Merge pull request opencloud-eu#63 from Tim-herbie/feature/support-secrets

butonic · web-flow · commit a2e32e695927 · 2025-06-30T11:55:26.000+02:00
Add support for existing secrets and replace plaintext values with secrets
diff --git a/charts/opencloud/Chart.yaml b/charts/opencloud/Chart.yaml
@@ -10,7 +10,7 @@ maintainers:
     email: info@opencloud.eu
     url: https://opencloud.eu
 type: application
-version: 0.2.0
+version: 0.2.1
 # renovate: datasource=docker depName=opencloudeu/opencloud-rolling
 appVersion: latest
 kubeVersion: ""
diff --git a/charts/opencloud/README.md b/charts/opencloud/README.md
@@ -250,6 +250,7 @@ This will prepend `my-registry.com/` to all image references in the chart. For e
 | `opencloud.logColor` | Enable log color | `false` |
 | `opencloud.logPretty` | Enable pretty logging | `false` |
 | `opencloud.insecure` | Insecure mode (for self-signed certificates) | `true` |
+| `opencloud.existingSecret` | Name of the existing secret | `` |
 | `opencloud.adminPassword` | Admin password | `admin` |
 | `opencloud.createDemoUsers` | Create demo users | `false` |
 | `opencloud.resources` | CPU/Memory resource requests/limits | `{}` |
@@ -261,12 +262,14 @@ This will prepend `my-registry.com/` to all image references in the chart. For e
 | `opencloud.smtp.host` | SMTP host | `` |
 | `opencloud.smtp.port` | SMTP port | `587` |
 | `opencloud.smtp.sender` | SMTP sender | `` |
+| `opencloud.smtp.existingSecret` | Name of the existing secret | `` |
 | `opencloud.smtp.username` | SMTP username | `` |
 | `opencloud.smtp.password` | SMTP password | `` |
 | `opencloud.smtp.insecure` | SMTP insecure | `false` |
 | `opencloud.smtp.authentication` | SMTP authentication | `plain` |
 | `opencloud.smtp.encryption` | SMTP encryption | `starttls` |
 | `opencloud.storage.s3.internal.enabled` | Enable internal MinIO instance | `true` |
+| `opencloud.storage.s3.internal.existingSecret` | Name of the existing secret | `` |
 | `opencloud.storage.s3.internal.rootUser` | MinIO root user | `opencloud` |
 | `opencloud.storage.s3.internal.rootPassword` | MinIO root password | `opencloud-secret-key` |
 | `opencloud.storage.s3.internal.bucketName` | MinIO bucket name | `opencloud-bucket` |
@@ -279,6 +282,7 @@ This will prepend `my-registry.com/` to all image references in the chart. For e
 | `opencloud.storage.s3.external.enabled` | Enable external S3 | `false` |
 | `opencloud.storage.s3.external.endpoint` | External S3 endpoint URL | `""` |
 | `opencloud.storage.s3.external.region` | External S3 region | `default` |
+| `opencloud.storage.s3.external.existingSecret` | Name of the existing secret | `` |
 | `opencloud.storage.s3.external.accessKey` | External S3 access key | `""` |
 | `opencloud.storage.s3.external.secretKey` | External S3 secret key | `""` |
 | `opencloud.storage.s3.external.bucket` | External S3 bucket | `""` |
@@ -297,6 +301,7 @@ By default the chart deploys an internal keycloak. It can be disabled and replac
 | `keycloak.internal.image.tag` | Keycloak image tag | `26.1.4` |
 | `keycloak.internal.image.pullPolicy` | Image pull policy | `IfNotPresent` |
 | `keycloak.internal.replicas` | Number of replicas | `1` |
+| `keycloak.internal.existingSecret` | Name of the existing secret | `` |
 | `keycloak.internal.adminUser` | Admin user | `admin` |
 | `keycloak.internal.adminPassword` | Admin password | `admin` |
 | `keycloak.internal.realm` | Realm name | `openCloud` |
@@ -327,6 +332,7 @@ keycloak:
 | --------- | ----------- | ------- |
 | `postgres.enabled` | Enable PostgreSQL | `true` |
 | `postgres.database` | Database name | `keycloak` |
+| `postgres.existingSecret` | Name of the existing secret | `` |
 | `postgres.user` | Database user | `keycloak` |
 | `postgres.password` | Database password | `keycloak` |
 | `postgres.resources` | CPU/Memory resource requests/limits | `{}` |
@@ -349,9 +355,8 @@ keycloak:
 | `onlyoffice.persistence.enabled` | Enable persistence | `true` |
 | `onlyoffice.persistence.size` | Size of the persistent volume | `2Gi` |
 | `onlyoffice.resources` | CPU/Memory resource requests/limits | `{}` |
-| `onlyoffice.config.coAuthoring.token.enable.request.inbox` | Enable token for incoming requests | `true` |
-| `onlyoffice.config.coAuthoring.token.enable.request.outbox` | Enable token for outgoing requests | `true` |
-| `onlyoffice.config.coAuthoring.token.enable.browser` | Enable token for browser requests | `true` |
+| `onlyoffice.config.coAuthoring.secret.existingSecret` | Name of the existing secret | `` |
+| `onlyoffice.config.coAuthoring.secret.session.string` | Session string for onlyoffice | `` |
 | `onlyoffice.collaboration.enabled` | Enable collaboration service | `true` |
 
