External Secrets
This document covers how to utilise external secrets and special requirements.
General
⚠ ATTENTION: This feature is still in early development. For now you cannot simply replace plain secrets with external secrets, because some secrets are used by several components, and not all of those components support external secrets yet.
For most components, an external secret, once set, supersedes the corresponding plain value (for example a password) in a values.yaml file.
The file external_secrets.yaml lists all possible references to external secrets that are currently implemented in openDesk.
Components
This section covers information about, and special requirements for, the external secrets that some Helm charts expect.
Cassandra
Cassandra is pre-populated with the information Dovecot needs by means of a CQL script. The openDesk default initDB setting is configured as follows:
```yaml
initUserData.cql: >
  CREATE KEYSPACE IF NOT EXISTS {{ .Values.databases.dovecotDictmap.name | quote }} WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 1 };
  CREATE ROLE IF NOT EXISTS {{ .Values.databases.dovecotDictmap.username | quote }};
  ALTER ROLE {{ .Values.databases.dovecotDictmap.username | quote }} WITH PASSWORD = {{ regexReplaceAll "'" .Values.secrets.cassandra.dovecotDictmapUser "''" | squote }} AND LOGIN = true;
  GRANT ALL ON KEYSPACE {{ .Values.databases.dovecotDictmap.name | quote }} TO {{ .Values.databases.dovecotDictmap.username | quote }};
  CREATE KEYSPACE IF NOT EXISTS {{ .Values.databases.dovecotACL.name | quote }} WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 1 };
  CREATE ROLE IF NOT EXISTS {{ .Values.databases.dovecotACL.username | quote }};
  ALTER ROLE {{ .Values.databases.dovecotACL.username | quote }} WITH PASSWORD = {{ regexReplaceAll "'" .Values.secrets.cassandra.dovecotACLUser "''" | squote }} AND LOGIN = true;
  GRANT ALL ON KEYSPACE {{ .Values.databases.dovecotACL.name | quote }} TO {{ .Values.databases.dovecotACL.username | quote }};
```
When using an external secret, this script has to be adapted into a secret that holds the same CQL statements (with the passwords filled in) and is referenced by name in initDBSecret. Note that the template doubles any single quote inside the password (regexReplaceAll "'" ... "''") before wrapping it with squote; a hand-written secret must apply the same escaping, otherwise a password containing a single quote breaks the statement.
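As an added example (not code from the openDesk charts), the following Python script renders the same statements as the default script, applies the chart's quoting rules (double-quoted identifiers, single-quoted passwords with embedded single quotes doubled) and wraps the result in a Secret manifest. The Secret key `initUserData.cql`, the database names and the passwords are assumptions for illustration.

```python
import json


def cql_string(value: str) -> str:
    """Single-quoted CQL literal; an embedded ' is doubled, mirroring
    regexReplaceAll "'" ... "''" | squote in the chart template."""
    return "'" + value.replace("'", "''") + "'"


def cql_ident(value: str) -> str:
    """Double-quoted CQL identifier, mirroring the template's | quote.
    A double quote inside a keyspace or role name is rejected outright."""
    if '"' in value:
        raise ValueError("double quote not allowed in keyspace/role names")
    return '"' + value + '"'


def render_init_cql(databases: dict, passwords: dict) -> str:
    """Render the four statements per database (e.g. dovecotDictmap, dovecotACL)."""
    lines = []
    for key, db in databases.items():
        ks, user = cql_ident(db["name"]), cql_ident(db["username"])
        lines += [
            f"CREATE KEYSPACE IF NOT EXISTS {ks} WITH REPLICATION = "
            "{ 'class' : 'SimpleStrategy', 'replication_factor' : 1 };",
            f"CREATE ROLE IF NOT EXISTS {user};",
            f"ALTER ROLE {user} WITH PASSWORD = {cql_string(passwords[key])} AND LOGIN = true;",
            f"GRANT ALL ON KEYSPACE {ks} TO {user};",
        ]
    return "\n".join(lines) + "\n"


def build_secret(name: str, databases: dict, passwords: dict) -> dict:
    """Kubernetes Secret holding the script; the key name is an assumption."""
    return {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": name},
            "type": "Opaque",
            "stringData": {"initUserData.cql": render_init_cql(databases, passwords)}}


# Constructed sample values; real ones come from your secret store.
SAMPLE_DATABASES = {
    "dovecotDictmap": {"name": "dovecot_dictmap", "username": "dovecot_dictmap"},
    "dovecotACL": {"name": "dovecot_acl", "username": "dovecot_acl"},
}
SAMPLE_PASSWORDS = {"dovecotDictmap": "p4ss'word", "dovecotACL": "o'clock"}

if __name__ == "__main__":
    print(json.dumps(build_secret("cassandra-init", SAMPLE_DATABASES, SAMPLE_PASSWORDS), indent=2))
```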
Keycloak
The Keycloak bootstrap chart expects a special format for the admin credentials. The following example shows the format with the openDesk default values:
```yaml
stringData:
  admin.yaml: |
    username: "kcadmin"
    password: "{{ .Values.secrets.keycloak.adminPassword }}"
```
MinIO
As described in the upstream values.yaml, the credentials and information about a user in the external secrets listed in usersExistingSecrets have to be formatted as follows:
```yaml
stringData:
  username1: |
    username=test-username
    password=test-password
    disabled=false
    policies=readwrite,consoleAdmin,diagnostics
    setPolicies=false
```
Furthermore, the credentials introduced for MinIO are needed by various other components that do not implement MinIO's special format. Hence the same passwords also have to be provided as plain key-value pairs for those components.
XWiki
Properties listed in the file of the external secret will overwrite plain values.
Licenses can also be given via properties and require the format licenses=<EnterpriseLicense>,<ApplicationsLicense>.
As described in the upstream values.yaml, the credentials and information about a user in the external secrets listed in propertiesSecret have to be formatted as follows:
```yaml
stringData:
  propertiesFile: |
    propertie1=propertie1Value
    propertie2=propertie2Value
    propertie3=propertie3Value
```