Add secret generation to main helm chart.

charts/ocis/ci/values_greater_equal_1.25.0.yaml

@@ -1,5 +1,4 @@
 ---
-
 ingress:
   enabled: true
   ingressClassName: some-ingress
@@ -137,3 +136,6 @@ services:
       finalizers: []
       selectorLabels:
         selector1: foobar
+
+secretRefs:
+  notificationsSmtpSecretRef: "smtp-secret"

charts/ocis/ci/values_pre_1.25.0.yaml

@@ -1,5 +1,4 @@
 ---
-
 ingress:
   enabled: true
   ingressClassName: some-ingress
@@ -133,3 +132,6 @@ services:
       finalizers: []
       selectorLabels:
         selector1: foobar
+
+secretRefs:
+  notificationsSmtpSecretRef: "smtp-secret"

charts/ocis/docs/values-desc-table.adoc

@@ -46,26 +46,26 @@ a| [subs=-attributes]
 a| [subs=-attributes]
 +string+
 a| [subs=-attributes]
-`"graph"`
+`""`
 | Reference to an existing graph config.
 | configRefs.storageusersConfigRef
 a| [subs=-attributes]
 +string+
 a| [subs=-attributes]
-`"storage-users"`
+`""`
 | Reference to an existing storage-users config.
 | configRefs.webThemeAssetsConfigRef
 a| [subs=-attributes]
 +string+
 a| [subs=-attributes]
 `""`
-| Optional reference to an existing web theme assets config. Will be mounted to /var/lib/ocis/web/assets/themes/owncloud/assets for Web. Hint: if you set this, you'll no longer be able to change the instance logo via the Web UI.
+| Optional reference to an existing web theme assets config. Will be mounted to /var/lib/ocis/web/assets/themes/owncloud/assets for Web. Does not get autogenerated. Hint: if you set this, you'll no longer be able to change the instance logo via the Web UI.
 | configRefs.webThemeConfigRef
 a| [subs=-attributes]
 +string+
 a| [subs=-attributes]
 `""`
-| Optional reference to an existing web theme config. Will be mounted to /var/lib/ocis/web/assets/themes/owncloud for Web. Hint: if you set this, you'll no longer be able to change the instance logo via the Web UI.
+| Optional reference to an existing web theme config. Will be mounted to /var/lib/ocis/web/assets/themes/owncloud for Web. Does not get autogenerated. Hint: if you set this, you'll no longer be able to change the instance logo via the Web UI.
 | debug.profiling
 a| [subs=-attributes]
 +bool+
@@ -874,91 +874,91 @@ a| [subs=-attributes]
 a| [subs=-attributes]
 +string+
 a| [subs=-attributes]
-`"admin-user"`
+`""`
 | Reference to an existing admin user secret (see xref:{secrets}[Secrets]). Not used if `features.externalUserManagement.enabled` equals `true`.
 | secretRefs.gdprExportClientSecretRef
 a| [subs=-attributes]
 +string+
 a| [subs=-attributes]
-`"gdpr-export-client-secret"`
+`""`
 | Reference to an existing keycloak client secret, used for the GDPR export. Only used if features.externalUserManagement.gdprExport.enabled equals true.
 | secretRefs.idpSecretRef
 a| [subs=-attributes]
 +string+
 a| [subs=-attributes]
-`"idp-secrets"`
+`""`
 | Reference to an existing IDP secret (see xref:{secrets}[Secrets]). Not used if `features.externalUserManagement.enabled` equals `true`.
 | secretRefs.jwtSecretRef
 a| [subs=-attributes]
 +string+
 a| [subs=-attributes]
-`"jwt-secret"`
+`""`
 | Reference to an existing JWT secret (see xref:{secrets}[Secrets]).
 | secretRefs.ldapCaRef
 a| [subs=-attributes]
 +string+
 a| [subs=-attributes]
-`"ldap-ca"`
+`""`
 | Reference to an existing LDAP certificate authority secret (see xref:{secrets}[Secrets])
 | secretRefs.ldapCertRef
 a| [subs=-attributes]
 +string+
 a| [subs=-attributes]
-`"ldap-cert"`
+`""`
 | Reference to an existing LDAP cert secret (see xref:{secrets}[Secrets]). Not used if `features.externalUserManagement.enabled` equals `true`.
 | secretRefs.ldapSecretRef
 a| [subs=-attributes]
 +string+
 a| [subs=-attributes]
-`"ldap-bind-secrets"`
+`""`
 | Reference to an existing LDAP bind secret (see xref:{secrets}[Secrets]).
 | secretRefs.machineAuthApiKeySecretRef
 a| [subs=-attributes]
 +string+
 a| [subs=-attributes]
-`"machine-auth-api-key"`
+`""`
 | Reference to an existing machine auth api key secret (see xref:{secrets}[Secrets])
 | secretRefs.messagingSystemCaRef
 a| [subs=-attributes]
 +string+
 a| [subs=-attributes]
-`"messaging-system-ca"`
+`""`
 | Reference to an existing messaging system certificate authority secret (see xref:{secrets}[Secrets])
 | secretRefs.notificationsSmtpSecretRef
 a| [subs=-attributes]
 +string+
 a| [subs=-attributes]
-`"notifications-smtp-secret"`
+`""`
 | Reference to an existing SMTP email server settings secret (see xref:{secrets}[Secrets]). Not used if `features.emailNotifications.enabled` equals `false`.
 | secretRefs.s3CredentialsSecretRef
 a| [subs=-attributes]
 +string+
 a| [subs=-attributes]
-`"s3-credentials-secret"`
-| Reference to an existing s3 secret (see xref:{secrets}[Secrets])
+`""`
+| Reference to an existing s3 secret (see xref:{secrets}[Secrets]) If not filled in, will attempt to use values in `.storageusers.storageBackend.s3.driverConfig.s3ng` instead.
 | secretRefs.storagesystemJwtSecretRef
 a| [subs=-attributes]
 +string+
 a| [subs=-attributes]
-`"storage-system-jwt-secret"`
+`""`
 | Reference to an existing storage-system JWT secret (see xref:{secrets}[Secrets])
 | secretRefs.storagesystemSecretRef
 a| [subs=-attributes]
 +string+
 a| [subs=-attributes]
-`"storage-system"`
+`""`
 | Reference to an existing storage-system secret (see xref:{secrets}[Secrets])
 | secretRefs.thumbnailsSecretRef
 a| [subs=-attributes]
 +string+
 a| [subs=-attributes]
-`"thumbnails-transfer-secret"`
+`""`
 | Reference to an existing thumbnails transfer secret (see xref:{secrets}[Secrets])
 | secretRefs.transferSecretSecretRef
 a| [subs=-attributes]
 +string+
 a| [subs=-attributes]
-`"transfer-secret"`
+`""`
 | Reference to an existing transfer secret (see xref:{secrets}[Secrets])
 | securityContext.fsGroup
 a| [subs=-attributes]

