerSecurityContext:
@@ -333,6 +365,34 @@ nubusPortalServer:
  replicaCount: {{ .Values.replicas.umsPortalServer }}
  resources:
    {{ .Values.resources.umsPortalServer | toYaml | nindent 4 }}
+  {{- if .Values.certificate.selfSigned }}
+  extraVolumes:
+    - name: "trusted-cert-crt-secret-volume"
+      secret:
+        secretName: "opendesk-certificates-ca-tls"
+        items:
+          - key: "ca.crt"
+            path: "ca-certificates.crt"
+          - key: "ca.crt"
+            path: "cacert.pem"
+  extraVolumeMounts:
+    - name: "trusted-cert-crt-secret-volume"
+      readOnly: true
+      mountPath: "/etc/ssl/certs/ca-certificates.crt"
+      subPath: "ca-certificates.crt"
+    - name: "trusted-cert-crt-secret-volume"
+      readOnly: true
+      mountPath: "/usr/local/lib/python3.7/dist-packages/certifi/cacert.pem"
+      subPath: "cacert.pem"
+    - name: "trusted-cert-crt-secret-volume"
+      readOnly: true
+      mountPath: "/usr/lib/python3/dist-packages/botocore/cacert.pem"
+      subPath: "cacert.pem"
+    - name: "trusted-cert-crt-secret-volume"
+      readOnly: true
+      mountPath: "/usr/lib/python3/dist-packages/certifi/cacert.pem"
+      subPath: "cacert.pem"
+  {{- end }}

 nubusLdapNotifier:
  containerSecurityContext:
--- a/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -532,4 +532,18 @@ podSecurityContext:
 resources:
  {{ .Values.resources.opendeskKeycloakBootstrap | toYaml | nindent 2 }}

+{{- if .Values.certificate.selfSigned }}
+extraVolumes:
+  - name: "trusted-cert-secret-volume"
+    secret:
+      secretName: "opendesk-certificates-ca-tls"
+      items:
+        - key: "ca.crt"
+          path: "ca-certificates.crt"
+extraVolumeMounts:
+  - name: "trusted-cert-secret-volume"
+    mountPath: "/etc/ssl/certs/ca-certificates.crt"
+    subPath: "ca-certificates.crt"
+{{- end }}
+
 ...
--- a/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
@@ -72,6 +72,20 @@ containerSecurityContext:

 podAnnotations: {}

+{{- if .Values.certificate.selfSigned }}
+extraVolumes:
+  - name: "trusted-cert-secret-volume"
+    secret:
+      secretName: "opendesk-certificates-ca-tls"
+      items:
+        - key: "ca.crt"
+          path: "ca-certificates.crt"
+extraVolumeMounts:
+  - name: "trusted-cert-secret-volume"
+    mountPath: "/etc/ssl/certs/ca-certificates.crt"
+    subPath: "ca-certificates.crt"
+{{- end }}
+
 podSecurityContext:
  enabled: true
  fsGroup: 1000
--- a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
@@ -287,6 +287,30 @@ appsuite:
      com.openexchange.smime.test: "true"
      # Other
      com.openexchange.secret.secretSource: "\"<user-id> + '@' + <context-id> + '/' + <random>\""
+      {{- if .Values.certificate.selfSigned }}
+      # Selfsigned
+      com.openexchange.net.ssl.default.truststore.enabled: "false"
+      com.openexchange.net.ssl.custom.truststore.enabled: "true"
+      com.openexchange.net.ssl.custom.truststore.path: "/etc/ssl/certs/truststore.jks"
+      com.openexchange.net.ssl.custom.truststore.password: {{ .Values.secrets.certificates.password | quote }}
+      {{- end }}
+    {{- if .Values.certificate.selfSigned }}
+    extraEnv:
+    - name: "JAVA_OPTS_APPEND"
+      value: {{ printf "%s %s=%s" "-Djavax.net.ssl.trustStore=/etc/ssl/certs/truststore.jks -Djavax.net.ssl.trustStoreType=jks" "-Djavax.net.ssl.trustStorePassword" (.Values.secrets.certificates.password | quote) | quote }}
+    extraVolumes:
+      - name: "trusted-cert-secret-volume"
+        secret:
+          secretName: "opendesk-certificates-ca-tls"
+          items:
+            - key: "truststore.jks"
+              path: "truststore.jks"
+            - key: "ca.crt"
+              path: "ca-certificates.crt"
+    extraMounts:
+      - name: "trusted-cert-secret-volume"
+        mountPath: "/etc/ssl/certs/"
+    {{- end }}
    secretProperties:
      com.openexchange.cookie.hash.salt: {{ .Values.secrets.oxAppsuite.cookieHashSalt | quote }}
      com.openexchange.sessiond.encryptionKey: {{ .Values.secrets.oxAppsuite.sessiondEncryptionKey | quote }}
--- a/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl
@@ -4,6 +4,20 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
+{{- if .Values.certificate.selfSigned }}
+extraVolumes:
+  - name: "trusted-cert-secret-volume"
+    secret:
+      secretName: "opendesk-certificates-ca-tls"
+      items:
+        - key: "ca.crt"
+          path: "ca-certificates.crt"
+extraVolumeMounts:
+  - name: "trusted-cert-secret-volume"
+    mountPath: "/etc/ssl/certs/ca-certificates.crt"
+    subPath: "ca-certificates.crt"
+{{- end }}
+
 image:
  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.oxConnector.registry | quote }}
  repository: {{ .Values.images.oxConnector.repository | quote }}
--- a/helmfile/apps/openproject-bootstrap/values.yaml.gotmpl
+++ b/helmfile/apps/openproject-bootstrap/values.yaml.gotmpl
@@ -44,6 +44,20 @@ containerSecurityContext:
  seLinuxOptions:
    {{ .Values.seLinuxOptions.openprojectBootstrap | toYaml | nindent 4 }}