 If you use Traefik and enable OnlyOffice, this chart will automatically create a `Middleware`
@@ -369,6 +374,7 @@ This ensures the `X-Forwarded-Proto: https` header is added as required by OnlyO
 | `collabora.image.repository` | Collabora image repository | `collabora/code` |
 | `collabora.image.tag` | Collabora image tag | `24.04.13.2.1` |
 | `collabora.image.pullPolicy` | Image pull policy | `IfNotPresent` |
+| `collabora.existingSecret` | Name of the existing secret | `` |
 | `collabora.adminUser` | Admin user | `admin` |
 | `collabora.adminPassword` | Admin password | `admin` |
 | `collabora.ssl.enabled` | Enable SSL | `true` |
@@ -402,7 +408,7 @@ The following HTTPRoutes are created when `httpRoute.enabled` is set to `true`:
    - Port: 9200
    - Headers: Removes Permissions-Policy header to prevent browser console errors
 
-2. **Keycloak HTTPRoute** (when `keycloak.enabled` is `true`):
+2. **Keycloak HTTPRoute** (when `keycloak.internal.enabled` is `true`):
    - Hostname: `global.domain.keycloak`
    - Service: `{{ release-name }}-keycloak`
    - Port: 8080
diff --git a/charts/opencloud/files/onlyoffice/local.json.gotmpl b/charts/opencloud/files/onlyoffice/local.json.gotmpl
@@ -15,23 +15,9 @@
         "outbox": {
           "header": "Authorization"
         }
-      },
-      "secret": {
-        "inbox": {
-          "string": "{{ .Values.onlyoffice.config.coAuthoring.secret.inbox.string }}"
-        },
-        "outbox": {
-          "string": "{{ .Values.onlyoffice.config.coAuthoring.secret.outbox.string }}"
-        },
-        "session": {
-          "string": "{{ .Values.onlyoffice.config.coAuthoring.secret.session.string }}"
-        }
       }
     }
   },
-  "rabbitmq": {
-    "url": "{{ .Values.onlyoffice.config.rabbitmq.url }}"
-  },
   "FileConverter": {
     "converter": {
       "inputLimits": [
diff --git a/charts/opencloud/templates/NOTES.txt b/charts/opencloud/templates/NOTES.txt
@@ -14,8 +14,7 @@ IMPORTANT: This is a development deployment. For production use, you MUST change
 3. PostgreSQL: user: keycloak, password: keycloak
 4. MinIO: rootUser: opencloud, rootPassword: opencloud-secret-key
 5. OnlyOffice Database: sql.dbUser: onlyoffice, sql.dbPass: onlyoffice
-6. OnlyOffice Secret Keys: secret.inbox/outbox/session.string: B8LjkNqGxn6gf8bkuBUiMwyuCFwFddnu
-7. RabbitMQ: url: amqp://guest:guest@localhost
+6. RabbitMQ: url: amqp://guest:guest@localhost
 
 Using default credentials in production environments poses significant security risks.
 