charts/ocis/docs/values.adoc.yaml

@@ -463,55 +463,67 @@ ingress:
 
 # References to ConfigMaps.
 # The ConfigMaps need to be manually created.
+# Leave these empty to have them autogenerated by the Helm chart.
+# Note that ConfigMaps generated by the helm chart will be removed once the helm chart is uninstalled.
+# Furthermore, if you already had ConfigMaps at the default locations, they will be NOT be overwritten,
+# but the helm chart will claim ownership of them. If this is a problem, fill in the configRefs below
+# with the names of your existing secrets.
 # See https://doc.owncloud.com/ocis/next/deployment/container/orchestration/orchestration.html#customize-the-generic-setup[doc.owncloud.com] for how to generate them.
 configRefs:
   # -- Reference to an existing storage-users config.
-  storageusersConfigRef: "storage-users"
+  storageusersConfigRef: ""
   # -- Reference to an existing graph config.
-  graphConfigRef: "graph"
+  graphConfigRef: ""
   # -- Optional reference to an existing web theme config.
   # Will be mounted to /var/lib/ocis/web/assets/themes/owncloud for Web.
+  # Does not get autogenerated.
   # Hint: if you set this, you'll no longer be able to change the instance logo via the Web UI.
   webThemeConfigRef: ""
   # -- Optional reference to an existing web theme assets config.
   # Will be mounted to /var/lib/ocis/web/assets/themes/owncloud/assets for Web.
+  # Does not get autogenerated.
   # Hint: if you set this, you'll no longer be able to change the instance logo via the Web UI.
   webThemeAssetsConfigRef: ""
 
