feat(helmfile): Test external secrets

Signed-off-by: Axel Lender <lender@b1-systems.de>

docs/external-secrets.md

@@ -0,0 +1,38 @@
+<!--
+SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+-->
+
+<h1>External Secrets</h1>
+
+This document covers how to utilise external secrets and special requirements.
+
+<!-- TOC -->
+* [General](#general)
+* [Components](#components)
+  * [Notes](#notes)
+<!-- TOC -->
+
+# General
+
+For most components when set the external secret will supersede e.g. a password in a `values.yaml` file.
+
+The file [`external_secrets.yaml`](/helmfile/environments/default/external_secrets.yaml.gotmpl) lists all possible references to external secrets that are currently implemented in openDesk.
+
+# Components
+
+This section covers information and special requirements to external secrets that some Helm Charts expect.
+
+## Notes
+
+There are some values that consist of more than just one secret part.
+
+```yaml
+backend:
+  configuration:
+    django:
+      superuserEmail:
+        value: {{ printf "default.admin@%s" .Values.global.domain | quote }}
+    redisUrl:
+      value: "redis://default:{{ .Values.cache.notes.password | default .Values.secrets.redis.password }}@{{ .Values.cache.notes.host }}:{{ .Values.cache.notes.port }}/7"
+```

helmfile/apps/notes/values.yaml.gotmpl

@@ -4,8 +4,14 @@
 global:
   collaborationServerSecret:
     value: {{ .Values.secrets.notes.collaborationSecret | quote }}
+    existingSecret:
+      name: {{ .Values.externalSecrets.notes.collaborationSecret.name | quote }}
+      key: {{ .Values.externalSecrets.notes.collaborationSecret.key | quote }}
   yProviderApiKey:
     value: {{ .Values.secrets.notes.collaborationSecret | quote }}
+    existingSecret:
+      name: {{ .Values.externalSecrets.notes.collaborationSecret.name | quote }}
+      key: {{ .Values.externalSecrets.notes.collaborationSecret.key | quote }}
   fqdn: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
   tlsSecretName: {{ .Values.ingress.tls.secretName | quote }}
 