@@ -29,12 +28,12 @@ The following services have been deployed:
    - S3 Storage: {{ if .Values.opencloud.storage.s3.external.enabled }}{{ .Values.opencloud.storage.s3.external.endpoint }}{{ else if .Values.opencloud.storage.s3.internal.enabled }}MinIO ({{ include "opencloud.minio.fullname" . }}){{ else }}Not configured{{ end }}
    - S3 Bucket: {{ if .Values.opencloud.storage.s3.external.enabled }}{{ .Values.opencloud.storage.s3.external.bucket }}{{ else if .Values.opencloud.storage.s3.internal.enabled }}{{ .Values.opencloud.storage.s3.internal.bucketName }}{{ else }}Not configured{{ end }}
 
-{{- if .Values.keycloak.enabled }}
+{{- if .Values.keycloak.internal.enabled }}
 2. Keycloak (Authentication):
    - Service: {{ include "opencloud.keycloak.fullname" . }}
    - Port: 8080
-   - Username: {{ .Values.keycloak.adminUser }}
-   - Password: {{ .Values.keycloak.adminPassword }}
+   - Username: {{ .Values.keycloak.internal.adminUser }}
+   - Password: {{ .Values.keycloak.internal.adminPassword }}
 {{- end }}
 
 {{- if .Values.opencloud.storage.s3.internal.enabled }}
@@ -61,7 +60,7 @@ All HTTPRoutes are configured to use the Gateway named "{{ .Values.httpRoute.gat
 
 Make sure the Gateway exists and is properly configured to accept traffic for the following domains:
 - OpenCloud: {{ include "opencloud.domain" . }} (Service: {{ include "opencloud.opencloud.fullname" . }}, Port: 9200)
-{{- if .Values.keycloak.enabled }}
+{{- if .Values.keycloak.internal.enabled }}
 - Keycloak: {{ include "opencloud.keycloak.domain" . }} (Service: {{ include "opencloud.keycloak.fullname" . }}, Port: 8080)
 {{- end }}
 {{- if .Values.opencloud.storage.s3.internal.enabled }}
@@ -77,7 +76,7 @@ to expose these services externally.
 