 # References to secrets.
-# The secrets need to be manually created.
-# See https://doc.owncloud.com/ocis/next/deployment/container/orchestration/orchestration.html#customize-the-generic-setup[doc.owncloud.com] for how to generate them.
+# Leave these empty to have them autogenerated by the Helm chart.
+# Note that secrets generated by the helm chart will be removed once the helm chart is uninstalled.
+# Furthermore, if you already had secrets at the default locations, they will be NOT be overwritten,
+# but the helm chart will claim ownership of them. If this is a problem, fill in the secretRefs below
+# with the names of your existing secrets.
+# TODO: Update https://doc.owncloud.com/ocis/next/deployment/container/orchestration/orchestration.html#customize-the-generic-setup[doc.owncloud.com] for how to generate them.
 secretRefs:
   # -- Reference to an existing admin user secret (see xref:{secrets}[Secrets]). Not used if `features.externalUserManagement.enabled` equals `true`.
-  adminUserSecretRef: "admin-user"
+  adminUserSecretRef: ""
   # -- Reference to an existing IDP secret (see xref:{secrets}[Secrets]). Not used if `features.externalUserManagement.enabled` equals `true`.
-  idpSecretRef: "idp-secrets"
+  idpSecretRef: ""
   # -- Reference to an existing JWT secret (see xref:{secrets}[Secrets]).
-  jwtSecretRef: "jwt-secret"
+  jwtSecretRef: ""
   # -- Reference to an existing keycloak client secret, used for the GDPR export. Only used if features.externalUserManagement.gdprExport.enabled equals true.
-  gdprExportClientSecretRef: "gdpr-export-client-secret"
+  gdprExportClientSecretRef: ""
   # -- Reference to an existing LDAP certificate authority secret (see xref:{secrets}[Secrets])
-  ldapCaRef: "ldap-ca"
+  ldapCaRef: ""
   # -- Reference to an existing LDAP cert secret (see xref:{secrets}[Secrets]). Not used if `features.externalUserManagement.enabled` equals `true`.
-  ldapCertRef: "ldap-cert"
+  ldapCertRef: ""
   # -- Reference to an existing LDAP bind secret (see xref:{secrets}[Secrets]).
-  ldapSecretRef: "ldap-bind-secrets"
+  ldapSecretRef: ""
   # -- Reference to an existing machine auth api key secret (see xref:{secrets}[Secrets])
-  machineAuthApiKeySecretRef: "machine-auth-api-key"
+  machineAuthApiKeySecretRef: ""
   # -- Reference to an existing messaging system certificate authority secret (see xref:{secrets}[Secrets])
-  messagingSystemCaRef: "messaging-system-ca"
+  messagingSystemCaRef: ""
   # -- Reference to an existing SMTP email server settings secret (see xref:{secrets}[Secrets]). Not used if `features.emailNotifications.enabled` equals `false`.
-  notificationsSmtpSecretRef: "notifications-smtp-secret"
+  notificationsSmtpSecretRef: ""
   # -- Reference to an existing storage-system JWT secret (see xref:{secrets}[Secrets])
-  storagesystemJwtSecretRef: "storage-system-jwt-secret"
+  storagesystemJwtSecretRef: ""
   # -- Reference to an existing storage-system secret (see xref:{secrets}[Secrets])
-  storagesystemSecretRef: "storage-system"
+  storagesystemSecretRef: ""
   # -- Reference to an existing thumbnails transfer secret (see xref:{secrets}[Secrets])
-  thumbnailsSecretRef: "thumbnails-transfer-secret"
+  thumbnailsSecretRef: ""
   # -- Reference to an existing transfer secret (see xref:{secrets}[Secrets])
-  transferSecretSecretRef: "transfer-secret"
+  transferSecretSecretRef: ""
   # -- Reference to an existing s3 secret (see xref:{secrets}[Secrets])
-  s3CredentialsSecretRef: "s3-credentials-secret"
+  # If not filled in, will attempt to use values in `.storageusers.storageBackend.s3.driverConfig.s3ng` instead.
+  s3CredentialsSecretRef: ""
 
