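# SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
# SPDX-License-Identifier: Apache-2.0
#
# Helmfile values template for the openDesk "notes" release: the Django backend,
# the nginx frontend and the y-provider collaboration server.
#
# This file is rendered as a Go template first and parsed as YAML afterwards.
# Every templated scalar is therefore passed through `quote`: an empty value
# would otherwise become null, and generated secrets, tags or hostnames can
# contain characters YAML treats specially (`#`, `: `, `{`, leading `*`) or
# can look like a number or boolean (`1.10`, `on`).
---
global:
  # Shared secret between the backend and the collaboration server.
  collaborationServerSecret:
    value: {{ .Values.secrets.notes.collaborationSecret | quote }}
    existingSecret:
      name: {{ .Values.externalSecrets.notes.collaborationSecret.name | quote }}
      key: {{ .Values.externalSecrets.notes.collaborationSecret.key | quote }}
  fqdn: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
  imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  tlsSecretName: {{ .Values.ingress.tls.secretName | quote }}
  # The y-provider API key reuses the collaboration secret (same value and the
  # same external Secret reference).
  yProviderApiKey:
    value: {{ .Values.secrets.notes.collaborationSecret | quote }}
    existingSecret:
      name: {{ .Values.externalSecrets.notes.collaborationSecret.name | quote }}
      key: {{ .Values.externalSecrets.notes.collaborationSecret.key | quote }}
  # NOTE(review): the original repeated `fqdn` and `tlsSecretName` three times
  # with identical values. A YAML mapping keeps only the last occurrence (and
  # strict parsers reject duplicate keys), so one pair is kept here — confirm
  # the chart does not also read a top-level `fqdn`/`tlsSecretName`.

backend:
  image:
    # Prefer the openCode registry, then a globally configured registry, then
    # the per-image default.
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.notesBackend.registry | quote }}
    repository: {{ .Values.images.notesBackend.repository | quote }}
    pullPolicy: "IfNotPresent"
    tag: {{ .Values.images.notesBackend.tag | quote }}
  ingress:
    annotations:
      "nginx.ingress.kubernetes.io/proxy-body-size": "{{ .Values.ingress.parameters.bodySize.notes }}"
      "nginx.ingress.kubernetes.io/proxy-read-timeout": "{{ .Values.ingress.parameters.bodyTimeout.notes }}"
      "nginx.ingress.kubernetes.io/proxy-send-timeout": "{{ .Values.ingress.parameters.bodyTimeout.notes }}"
      {{- if .Values.annotations.notesBackend.ingress }}
      {{ .Values.annotations.notesBackend.ingress | toYaml | nindent 6 }}
      {{- end }}
    ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
  # The Django admin is not exposed through an ingress.
  ingressAdmin:
    enabled: false
    annotations: {{ .Values.annotations.notesBackend.ingressAdmin | toYaml | nindent 6 }}
    ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
  replicaCount: {{ .Values.replicas.notesBackend }}
  configuration:
    ai:
      apiKey:
        value: {{ .Values.ai.apiKey | quote }}
        existingSecret:
          name: {{ .Values.externalSecrets.ai.apiKey.name | quote }}
          key: {{ .Values.externalSecrets.ai.apiKey.key | quote }}
      baseUrl: {{ .Values.ai.endpoint | quote }}
      model: {{ .Values.ai.model | quote }}
    aws:
      # Falls back to the in-cluster MinIO API host when no external object
      # store endpoint is configured.
      endpointUrl: {{ printf "https://%s" (.Values.objectstores.notes.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
      s3AccessKeyId:
        value: {{ .Values.objectstores.notes.username | quote }}
        existingSecret:
          name: {{ .Values.externalSecrets.objectstores.notes.s3AccessKeyId.name | quote }}
          key: {{ .Values.externalSecrets.objectstores.notes.s3AccessKeyId.key | quote }}
      s3SecretAccessKey:
        value: {{ .Values.objectstores.notes.secretKey | default .Values.secrets.minio.notesUser | quote }}
        existingSecret:
          name: {{ .Values.externalSecrets.objectstores.notes.s3SecretAccessKey.name | quote }}
          key: {{ .Values.externalSecrets.objectstores.notes.s3SecretAccessKey.key | quote }}
      storageBucketName: {{ .Values.objectstores.notes.bucket | quote }}
    collaboration:
      apiUrl: {{ printf "https://%s.%s/collaboration/api/" .Values.global.hosts.notes .Values.global.domain | quote }}
      wsUrl: {{ printf "wss://%s.%s/collaboration/ws/" .Values.global.hosts.notes .Values.global.domain | quote }}
    database:
      host: {{ .Values.databases.notes.host | quote }}
      name: {{ .Values.databases.notes.name | quote }}
      password:
        value: {{ .Values.databases.notes.password | default .Values.secrets.postgresql.notesUser | quote }}
        existingSecret:
          name: {{ .Values.externalSecrets.databases.notes.password.name | quote }}
          key: {{ .Values.externalSecrets.databases.notes.password.key | quote }}
      port: {{ .Values.databases.notes.port | quote }}
      user:
        value: {{ .Values.databases.notes.username | quote }}
        existingSecret:
          name: {{ .Values.externalSecrets.databases.notes.user.name | quote }}
          key: {{ .Values.externalSecrets.databases.notes.user.key | quote }}
    email:
      brandName: "openDesk"
      from: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.mailDomain | default .Values.global.domain }}"
      # Mail is relayed through the in-cluster postfix service.
      host: "postfix"
      port: "25"
      logoImage: {{ printf "https://%s.%s/univention/portal/icons/entries/swp.notes.svg" .Values.global.hosts.nubus .Values.global.domain | quote }}
      user:
        value: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) | quote }}
        existingSecret:
          name: {{ .Values.externalSecrets.postfix.opendeskSystemUsername.name | quote }}
          key: {{ .Values.externalSecrets.postfix.opendeskSystemUsername.key | quote }}
      password:
        value: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
        existingSecret:
          name: {{ .Values.externalSecrets.postfix.opendeskSystemPassword.name | quote }}
          key: {{ .Values.externalSecrets.postfix.opendeskSystemPassword.key | quote }}
    oidc:
      enabled: true
      rpClientId:
        value: "opendesk-notes"
      rpClientSecret:
        value: {{ .Values.secrets.keycloak.clientSecret.notes | quote }}
        existingSecret:
          name: {{ .Values.externalSecrets.keycloak.clientSecret.notes.name | quote }}
          key: {{ .Values.externalSecrets.keycloak.clientSecret.notes.key | quote }}
      # All provider endpoints point at the openDesk Keycloak realm.
      opJWKSEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
      opAuthorizationEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
      opTokenEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
      opUserEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/userinfo"
      opLogoutEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout"
      rpScopes: "openid opendesk-notes-scope"
      loginRedirectUrl: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
      loginRedirectUrlFailure: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
      logoutRedirectUrl: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
      # Post-login redirects are restricted to the notes host itself.
      redirectAllowedHosts: {{ printf "https://%s.%s/*" .Values.global.hosts.notes .Values.global.domain | quote }}
      essentialClaims: "email"
      fullnameFields: "given_name,family_name"
      shortnameField: "given_name"
    django:
      # Quoted: a generated secret key may contain YAML-significant characters.
      secretKey:
        value: {{ .Values.secrets.notes.djangoSecretKey | quote }}
        existingSecret:
          name: {{ .Values.externalSecrets.notes.django.secretKey.name | quote }}
          key: {{ .Values.externalSecrets.notes.django.secretKey.key | quote }}
      createSuperuser: true
      superuserEmail:
        value: {{ printf "default.admin@%s" .Values.global.domain | quote }}
        existingSecret:
          name: {{ .Values.externalSecrets.notes.django.superuserEmail.name | quote }}
          key: {{ .Values.externalSecrets.notes.django.superuserEmail.key | quote }}
      superuserPassword:
        value: {{ .Values.secrets.notes.superuser | quote }}
        existingSecret:
          name: {{ .Values.externalSecrets.notes.django.superuserPassword.name | quote }}
          key: {{ .Values.externalSecrets.notes.django.superuserPassword.key | quote }}
    frontendTheme: "openDesk"
    # The inline value embeds the Redis password in the URL (database 7);
    # existingSecret references a Secret holding the full URL instead.
    redisUrl:
      value: "redis://default:{{ .Values.cache.notes.password | default .Values.secrets.redis.password }}@{{ .Values.cache.notes.host }}:{{ .Values.cache.notes.port }}/7"
      existingSecret:
        name: {{ .Values.externalSecrets.notes.redisUrl.name | quote }}
        key: {{ .Values.externalSecrets.notes.redisUrl.key | quote }}
  # Feature flags are read by the application as strings, so they stay quoted.
  extraEnvVars:
    - name: "FRONTEND_HOMEPAGE_FEATURE_ENABLED"
      value: "False"
    - name: "FRONTEND_FOOTER_FEATURE_ENABLED"
      value: "False"
  # Hardened container: no privilege escalation, all capabilities dropped,
  # read-only root filesystem, non-root uid with the runtime seccomp profile.
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    privileged: false
    # NOTE(review): the container runs as 1001 while podSecurityContext.fsGroup
    # below is 1000 — confirm volumes are meant to be group-owned by 1000.
    runAsUser: 1001
    runAsGroup: 1001
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions: {{ .Values.seLinuxOptions.notesBackend | toYaml | nindent 6 }}
  podAnnotations: {{ .Values.annotations.notesBackend.pod | toYaml | nindent 4 }}
  podAnnotationsCreateUser: {{ .Values.annotations.notesBackend.createUserJob | toYaml | nindent 4 }}
  podAnnotationsMigrate: {{ .Values.annotations.notesBackend.migrateJob | toYaml | nindent 4 }}
  podSecurityContext:
    enabled: true
    fsGroup: 1000
    fsGroupChangePolicy: "Always"
  resources: {{ .Values.resources.notesBackend | toYaml | nindent 4 }}
  service:
    annotations: {{ .Values.annotations.notesBackend.service | toYaml | nindent 6 }}
  extraVolumes:
    - name: "customization-volume"
      configMap:
        name: "impress-customization"
    {{- if .Values.certificate.selfSigned }}
    - name: "trusted-cert-secret-volume"
      secret:
        secretName: "opendesk-certificates-ca-tls"
        items:
          - key: "ca.crt"
            path: "ca-certificates.crt"
    {{- end }}
  extraVolumeMounts:
    - name: "customization-volume"
      mountPath: "/app/impress/configuration/theme/default.json"
      subPath: "theme.json"
    {{- if .Values.certificate.selfSigned }}
    # Replaces certifi's CA bundle entirely, so only the openDesk CA is trusted
    # by Python HTTP clients. The path is tied to the image's Python version.
    - name: "trusted-cert-secret-volume"
      mountPath: "/usr/local/lib/python3.13/site-packages/certifi/cacert.pem"
      subPath: "ca-certificates.crt"
    {{- end }}

frontend:
  image:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.notesFrontend.registry | quote }}
    repository: {{ .Values.images.notesFrontend.repository | quote }}
    pullPolicy: "IfNotPresent"
    tag: {{ .Values.images.notesFrontend.tag | quote }}
  ingress:
    enabled: true
    annotations: {{ .Values.annotations.notesFrontend.ingress | toYaml | nindent 6 }}
    ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
  ingressMedia:
    enabled: true
    annotations: {{ .Values.annotations.notesFrontend.ingressMedia | toYaml | nindent 6 }}
    ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
  configuration:
    objectStoreHost: {{ printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain | quote }}
  resources: {{ .Values.resources.notesFrontend | toYaml | nindent 4 }}
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    privileged: false
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions: {{ .Values.seLinuxOptions.notesFrontend | toYaml | nindent 6 }}
  podAnnotations: {{ .Values.annotations.notesFrontend.pod | toYaml | nindent 4 }}
  podSecurityContext:
    enabled: true
    fsGroup: 1000
    fsGroupChangePolicy: "Always"
  service:
    annotations: {{ .Values.annotations.notesFrontend.service | toYaml | nindent 6 }}
  # NOTE(review): serviceMedia reuses the `service` annotations (no separate
  # key exists in the source) — confirm that is intended.
  serviceMedia:
    annotations: {{ .Values.annotations.notesFrontend.service | toYaml | nindent 6 }}
  extraVolumes:
    - name: "customization-volume"
      configMap:
        name: "impress-customization"
  extraVolumeMounts:
    - name: "customization-volume"
      mountPath: "/usr/share/nginx/html/runtime-env.js"
      subPath: "runtime-env.js"

y-provider:
  image:
    # Pulled from Docker Hub unless a global registry or per-image override is set.
    registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.notesYProvider.registry | quote }}
    repository: {{ .Values.images.notesYProvider.repository | quote }}
    pullPolicy: "IfNotPresent"
    tag: {{ .Values.images.notesYProvider.tag | quote }}
  replicaCount: 1
  # NOTE(review): debug output is enabled unconditionally here — confirm this
  # is wanted for non-development deployments.
  debug: true
  {{- if .Values.certificate.selfSigned }}
  # Node trusts the openDesk CA in addition to its built-in bundle.
  extraEnvVars:
    - name: "NODE_EXTRA_CA_CERTS"
      value: "/etc/ssl/certs/cacert.pem"
  extraVolumes:
    - name: "trusted-cert-secret-volume"
      secret:
        secretName: "opendesk-certificates-ca-tls"
        items:
          - key: "ca.crt"
            path: "ca-certificates.crt"
  extraVolumeMounts:
    - name: "trusted-cert-secret-volume"
      mountPath: "/etc/ssl/certs/cacert.pem"
      subPath: "ca-certificates.crt"
  {{- end }}
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    privileged: false
    runAsUser: 1001
    runAsGroup: 1001
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    # NOTE(review): the source reads the backend's seLinuxOptions here rather
    # than a y-provider specific one — confirm this is intended.
    seLinuxOptions: {{ .Values.seLinuxOptions.notesBackend | toYaml | nindent 6 }}
  ingressCollaborationApi:
    annotations: {{ .Values.annotations.notesYProvider.ingressCollaborationAPI | toYaml | nindent 6 }}
    ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
  ingressCollaborationWs:
    annotations: {{ .Values.annotations.notesYProvider.ingressCollaborationWS | toYaml | nindent 6 }}
    ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
  podAnnotations: {{ .Values.annotations.notesYProvider.pod | toYaml | nindent 4 }}
  podSecurityContext:
    enabled: true
    fsGroup: 1001
    fsGroupChangePolicy: "Always"
  service:
    annotations: {{ .Values.annotations.notesYProvider.service | toYaml | nindent 6 }}
...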