 Example domains for your ingress configuration:
 - OpenCloud: {{ include "opencloud.domain" . }} (Service: {{ include "opencloud.opencloud.fullname" . }}, Port: 9200)
-{{- if .Values.keycloak.enabled }}
+{{- if .Values.keycloak.internal.enabled }}
 - Keycloak: {{ include "opencloud.keycloak.domain" . }} (Service: {{ include "opencloud.keycloak.fullname" . }}, Port: 8080)
 {{- end }}
 {{- if .Values.opencloud.storage.s3.internal.enabled }}
diff --git a/charts/opencloud/templates/collabora/deployment.yaml b/charts/opencloud/templates/collabora/deployment.yaml
@@ -38,9 +38,23 @@ spec:
                 --o:welcome.enable=false \
                 --o:net.frame_ancestors={{ include "opencloud.domain" . }}
             - name: username
-              value: "{{ .Values.collabora.admin.user | default "admin" }}"
+              valueFrom:
+                secretKeyRef:
+                  name: {{- if .Values.collabora.existingSecret }}
+                          {{ .Values.collabora.existingSecret }}
+                        {{- else }}
+                          {{ include "opencloud.fullname" . }}-collabora
+                        {{- end }}
+                  key: username
             - name: password
-              value: "{{ .Values.collabora.admin.password | default "admin" }}"
+              valueFrom:
+                secretKeyRef:
+                  name: {{- if .Values.collabora.existingSecret }}
+                          {{ .Values.collabora.existingSecret }}
+                        {{- else }}
+                          {{ include "opencloud.fullname" . }}-collabora
+                        {{- end }}
+                  key: password
           ports:
             - containerPort: 9980
               name: http
diff --git a/charts/opencloud/templates/collabora/secrets.yaml b/charts/opencloud/templates/collabora/secrets.yaml
@@ -0,0 +1,10 @@
+{{- if and (not .Values.collabora.existingSecret) .Values.collabora.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "opencloud.fullname" . }}-collabora
+type: Opaque
+stringData:
+  username: {{ .Values.collabora.username }}
+  password: {{ .Values.collabora.password }}
+{{- end }}
diff --git a/charts/opencloud/templates/gateway/gateway.yaml b/charts/opencloud/templates/gateway/gateway.yaml
@@ -42,7 +42,7 @@ spec:
           selector:
             matchLabels:
               kubernetes.io/metadata.name: {{ .Values.httpRoute.gateway.namespace | default .Release.Namespace }}
-    {{- if .Values.keycloak.enabled }}
+    {{- if .Values.keycloak.internal.enabled }}
     {{- if .Values.global.tls.enabled }}
     - name: keycloak-https
     {{- else }}
diff --git a/charts/opencloud/templates/keycloak/deployment.yaml b/charts/opencloud/templates/keycloak/deployment.yaml
@@ -52,15 +52,43 @@ spec:
             - name: KC_DB_URL
               value: jdbc:postgresql://{{ include "opencloud.postgres.fullname" . }}:5432/{{ .Values.postgres.database }}
             - name: KC_DB_USERNAME
-              value: {{ .Values.postgres.user }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{- if .Values.postgres.existingSecret }}
+                          {{ .Values.postgres.existingSecret }}
+                        {{- else }}
+                          {{ include "opencloud.postgres.fullname" . }}
+                        {{- end }}
+                  key: username
             - name: KC_DB_PASSWORD
-              value: {{ .Values.postgres.password }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{- if .Values.postgres.existingSecret }}
+                          {{ .Values.postgres.existingSecret }}
+                        {{- else }}
+                          {{ include "opencloud.postgres.fullname" . }}
+                        {{- end }}
+                  key: password
             - name: KC_FEATURES
               value: impersonation
             - name: KEYCLOAK_ADMIN
-              value: {{ .Values.keycloak.internal.adminUser }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{- if .Values.keycloak.internal.existingSecret }}
+                          {{ .Values.keycloak.internal.existingSecret }}
+                        {{- else }}
+                          {{ include "opencloud.keycloak.fullname" . }}
+                        {{- end }}
+                  key: adminUser
             - name: KEYCLOAK_ADMIN_PASSWORD
-              value: {{ .Values.keycloak.internal.adminPassword }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{- if .Values.keycloak.internal.existingSecret }}
+                          {{ .Values.keycloak.internal.existingSecret }}
+                        {{- else }}
+                          {{ include "opencloud.keycloak.fullname" . }}
+                        {{- end }}
+                  key: adminPassword
             {{- if .Values.keycloak.internal.cors.enabled }}
             - name: KC_SPI_CORS_ENABLED
               value: "true"
diff --git a/charts/opencloud/templates/keycloak/secrets.yaml b/charts/opencloud/templates/keycloak/secrets.yaml