 # Security context options.
 securityContext:

charts/ocis/templates/_common/_configvalues.tpl

@@ -0,0 +1,73 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Simple secret and configmap name definitions.
+
+All take the scope as the first and only parameter.
+*/}}
+{{- define "secrets.adminUser" -}}
+{{ .Values.secretRefs.adminUserSecretRef | default "admin-user" | quote }}
+{{- end -}}
+
+{{- define "secrets.idpSecret" -}}
+{{ .Values.secretRefs.idpSecretRef | default "idp-secrets" | quote }}
+{{- end -}}
+
+{{- define "secrets.jwtSecret" -}}
+{{ .Values.secretRefs.jwtSecretRef | default "jwt-secret" | quote }}
+{{- end -}}
+
+{{- define "secrets.gdprExportClientSecret" -}}
+{{ required "gdprExportClientSecretRef can't be autogenerated" .Values.secretRefs.gdprExportClientSecretRef | quote }}
+{{- end -}}
+
+{{- define "secrets.ldapCASecret" -}}
+{{ .Values.secretRefs.ldapCaRef | default "ldap-ca" | quote }}
+{{- end -}}
+
+{{- define "secrets.ldapCertSecret" -}}
+{{ .Values.secretRefs.ldapCertRef | default "ldap-cert" | quote }}
+{{- end -}}
+
+{{- define "secrets.ldapBindSecret" -}}
+{{ .Values.secretRefs.ldapSecretRef | default "ldap-bind-secrets" | quote }}
+{{- end -}}
+
+{{- define "secrets.machineAuthAPIKeySecret" -}}
+{{ .Values.secretRefs.machineAuthApiKeySecretRef | default "machine-auth-api-key" | quote }}
+{{- end -}}
+
+{{- define "secrets.messagingSystemCASecret" -}}
+{{ required "messagingSystemCASecret can't be autogenerated" .Values.secretRefs.messagingSystemCaRef | quote }}
+{{- end -}}
+
+{{- define "secrets.notificationsSMTPSecret" -}}
+{{ required "notificationsSMTPSecret can't be autogenerated" .Values.secretRefs.notificationsSmtpSecretRef | quote }}
+{{- end -}}
+
+{{- define "secrets.storageSystemJWTSecret" -}}
+{{ .Values.secretRefs.storagesystemJwtSecretRef | default "storage-system-jwt-secret" | quote }}
+{{- end -}}
+
+{{- define "secrets.storageSystemSecret" -}}
+{{ .Values.secretRefs.storagesystemSecretRef | default "storage-system" | quote }}
+{{- end -}}
+
+{{- define "secrets.thumbnailsSecret" -}}
+{{ .Values.secretRefs.thumbnailsSecretRef | default "thumbnails-transfer-secret" | quote }}
+{{- end -}}
+
+{{- define "secrets.transferSecret" -}}
+{{ .Values.secretRefs.transferSecretSecretRef | default "transfer-secret" | quote }}
+{{- end -}}
+
+{{- define "secrets.s3CredentialsSecret" -}}
+{{ .Values.secretRefs.s3CredentialsSecretRef | default "s3-credentials-secret" | quote }}
+{{- end -}}
+
+{{- define "config.storageUsers" -}}
+{{ .Values.configRefs.storageusersConfigRef | default "storage-users" | quote }}
+{{- end -}}
+
+{{- define "config.graph" -}}
+{{ .Values.configRefs.graphConfigRef | default "graph" | quote }}
+{{- end -}}

charts/ocis/templates/_common/_tplvalues.tpl

@@ -287,3 +287,45 @@ oCIS persistence dataVolume
   emptyDir: {}
   {{- end }}
 {{- end -}}
+
+{{/*
+oCIS secret wrapper
+
+@param .name          The name of the secret.
+@param .params        Dict containing data keys/values (plaintext).
+@param .scope         The current scope
+*/}}
+{{- define "ocis.secret" -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .name }}
+data:
+  {{- $secretObj := (lookup "v1" "Secret" .scope.Release.Namespace .name) | default dict }}
+  {{- $secretData := (get $secretObj "data") | default dict }}
+  {{- range $key, $value := .params }}
+  {{- $secretValue := (get $secretData $key) | default ($value | b64enc)}}
+  {{ $key }}: {{ $secretValue | quote }}
+  {{- end }}
+{{- end -}}
+
+{{/*
+oCIS ConfigMap wrapper
+
+@param .name          The name of the ConfigMap.
+@param .params        Dict containing data keys/values (plaintext).
+@param .scope         The current scope
+*/}}
+{{- define "ocis.configMap" -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .name }}
+data:
+  {{- $configObj := (lookup "v1" "ConfigMap" .scope.Release.Namespace .name) | default dict }}
+  {{- $configData := (get $configObj "data") | default dict }}
+  {{- range $key, $value := .params }}
+  {{- $configValue := (get $configData $key) | default ($value)}}
+  {{ $key }}: {{ $configValue | quote }}
+  {{- end }}
+{{- end -}}

charts/ocis/templates/antivirus/deployment.yaml

@@ -100,7 +100,7 @@ spec:
         - name: messaging-system-ca
           {{ if and (.Values.messagingSystem.external.enabled) (not .Values.messagingSystem.external.tls.certTrusted) }}
           secret:
-            secretName: {{ .Values.secretRefs.messagingSystemCaRef }}
+            secretName: {{ include "secrets.messagingSystemCASecret" . }}
           {{ else }}
           emptyDir: {}
           {{ end }}

charts/ocis/templates/appprovider/deployment.yaml

@@ -75,7 +75,7 @@ spec:
             - name: APP_PROVIDER_JWT_SECRET
               valueFrom:
                 secretKeyRef:
-                  name: {{ $.Values.secretRefs.jwtSecretRef }}
+                  name: {{ include "secrets.jwtSecret" $ }}
                   key: jwt-secret
 
           livenessProbe:

charts/ocis/templates/appregistry/deployment.yaml

@@ -53,7 +53,7 @@ spec:
             - name: APP_REGISTRY_JWT_SECRET
               valueFrom:
                 secretKeyRef:
-                  name: {{ .Values.secretRefs.jwtSecretRef }}
+                  name: {{ include "secrets.jwtSecret" . }}
                   key: jwt-secret
 
           {{- include "ocis.livenessProbe" . | nindent 10 }}