+{{- if .Values.certificate.selfSigned }}
+extraVolumes:
+  - name: "trusted-cert-secret-volume"
+    secret:
+      secretName: "opendesk-certificates-ca-tls"
+      items:
+        - key: "ca.crt"
+          path: "ca-certificates.crt"
+extraVolumeMounts:
+  - name: "trusted-cert-secret-volume"
+    mountPath: "/etc/ssl/certs/ca-certificates.crt"
+    subPath: "ca-certificates.crt"
+{{- end }}
+
 image:
  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openprojectBootstrap.registry | quote }}
  repository: {{ .Values.images.openprojectBootstrap.repository | quote }}
--- a/helmfile/apps/openproject/values.yaml.gotmpl
+++ b/helmfile/apps/openproject/values.yaml.gotmpl
@@ -87,6 +87,23 @@ environment:
  {{- if .Values.enterprise.openproject.token }}
  OPENPROJECT_ENTERPRISE__TOKEN: {{ .Values.enterprise.openproject.token | quote }}
  {{- end }}
+  {{- if .Values.certificate.selfSigned }}
+  SSL_CERT_FILE: "/etc/ssl/certs/ca-certificates.crt"
+  {{- end }}
+
+{{- if .Values.certificate.selfSigned }}
+extraVolumes:
+  - name: "trusted-cert-secret-volume"
+    secret:
+      secretName: "opendesk-certificates-ca-tls"
+      items:
+        - key: "ca.crt"
+          path: "ca-certificates.crt"
+extraVolumeMounts:
+  - name: "trusted-cert-secret-volume"
+    mountPath: "/etc/ssl/certs/ca-certificates.crt"
+    subPath: "ca-certificates.crt"
+{{- end }}

 image:
  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openproject.registry | quote }}
--- a/helmfile/apps/services/values-certificates.yaml.gotmpl
+++ b/helmfile/apps/services/values-certificates.yaml.gotmpl
@@ -56,5 +56,13 @@ issuerRef:
 cleanup:
  keepRessourceOnDelete: {{ .Values.debug.cleanup.keepRessourceOnDelete }}

+selfSigned:
+  enabled: {{ .Values.certificate.selfSigned }}
+  keystores:
+    jks:
+      enabled: true
+      password:
+        value: {{ .Values.secrets.certificates.password | quote }}
+
 wildcard: {{ .Values.certificate.wildcard }}
 ...
--- a/helmfile/apps/services/values-minio.yaml.gotmpl
+++ b/helmfile/apps/services/values-minio.yaml.gotmpl
@@ -201,4 +201,16 @@ startupProbe:
 statefulset:
  replicaCount: {{ .Values.replicas.minio }}

+{{- if .Values.certificate.selfSigned }}
+extraVolumes:
+  - name: "trusted-cert-secret-volume"
+    secret:
+      secretName: "opendesk-certificates-ca-tls"
+      items:
+        - key: "ca.crt"
+          path: "public.crt"
+extraVolumeMounts:
+  - name: "trusted-cert-secret-volume"
+    mountPath: "/certs/CAs"
+{{- end }}
 ...
--- a/helmfile/apps/xwiki/values.yaml.gotmpl
+++ b/helmfile/apps/xwiki/values.yaml.gotmpl
@@ -11,6 +11,14 @@ image:

 imagePullSecrets: {{ .Values.global.imagePullSecrets }}

+
+{{- if .Values.certificate.selfSigned }}
+javaOpts:
+  - "-Djavax.net.ssl.trustStore=/etc/ssl/certs/truststore.jks"
+  - "-Djavax.net.ssl.trustStoreType=jks"
+  - {{ printf "%s=%s" "-Djavax.net.ssl.trustStorePassword" .Values.secrets.certificates.password | quote }}
+{{- end }}
+
 externalDB:
  password: {{ .Values.databases.xwiki.password | default .Values.secrets.mariadb.rootPassword | quote }}
  database: {{ .Values.databases.xwiki.name | quote }}
@@ -199,4 +207,19 @@ service:
 volumePermissions:
  enabled: true