@@ -0,0 +1,10 @@
+{{- if and (not .Values.keycloak.internal.existingSecret) .Values.keycloak.internal.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "opencloud.keycloak.fullname" . }}
+type: Opaque
+stringData:
+  adminUser: {{ .Values.keycloak.internal.adminUser }}
+  adminPassword: {{ .Values.keycloak.internal.adminPassword }}
+{{- end }}
diff --git a/charts/opencloud/templates/minio/deployment.yaml b/charts/opencloud/templates/minio/deployment.yaml
@@ -49,9 +49,23 @@ spec:
           args: ["server", "--console-address", ":9001", "/data"]
           env:
             - name: MINIO_ROOT_USER
-              value: {{ .Values.opencloud.storage.s3.internal.rootUser | quote }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{- if .Values.opencloud.storage.s3.internal.existingSecret }}
+                          {{ .Values.opencloud.storage.s3.internal.existingSecret }}
+                        {{- else }}
+                          {{ include "opencloud.minio.fullname" . }}
+                        {{- end }}
+                  key: rootUser
             - name: MINIO_ROOT_PASSWORD
-              value: {{ .Values.opencloud.storage.s3.internal.rootPassword | quote }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{- if .Values.opencloud.storage.s3.internal.existingSecret }}
+                          {{ .Values.opencloud.storage.s3.internal.existingSecret }}
+                        {{- else }}
+                          {{ include "opencloud.minio.fullname" . }}
+                        {{- end }}
+                  key: rootPassword
           ports:
             - name: api
               containerPort: 9000
diff --git a/charts/opencloud/templates/minio/secrets.yaml b/charts/opencloud/templates/minio/secrets.yaml
@@ -0,0 +1,10 @@
+{{- if and (not .Values.opencloud.storage.s3.internal.existingSecret) .Values.opencloud.storage.s3.internal.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "opencloud.minio.fullname" . }}
+type: Opaque
+stringData:
+  rootUser: {{ .Values.opencloud.storage.s3.internal.rootUser }}
+  rootPassword: {{ .Values.opencloud.storage.s3.internal.rootPassword }}
+{{- end }}
diff --git a/charts/opencloud/templates/onlyoffice/deployment.yaml b/charts/opencloud/templates/onlyoffice/deployment.yaml
@@ -39,11 +39,25 @@ spec:
             - name: DB_USER
               value: "{{ .Values.onlyoffice.config.coAuthoring.sql.dbUser | default "onlyoffice" }}"
             - name: JWT_SECRET
-              value: "{{ .Values.onlyoffice.config.coAuthoring.secret.session.string | default "B8LjkNqGxn6gf8bkuBUiMwyuCFwFddnu" }}"
+              valueFrom:
+                secretKeyRef:
+                  name: {{- if .Values.onlyoffice.config.coAuthoring.secret.existingSecret }}
+                          {{ .Values.onlyoffice.config.coAuthoring.secret.existingSecret }}
+                        {{- else }}
+                          {{ include "opencloud.fullname" . }}-onlyoffice
+                        {{- end }}
+                  key: sessionSecret
             - name: JWT_HEADER
               value: "Authorization"
             - name: AMQP_URI
-              value: "{{ .Values.onlyoffice.config.rabbitmq.url | default "amqp://guest:guest@localhost" }}"
+              valueFrom:
+                secretKeyRef:
+                  name: {{- if .Values.onlyoffice.config.rabbitmq.existingSecret }}
+                          {{ .Values.onlyoffice.config.rabbitmq.existingSecret }}
+                        {{- else }}
+                          {{ include "opencloud.fullname" . }}-rabbitmq
+                        {{- end }}
+                  key: url
           ports:
             - containerPort: 80
               name: http
diff --git a/charts/opencloud/templates/onlyoffice/secrets.yaml b/charts/opencloud/templates/onlyoffice/secrets.yaml
@@ -0,0 +1,19 @@
+{{- if and (not .Values.onlyoffice.config.coAuthoring.secret.existingSecret) .Values.onlyoffice.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "opencloud.fullname" . }}-onlyoffice
+type: Opaque
+stringData:
+  sessionSecret: {{ .Values.onlyoffice.config.coAuthoring.secret.session.string }}
+{{- end }}
+---
+{{- if and (not .Values.onlyoffice.config.rabbitmq.existingSecret) .Values.onlyoffice.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "opencloud.fullname" . }}-rabbitmq
+type: Opaque
+stringData:
+  url: {{ .Values.onlyoffice.config.rabbitmq.url }}
+{{- end }}
diff --git a/charts/opencloud/templates/opencloud/deployment.yaml b/charts/opencloud/templates/opencloud/deployment.yaml
diff --git a/charts/opencloud/templates/opencloud/secrets.yaml b/charts/opencloud/templates/opencloud/secrets.yaml
diff --git a/charts/opencloud/templates/postgres/deployment.yaml b/charts/opencloud/templates/postgres/deployment.yaml
diff --git a/charts/opencloud/templates/postgres/secrets.yaml b/charts/opencloud/templates/postgres/secrets.yaml
diff --git a/charts/opencloud/values.yaml b/charts/opencloud/values.yaml
