External Secrets
This document covers how to use external secrets and the special requirements some components place on them.
General
For most components, an external secret, when set, supersedes the corresponding plain value (e.g. a password) in a values.yaml file.
The file external_secrets.yaml lists all possible references to external secrets that are currently implemented in openDesk.
Components
This section covers the special requirements that some Helm charts place on external secrets.
MinIO
As described in the upstream values.yaml, credentials and other information about a user in the external secrets listed in usersExistingSecrets have to be formatted as follows:
stringData:
  username1: |
    username=test-username
    password=test-password
    disabled=false
    policies=readwrite,consoleAdmin,diagnostics
    setPolicies=fa
Furthermore, the credentials introduced for MinIO are needed in various other components that do not implement MinIO's special format. Hence, separate key-value pairs holding these passwords have to be created for them.
Cassandra
Cassandra is pre-populated with information regarding Dovecot by a CQL script. The openDesk default initDB setting is configured as follows:
initUserData.cql: >
  CREATE KEYSPACE IF NOT EXISTS {{ .Values.databases.dovecotDictmap.name | quote }} WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 1 };
  CREATE ROLE IF NOT EXISTS {{ .Values.databases.dovecotDictmap.username | quote }};
  ALTER ROLE {{ .Values.databases.dovecotDictmap.username | quote }} WITH PASSWORD = {{ regexReplaceAll "'" .Values.secrets.cassandra.dovecotDictmapUser "''" | squote }} AND LOGIN = true;
  GRANT ALL ON KEYSPACE {{ .Values.databases.dovecotDictmap.name | quote }} TO {{ .Values.databases.dovecotDictmap.username | quote }};
  CREATE KEYSPACE IF NOT EXISTS {{ .Values.databases.dovecotACL.name | quote }} WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 1 };
  CREATE ROLE IF NOT EXISTS {{ .Values.databases.dovecotACL.username | quote }};
  ALTER ROLE {{ .Values.databases.dovecotACL.username | quote }} WITH PASSWORD = {{ regexReplaceAll "'" .Values.secrets.cassandra.dovecotACLUser "''" | squote }} AND LOGIN = true;
  GRANT ALL ON KEYSPACE {{ .Values.databases.dovecotACL.name | quote }} TO {{ .Values.databases.dovecotACL.username | quote }};
This has to be reproduced in a secret that also holds a CQL script and whose name is given in initDBSecret. Note that the template doubles every single quote in the password (regexReplaceAll "'" ... "''") before wrapping it with squote, so a password containing a single quote cannot terminate the CQL string literal early; a hand-written secret has to apply the same escaping.
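The quoting the template above performs, reproduced in Python as an added example that is not part of openDesk's own code: it renders the same statements for both Dovecot databases from values-style dicts. Function names, the sample values and the identifier pattern accepted by cql_quote are assumptions of this example; the Helm template itself only applies quote to the names.

```python
import re

# Identifier pattern accepted for keyspace and role names. This restriction is
# an assumption of this example, not something the Helm template enforces.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,47}$")


def cql_squote(value: str) -> str:
    """Single-quoted CQL string literal, mirroring
    regexReplaceAll "'" value "''" | squote: every embedded single quote is
    doubled so the value cannot close the literal early."""
    return "'" + value.replace("'", "''") + "'"


def cql_quote(identifier: str) -> str:
    """Double-quoted CQL identifier; reject unexpected characters instead of
    trying to escape them."""
    if not _IDENT.match(identifier):
        raise ValueError(f"unsafe CQL identifier: {identifier!r}")
    return '"' + identifier + '"'


def render_db_block(name: str, username: str, password: str) -> list[str]:
    """Statements for one keyspace/role pair, in the order of initUserData.cql."""
    ks, role = cql_quote(name), cql_quote(username)
    return [
        f"CREATE KEYSPACE IF NOT EXISTS {ks} WITH REPLICATION = "
        "{ 'class' : 'SimpleStrategy', 'replication_factor' : 1 };",
        f"CREATE ROLE IF NOT EXISTS {role};",
        f"ALTER ROLE {role} WITH PASSWORD = {cql_squote(password)} AND LOGIN = true;",
        f"GRANT ALL ON KEYSPACE {ks} TO {role};",
    ]


def render_init_cql(databases: dict, secrets: dict) -> str:
    """Render the full script. Keys mirror .Values.databases.<db> and
    .Values.secrets.cassandra.<db>User."""
    lines = []
    for db, cfg in databases.items():
        lines += render_db_block(cfg["name"], cfg["username"], secrets[f"{db}User"])
    return "\n".join(lines) + "\n"


# Constructed sample values; the passwords are not real credentials.
SAMPLE_DATABASES = {
    "dovecotDictmap": {"name": "dovecot_dictmap", "username": "dovecot_dictmap"},
    "dovecotACL": {"name": "dovecot_acl", "username": "dovecot_acl"},
}
SAMPLE_SECRETS = {"dovecotDictmapUser": "it's'secret", "dovecotACLUser": "plain"}

if __name__ == "__main__":
    print(render_init_cql(SAMPLE_DATABASES, SAMPLE_SECRETS))
```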
XWiki
Properties listed in the properties file of the external secret override the corresponding plain values.
As described in the upstream values.yaml, credentials and other properties in the external secret referenced by propertiesSecret have to be formatted as follows:
stringData:
  propertiesFile: |
    property1=property1Value
    property2=property2Value
    property3=property3Value