+{{- if .Values.certificate.selfSigned }}
+extraVolumes:
+  - name: "trusted-cert-secret-volume"
+    secret:
+      secretName: "opendesk-certificates-ca-tls"
+      items:
+        - key: "truststore.jks"
+          path: "truststore.jks"
+        - key: "ca.crt"
+          path: "ca-certificates.crt"
+extraVolumeMounts:
+  - name: "trusted-cert-secret-volume"
+    mountPath: "/etc/ssl/certs"
+{{- end }}
+
 ...
--- a/helmfile/environments/default/certificate.yaml
+++ b/helmfile/environments/default/certificate.yaml
@@ -1,3 +1,4 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
@@ -5,4 +6,5 @@ certificate:
  issuerRef:
    name: "letsencrypt-prod"
  wildcard: false
+  selfSigned: false
 ...
--- a/helmfile/environments/default/charts.yaml
+++ b/helmfile/environments/default/charts.yaml
@@ -14,7 +14,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-certificates"
    name: "opendesk-certificates"
-    version: "2.1.3"
+    version: "3.1.0"
    verify: true
  clamav:
    # providerCategory: "Platform"
--- a/helmfile/environments/default/global.generated.yaml
+++ b/helmfile/environments/default/global.generated.yaml
@@ -3,5 +3,5 @@
 ---
 global:
  systemInformation:
-    releaseVersion: "v1.0.0"
+    releaseVersion: "v1.0.1"
 ...
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -235,7 +235,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
-    tag: "2.2.2@sha256:90f8e64ef9156c87dbd9befef99c6e3222f87daa393231d393d728c5b64506ee"
+    tag: "2.2.3@sha256:b5e36b4922b50be96ecdd8628d8124880251da5b2e98cfa5b12cf1ef715d042f"
  nextcloudExporter:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -403,7 +403,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
-    tag: "1.7.4@sha256:23976c92c1b9f366b04e5e17fb52912b624720e3a97f5fee0da43afe75a6645e"
+    tag: "1.7.5@sha256:cc38d339abea18dc3644b7764d7be13798956161d1c87e34b26b5d8b7a11edc6"
  nubusOpenPolicyAgent:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -451,7 +451,7 @@ images:
    # upstreamRepository: "nubus/images/portal-frontend"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus-portal-update"
-    tag: "1.8.0@sha256:5ae4d38d67aab0678e227d45737a4113382015225ef317dde1fbe8574689449e"
+    tag: "1.8.1@sha256:dd2c8e16b57d5b2a97f465b15e108231782e3ee2df1cc07cee0388459bf40e1c"
  nubusPortalServer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
--- a/helmfile/environments/default/secrets.gotmpl
+++ b/helmfile/environments/default/secrets.gotmpl
@@ -119,4 +119,6 @@ secrets:
    password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "matrix-neodatefix-bot" "password" | sha1sum | quote }}
  matrixUserVerificationService:
    password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "matrix-user-verification-service" "password" | sha1sum | quote }}
+  certificates:
+    password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "certificates" "password" | sha1sum | quote }}
 ...
--- a/helmfile/files/theme/portalStylesheet.css
+++ b/helmfile/files/theme/portalStylesheet.css
Author	SHA1	Message	Date
openDesk Bot	f1202f5fa5	chore(docs): Streamline for integration into docs.opendesk.eu	2024-11-05 08:44:03 +01:00
Dominik Kaminski	c71faf5e80	feat(helmfile): Allow custom/self-signed ca-certificates	2024-10-28 08:58:05 +01:00
Dominik Kaminski	b25ada1f60	fix(nextcloud): Support IPv4 only clusters	2024-10-26 08:02:49 +00:00
Thorsten Roßner	3b3679bab1	fix(nubus): Enable Keycloak debug mode logging; add Keycloak specific section to debugging.md	2024-10-15 16:21:55 +00:00
Thorsten Roßner	a86c0afdbb	fix(docs): Update and streamline README.md and migrations.md.	2024-10-15 16:21:55 +00:00
Thorsten Roßner	bc0ca8b4c1	fix(nextcloud): Trusted Proxy setting.	2024-10-15 16:21:17 +00:00
Thorsten Roßner	901b1f529e	fix(nubus): Update external portal links and login screen background.	2024-10-15 16:30:13 +02:00