@@ -35,14 +41,23 @@ backend:
     ai:
       apiKey:
         value: {{ .Values.ai.apiKey }}
+        existingSecret:
+          name: {{ .Values.externalSecrets.ai.apiKey.name | quote }}
+          key: {{ .Values.externalSecrets.ai.apiKey.key | quote }}
       baseUrl: {{ .Values.ai.endpoint }}
       model: {{ .Values.ai.model | quote }}
     aws:
       endpointUrl: {{ printf "https://%s" (.Values.objectstores.notes.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
       s3AccessKeyId:
         value: {{ .Values.objectstores.notes.username }}
+        existingSecret:
+          name: {{ .Values.externalSecrets.objectstores.notes.s3AccessKeyId.name | quote }}
+          key: {{ .Values.externalSecrets.objectstores.notes.s3AccessKeyId.key | quote }}
       s3SecretAccessKey:
         value: {{ .Values.objectstores.notes.secretKey | default .Values.secrets.minio.notesUser | quote }}
+        existingSecret:
+          name: {{ .Values.externalSecrets.objectstores.notes.s3SecretAccessKey.name | quote }}
+          key: {{ .Values.externalSecrets.objectstores.notes.s3SecretAccessKey.key | quote }}
       storageBucketName: {{ .Values.objectstores.notes.bucket }}
     collaboration:
       apiUrl: {{ printf "https://%s.%s/collaboration/api/" .Values.global.hosts.notes .Values.global.domain | quote }}
@@ -52,9 +67,15 @@ backend:
       name: {{ .Values.databases.notes.name | quote }}
       password:
         value: {{ .Values.databases.notes.password | default .Values.secrets.postgresql.notesUser | quote }}
+        existingSecret:
+          name: {{ .Values.externalSecrets.databases.notes.password.name | quote  }}
+          key: {{ .Values.externalSecrets.databases.notes.password.key | quote }}
       port: {{ .Values.databases.notes.port | quote }}
       user:
         value: {{ .Values.databases.notes.username | quote }}
+        existingSecret:
+          name: {{ .Values.externalSecrets.databases.notes.user.name | quote }}
+          key: {{ .Values.externalSecrets.databases.notes.user.key | quote }}
     email:
       brandName: "openDesk"
       from: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
@@ -63,14 +84,23 @@ backend:
       logoImage: {{ printf "https://%s.%s/univention/portal/icons/entries/swp.notes.svg" .Values.global.hosts.nubus .Values.global.domain | quote }}
       user:
         value: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
+        existingSecret:
+          name: {{ .Values.externalSecrets.postfix.opendeskSystemUsername.name | quote }}
+          key: {{ .Values.externalSecrets.postfix.opendeskSystemUsername.key | quote }}
       password:
         value: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
+        existingSecret:
+          name: {{ .Values.externalSecrets.postfix.opendeskSystemPassword.name | quote }}
+          key: {{ .Values.externalSecrets.postfix.opendeskSystemPassword.key | quote }}
     oidc:
       enabled: true
       rpClientId:
         value: "opendesk-notes"
       rpClientSecret:
         value: {{ .Values.secrets.keycloak.clientSecret.notes | quote }}
+        existingSecret:
+          name: {{ .Values.externalSecrets.keycloak.clientSecret.notes.name | quote }}
+          key: {{ .Values.externalSecrets.keycloak.clientSecret.notes.key | quote }}
       opJWKSEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
       opAuthorizationEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
       opTokenEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
@@ -87,14 +117,26 @@ backend:
     django:
       secretKey:
         value: {{ .Values.secrets.notes.djangoSecretKey }}
+        existingSecret:
+          name: {{ .Values.externalSecrets.notes.django.secretKey.name | quote }}
+          key: {{ .Values.externalSecrets.notes.django.secretKey.key | quote }}
       createSuperuser: true
       superuserEmail:
         value: {{ printf "default.admin@%s" .Values.global.domain | quote }}
+        existingSecret:
+          name: {{ .Values.externalSecrets.notes.django.superuserEmail.name | quote }}
+          key: {{ .Values.externalSecrets.notes.django.superuserEmail.key | quote }}
       superuserPassword:
         value: {{ .Values.secrets.notes.superuser }}
+        existingSecret:
+          name: {{ .Values.externalSecrets.notes.django.superuserPassword.name | quote }}
+          key: {{ .Values.externalSecrets.notes.django.superuserPassword.key | quote }}
     frontendTheme: "openDesk"
     redisUrl:
       value: "redis://default:{{ .Values.cache.notes.password | default .Values.secrets.redis.password }}@{{ .Values.cache.notes.host }}:{{ .Values.cache.notes.port }}/7"
+      existingSecret:
+        name: {{ .Values.externalSecrets.notes.redisUrl.name | quote }}
+        key: {{ .Values.externalSecrets.notes.redisUrl.key | quote }}
   extraEnvVars:
     - name: "FRONTEND_HOMEPAGE_FEATURE_ENABLED"
       value: "False"

helmfile/environments/default/external_secrets.yaml.gotmpl

@@ -0,0 +1,55 @@
+# SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+# The variables set in this file are required to upgrade components to their "Enterprise" product variant.
+---
+externalSecrets:
+  ai:
+    apiKey:
+      name: "a"
+      key: "aiapikey"
+  databases:
+    notes:
+      password:
+        name: "a"
+        key: "notesDatabasePassword"
+      user:
+        name: "a"
+        key: "notesDatabaseUser"
+  keycloak:
+    clientSecret:
+      notes:
+        name: "a"
+        key: "keycloaknotes"
+  notes:
+    collaborationSecret:
+      name: "a"
+      key: "notesCollaborationSecret"
+    django:
+      secretKey:
+        name: "a"
+        key: "notesDjangoSecretKey"
+      superuserEmail:
+        name: "a"
+        key: "notessuperuserEmail"
+      superuserPassword:
+        name: "a"
+        key: "notessuperuserPassword"
+    redisUrl:
+      name: "a"
+      key: "notesredisurl"
+  objectstores:
+    notes:
+      s3AccessKeyId:
+        name: "a"
+        key: "objectstoresNotesS3AccessKeyId"
+      s3SecretAccessKey:
+        name: "a"
+        key: "objectstoresNotesS3SecretAccessKey"
+  postfix:
+    opendeskSystemPassword:
+      name: "a"
+      key: "postfixopendeskSystemPassword"
+    opendeskSystemUsername:
+      name: "a"
+      key: "postfixopendeskSystemUsername"
+...