diff --git a/kubernetes/helm/docspell/templates/_configs.tpl b/kubernetes/helm/docspell/templates/_configs.tpl index 535851a398..f27543071d 100644 --- a/kubernetes/helm/docspell/templates/_configs.tpl +++ b/kubernetes/helm/docspell/templates/_configs.tpl @@ -15,7 +15,9 @@ {{- $envPrefix = "DOCSPELL_JOEX_JDBC" -}} {{- end }} {{ $envPrefix }}_USER: {{ .context.Values.postgresql.global.postgresql.auth.username }} +{{- if not .context.Values.postgresql.global.postgresql.auth.existingSecret }} {{ $envPrefix }}_PASSWORD: {{ .context.Values.postgresql.global.postgresql.auth.password }} +{{- end }} {{ $envPrefix }}_URL: {{ include "postgresql.jdbcUrl" .context }} {{- end -}} {{- end -}} diff --git a/kubernetes/helm/docspell/templates/_helpers.tpl b/kubernetes/helm/docspell/templates/_helpers.tpl index aef2b5535d..f03c46b74f 100644 --- a/kubernetes/helm/docspell/templates/_helpers.tpl +++ b/kubernetes/helm/docspell/templates/_helpers.tpl @@ -57,4 +57,4 @@ app.kubernetes.io/instance: {{ .Release.Name }} {{- else }} {{- default "default" .Values.serviceAccount.name }} {{- end -}} -{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/kubernetes/helm/docspell/templates/joex/_existingSecrets.yaml b/kubernetes/helm/docspell/templates/joex/_existingSecrets.yaml new file mode 100644 index 0000000000..92b91f51b5 --- /dev/null +++ b/kubernetes/helm/docspell/templates/joex/_existingSecrets.yaml @@ -0,0 +1,10 @@ +{{- define "docspell.joex.secrets.existingSecrets" -}} +{{/*PostgreSQL Password*/}} +{{- if .Values.postgresql.global.postgresql.auth.existingSecret -}} +- name: DOCSPELL_JOEX_JDBC_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.postgresql.global.postgresql.auth.existingSecret }} + key: {{ .Values.postgresql.global.postgresql.auth.secretKeys.userPasswordKey | default "password" }} +{{- end -}} +{{- end -}} \ No newline at end of file 
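Review bot: The new partial is named `joex/_existingSecrets.yaml`, while its restserver counterpart added in the same commit is `restserver/_existingSecrets.tpl`. Both files contain only a `define`, so using `.tpl` for both would keep the partials consistent. The helper also has no description of what it emits; a template comment above the `define` would help, e.g. `{{/* Renders container env entries that read credentials from pre-existing Secrets */}}`, since the helpers in `_configs.tpl` render map keys rather than `env` list items.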
diff --git a/kubernetes/helm/docspell/templates/joex/deployment.yaml b/kubernetes/helm/docspell/templates/joex/deployment.yaml index 2d5f20f763..ac6ebdd9c2 100644 --- a/kubernetes/helm/docspell/templates/joex/deployment.yaml +++ b/kubernetes/helm/docspell/templates/joex/deployment.yaml @@ -27,6 +27,7 @@ spec: metadata: annotations: checksum/config: {{ include (print $.Template.BasePath "/joex/config.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/joex/secret.yaml") . | sha256sum }} {{- with .Values.joex.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} @@ -51,6 +52,8 @@ spec: ports: - containerPort: {{ .Values.joex.service.port }} name: http + env: + {{- include "docspell.joex.secrets.existingSecrets" . | nindent 10 }} envFrom: - configMapRef: name: {{ include "docspell.fullname" . }}-joex diff --git a/kubernetes/helm/docspell/templates/restserver/_configs.tpl b/kubernetes/helm/docspell/templates/restserver/_configs.tpl index 61743c8102..37fdca0220 100644 --- a/kubernetes/helm/docspell/templates/restserver/_configs.tpl +++ b/kubernetes/helm/docspell/templates/restserver/_configs.tpl @@ -32,9 +32,14 @@ {{/*Auth Secrets*/}} {{- define "docspell.server.secrets.auth" -}} -{{- with .Values.docspell.server.auth.serverSecret }} +{{- if .Values.docspell.server.auth.serverSecret -}} +{{- if and .Values.docspell.server.auth.serverSecret.value .Values.docspell.server.auth.serverSecret.existingSecret -}} +{{- fail "Only either a fixed server secret or an existing secret should be specified" -}} +{{- end -}} +{{- with .Values.docspell.server.auth.serverSecret.value }} DOCSPELL_SERVER_AUTH_SERVER__SECRET: {{ . }} -{{- end }} +{{- end -}} +{{- end -}} {{- end -}} {{/*Download Config*/}} 
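Review bot: The added `checksum/secret` annotation hashes only the Secret rendered by this chart (assuming `joex/secret.yaml` exists; it is not part of this diff), so credentials that now come from an existing Secret through `secretKeyRef` are not covered. Rotating a key in that Secret does not change the pod template, and env values are resolved only when the container starts, so pods keep the old credential until they are restarted. A comment next to the annotation would make this visible to operators, e.g. `# does not track Secrets referenced via existingSecret; restart pods after rotating those`. The same applies to the `checksum/secret` line added in `restserver/deployment.yaml`.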
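Review bot: When no `existingSecret` is configured the helper renders nothing, so the unconditional `env:` key is followed only by the whitespace that `nindent 10` produces and the field renders as null. Emitting the key only when there is content avoids that: open with `{{- with include "docspell.joex.secrets.existingSecrets" . }}`, put `env:` and `{{- . | nindent 10 }}` inside, and close with `{{- end }}`. The `env:` block added in `restserver/deployment.yaml` has the same shape. A short comment that these `env` entries are meant to supply the keys deliberately omitted from the chart's own Secret would also help readers of the `envFrom` list that follows.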
@@ -71,7 +76,7 @@ DOCSPELL_SERVER_AUTH_SERVER__SECRET: {{ . }} {{- define "docspell.server.secrets.openid" -}} {{- $envPrefix := "DOCSPELL_SERVER_OPENID" -}} {{- range $index, $entry := .Values.docspell.server.openid -}} -{{- if $entry.enabled -}} +{{- if and $entry.enabled (not $entry.provider.existingSecret) -}} {{- $envPrefix = printf "%s_%s_PROVIDER" $envPrefix ($index | toString) }} {{ $envPrefix }}_CLIENT__ID: {{ $entry.provider.clientId }} {{ $envPrefix }}_CLIENT__SECRET: {{ $entry.provider.clientSecret }} 
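Review bot: The context line directly after the changed `if` reassigns the outer variable with `=` (`$envPrefix = printf "%s_%s_PROVIDER" $envPrefix …`), so the prefix accumulates across iterations and a second provider would get `DOCSPELL_SERVER_OPENID_0_PROVIDER_1_PROVIDER_…`. The new helper in `restserver/_existingSecrets.tpl` builds the prefix from the literal with `:=`, so the two code paths would name the variables differently from the second entry on. Using a loop-local variable here, e.g. `{{- $prefix := printf "%s_%s_PROVIDER" $envPrefix ($index | toString) }}`, and `$prefix` in the lines below would make them agree. The rest of the `range` body lies outside this hunk.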
@@ -110,24 +115,40 @@ DOCSPELL_SERVER_AUTH_SERVER__SECRET: {{ . }} {{/*Integration Endpoint Secrets*/}} {{- define "docspell.server.secrets.integrationEndpoint" -}} -{{- if .Values.docspell.server.integrationEndpoint.httpBasic.enabled | quote -}} -{{- $envPrefix := "DOCSPELL_SERVER_INTEGRATION__ENDPOINT__HTTP__BASIC" -}} +{{- if .Values.docspell.server.integrationEndpoint.httpBasic.enabled -}} +{{- if and .Values.docspell.server.integrationEndpoint.httpBasic.credentials .Values.docspell.server.integrationEndpoint.httpBasic.existingSecret -}} +{{- fail "Only either the fixed credentials or an existing secret for the httpBasic integration endpoint should be set" -}} +{{- end -}} +{{- $envPrefix := "DOCSPELL_SERVER_INTEGRATION__ENDPOINT_HTTP__BASIC" -}} {{ $envPrefix}}_REALM: {{ .Values.docspell.server.integrationEndpoint.httpBasic.realm }} -{{ $envPrefix}}_USER: {{ .Values.docspell.server.integrationEndpoint.httpBasic.user }} -{{ $envPrefix}}_PASSWORD: {{ .Values.docspell.server.integrationEndpoint.httpBasic.password }} +{{- with .Values.docspell.server.integrationEndpoint.httpBasic.credentials }} +{{ $envPrefix}}_USER: {{ .username }} +{{ $envPrefix}}_PASSWORD: {{ .password }} +{{- end -}} {{- end }} -{{- if .Values.docspell.server.integrationEndpoint.httpHeader.enabled | quote -}} -{{ $envPrefix := "DOCSPELL_SERVER_INTEGRATION__ENDPOINT__HTTP__HEADER" }} +{{- if .Values.docspell.server.integrationEndpoint.httpHeader.enabled -}} +{{- if and .Values.docspell.server.integrationEndpoint.httpHeader.headerValue.value .Values.docspell.server.integrationEndpoint.httpHeader.headerValue.existingSecret -}} +{{- fail "Only either the fixed header value or an existing secret for the http header ingration endpoint should be set" -}} +{{- end -}} +{{ $envPrefix := "DOCSPELL_SERVER_INTEGRATION__ENDPOINT_HTTP__HEADER" }} {{ $envPrefix }}_HEADER__NAME: {{ .Values.docspell.server.integrationEndpoint.httpHeader.headerName }} -{{ $envPrefix }}_HEADER__VALUE: {{ 
.Values.docspell.server.integrationEndpoint.httpHeader.headerValue }} +{{- with .Values.docspell.server.integrationEndpoint.httpHeader.headerValue.value -}} +{{ $envPrefix }}_HEADER__VALUE: {{ .Values.docspell.server.integrationEndpoint.httpHeader.headerValue.value }} +{{- end -}} {{- end }} {{- end -}} {{/*Admin Endpoint Secrets*/}} {{- define "docspell.server.secrets.adminEndpoint" -}} -{{- with .Values.docspell.server.adminEndpoint.secret }} -DOCSPELL_SERVER_ADMIN__ENDPOINT_SECRET: {{ . }} -{{- end }} +{{- if .Values.docspell.server.adminEndpoint.enabled -}} +{{- $context := . -}} +{{- with .Values.docspell.server.adminEndpoint.secret -}} +{{- if $context.Values.docspell.server.adminEndpoint.existingSecret }} +{{- fail "Only either the fixed value or an existing secret for the admin endpoint should be set" -}} +{{- end -}} +DOCSPELL_SERVER_ADMIN__ENDPOINT_SECRET: {{ .value }} +{{- end -}} +{{- end -}} {{- end -}} {{/*Signup Settings*/}} @@ -142,6 +163,12 @@ DOCSPELL_SERVER_ADMIN__ENDPOINT_SECRET: {{ . }} {{/*Signup Secrets*/}} {{- define "docspell.server.secrets.signup" -}} {{- if eq .Values.docspell.server.backend.signup.mode "invite" }} -DOCSPELL_SERVER_BACKEND_SIGNUP_NEW__INVITE__PASSWORD: {{ .Values.docspell.server.backend.signup.newInvitePassword }} +{{- $context := . -}} +{{- with .Values.docspell.server.backend.signup.newInvitePassword.value -}} +{{- if $context.Values.docspell.server.backend.signup.newInvitePassword.existingSecret -}} +{{- fail "Only either the fixed value or an existing secret for the new invite password should be set" -}} +{{- end -}} +DOCSPELL_SERVER_BACKEND_SIGNUP_NEW__INVITE__PASSWORD: {{ . }} +{{- end -}} {{- end -}} {{- end -}} \ No newline at end of file diff --git a/kubernetes/helm/docspell/templates/restserver/_existingSecrets.tpl b/kubernetes/helm/docspell/templates/restserver/_existingSecrets.tpl new file mode 100644 index 0000000000..54446d9980 --- /dev/null 
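Review bot: In the httpHeader branch the new `with` block rebinds `.` to the header value, so `{{ .Values.docspell.server.integrationEndpoint.httpHeader.headerValue.value }}` inside it is evaluated against a string and rendering will fail once a value is set. The opening action also trims on both sides (`{{- with … -}}`), which would join the `_HEADER__VALUE` key onto the end of the `_HEADER__NAME` line. Writing it like the httpBasic block fixes both: `{{- with .Values.docspell.server.integrationEndpoint.httpHeader.headerValue.value }}` followed by `{{ $envPrefix }}_HEADER__VALUE: {{ . }}`. The `fail` message in the same branch has a typo, "ingration".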
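Review bot: The invite password is written unquoted (`DOCSPELL_SERVER_BACKEND_SIGNUP_NEW__INVITE__PASSWORD: {{ . }}`), and these helpers appear to be rendered under `stringData` in `restserver/secret.yaml`. A value that YAML reads as a number, boolean or null (an all-digit password, `true`, `no`) is then not a string and the Secret will be rejected or altered. `{{ . | quote }}` keeps the value a string. The same applies to the new `{{ .username }}`, `{{ .password }}` and `{{ .value }}` lines in the integration and admin endpoint hunk above.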
+++ b/kubernetes/helm/docspell/templates/restserver/_existingSecrets.tpl 
@@ -0,0 +1,86 @@ +{{- define "docspell.server.secrets.existingSecrets" -}} +{{/*Server Secret*/}} +{{- if .Values.docspell.server.auth.serverSecret -}} +{{- if and .Values.docspell.server.auth.serverSecret.existingSecret (not .Values.docspell.server.auth.serverSecret.value) -}} +- name: DOCSPELL_SERVER_AUTH_SERVER__SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.docspell.server.auth.serverSecret.existingSecret.name }} + key: {{ .Values.docspell.server.auth.serverSecret.existingSecret.key }} +{{- end -}} +{{- end }} +{{/*OIDC Secrets*/}} +{{- range $index, $entry := .Values.docspell.server.openid -}} +{{- if and $entry.enabled $entry.provider.existingSecret -}} +{{- $envPrefix := printf "%s_%s_PROVIDER" "DOCSPELL_SERVER_OPENID" ($index | toString) -}} +- name: {{ $envPrefix }}_CLIENT__ID + valueFrom: + secretKeyRef: + name: {{ $entry.provider.existingSecret.name }} + key: {{ $entry.provider.existingSecret.clientIdKey }} +- name: {{ $envPrefix }}_CLIENT__SECRET + valueFrom: + secretKeyRef: + name: {{ $entry.provider.existingSecret.name }} + key: {{ $entry.provider.existingSecret.clientSecretKey }} +- name: {{ $envPrefix }}_SIGN__KEY +{{- if $entry.provider.existingSecret.signKeyKey -}} + valueFrom: + secretKeyRef: + name: {{ $entry.provider.existingSecret.name }} + key: {{ $entry.provider.existingSecret.signKeyKey }} +{{- else }} + value: "" +{{- end -}} +{{- end -}} +{{- end -}} +{{/*Integration Endpoint Http Basic Auth*/}} +{{- if .Values.docspell.server.integrationEndpoint.httpBasic.existingSecret }} +- name: DOCSPELL_SERVER_INTEGRATION__ENDPOINT_HTTP__BASIC_USER + valueFrom: + secretKeyRef: + name: {{ .Values.docspell.server.integrationEndpoint.httpBasic.existingSecret.name }} + key: {{ .Values.docspell.server.integrationEndpoint.httpBasic.existingSecret.usernameKey }} +- name: DOCSPELL_SERVER_INTEGRATION__ENDPOINT_HTTP__BASIC_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.docspell.server.integrationEndpoint.httpBasic.existingSecret.name }} + 
key: {{ .Values.docspell.server.integrationEndpoint.httpBasic.existingSecret.passwordKey }} +{{- end }} +{{/*Integration Endpoint Http Header Auth*/}} +{{- if and .Values.docspell.server.integrationEndpoint.enabled .Values.docspell.server.integrationEndpoint.httpHeader.enabled -}} +{{- if .Values.docspell.server.integrationEndpoint.httpHeader.headerValue.existingSecret }} +- name: DOCSPELL_SERVER_INTEGRATION__ENDPOINT_HTTP__HEADER_HEADER__VALUE + valueFrom: + secretKeyRef: + name: {{ .Values.docspell.server.integrationEndpoint.httpHeader.headerValue.existingSecret.name }} + key: {{ .Values.docspell.server.integrationEndpoint.httpHeader.headerValue.existingSecret.key }} +{{- end -}} +{{- end }} +{{/*Admin Endpoint Secret*/}} +{{- with .Values.docspell.server.adminEndpoint.existingSecret }} +- name: DOCSPELL_SERVER_ADMIN__ENDPOINT_SECRET + valueFrom: + secretKeyRef: + name: {{ .name }} + key: {{ .key }} +{{- end }} +{{/*Sign Up Invitation Generation Password*/}} +{{- if eq .Values.docspell.server.backend.signup.mode "invite" -}} +{{- with .Values.docspell.server.backend.signup.newInvitePassword.existingSecret }} +- name: DOCSPELL_SERVER_BACKEND_SIGNUP_NEW__INVITE__PASSWORD + valueFrom: + secretKeyRef: + name: {{ .name }} + key: {{ .key }} +{{- end -}} +{{- end }} +{{/*PostgreSQL Password*/}} +{{- if .Values.postgresql.global.postgresql.auth.existingSecret -}} +- name: DOCSPELL_SERVER_BACKEND_JDBC_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.postgresql.global.postgresql.auth.existingSecret }} + key: {{ .Values.postgresql.global.postgresql.auth.secretKeys.userPasswordKey | default "password" }} +{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/kubernetes/helm/docspell/templates/restserver/deployment.yaml b/kubernetes/helm/docspell/templates/restserver/deployment.yaml index f37fdb4f2e..095468e823 100644 --- a/kubernetes/helm/docspell/templates/restserver/deployment.yaml +++ b/kubernetes/helm/docspell/templates/restserver/deployment.yaml 
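Review bot: In the OIDC block the `_SIGN__KEY` entry is broken by whitespace trimming: `{{- if $entry.provider.existingSecret.signKeyKey -}}` trims on both sides, so `valueFrom:` is joined onto the `- name: …_SIGN__KEY` line. Dropping the right-hand trim, `{{- if $entry.provider.existingSecret.signKeyKey }}`, keeps the line break. Every action at the start and end of the `range` body also trims, so a second provider with `existingSecret` would be appended directly after the previous entry's last value. Ending the prefix assignment with `}}` instead of `-}}` puts each `- name:` on its own line. Separately, the httpBasic and admin endpoint entries are emitted whenever their `existingSecret` is set, without the `enabled` check used in `_configs.tpl`; please confirm that is intended.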
@@ -27,6 +27,7 @@ spec: metadata: annotations: checksum/config: {{ include (print $.Template.BasePath "/restserver/config.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/restserver/secret.yaml") . | sha256sum }} {{- with .Values.restserver.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} @@ -47,6 +48,8 @@ spec: ports: - containerPort: {{ .Values.restserver.service.port }} name: http + env: + {{- include "docspell.server.secrets.existingSecrets" . | nindent 10 }} envFrom: - configMapRef: name: {{ include "docspell.fullname" . }}-restserver diff --git a/kubernetes/helm/docspell/templates/restserver/secret.yaml b/kubernetes/helm/docspell/templates/restserver/secret.yaml index 69a498d6c1..854cc2fda7 100644 --- a/kubernetes/helm/docspell/templates/restserver/secret.yaml +++ b/kubernetes/helm/docspell/templates/restserver/secret.yaml 
@@ -7,11 +7,19 @@ metadata: type: Opaque stringData: assertions: - {{- if and (gt .Values.restserver.replicaCount 1.0) (not .Values.docspell.server.auth.serverSecret) -}} + {{- if gt .Values.restserver.replicaCount 1.0 }} + {{- if not .Values.docspell.server.auth.serverSecret -}} {{- fail "If multiple replicas are running of the rest server, the server secret has to be fixed." -}} + {{- else if not (or .Values.docspell.server.auth.serverSecret.existingSecret .Values.docspell.server.auth.serverSecret.value) }} + {{- end -}} + {{- if and .Values.docspell.server.adminEndpoint.enabled (and (not .Values.docspell.server.adminEndpoint.existingSecret) (not .Values.docspell.server.adminEndpoint.secret)) -}} + {{- fail "When enabling the administration endpoint, a value for authentication has the supplied." -}} + {{- end -}} + {{- end -}} + {{- if eq .Values.docspell.server.backend.signup.mode "invite" -}} + {{- if not .Values.docspell.server.backend.signup.newInvitePassword -}} + {{- fail "Invite password has to be set, when using signup mode 'invite'." -}} {{- end -}} - {{- if and (eq .Values.docspell.server.backend.signup.mode "invite") (not .Values.docspell.server.backend.signup.newInvitePassword) -}} - {{- fail "Invite password has to be set, when using signup mode 'invite'" -}} {{- end -}} {{- include "docspell.server.secrets.auth" . | nindent 4 }} {{- include "docspell.server.secrets.openid" . | nindent 4 }} diff --git a/kubernetes/helm/docspell/values.yaml b/kubernetes/helm/docspell/values.yaml index 00dcee6ad8..225c16cd24 100644 --- a/kubernetes/helm/docspell/values.yaml +++ b/kubernetes/helm/docspell/values.yaml 
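Review bot: The new `{{- else if not (or …existingSecret …value) }}` branch is empty, so a `serverSecret` map that sets neither `value` nor `existingSecret` passes the multi-replica check silently. It presumably needs the same `fail` as the branch above it. The admin endpoint assertion is also nested inside the `gt .Values.restserver.replicaCount 1.0` block, so it only fires when more than one replica is configured. A single-replica install can therefore enable the admin endpoint without any secret and get no error; closing the replica `if` before that check would make it apply to every install. The message has a typo as well: "has the supplied" should read "has to be supplied".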
@@ -60,13 +60,19 @@ docspell: bind: address: 0.0.0.0 port: 7880 - ## @param docspell.server.auth.serverSecret Secret to sign the authenticator tokens. If empty, one will be generated + ## @param docspell.server.auth.serverSecret.value Secret to sign the authenticator tokens. If empty, one will be generated + ## @param docspell.server.auth.serverSecret.existingSecret.name The name of an existing Kubernetes secret that contains the server secret + ## @param docspell.server.auth.serverSecret.existingSecret.key The key inside the existing Kubernetes secret that contains the server secret ## @param docspell.server.auth.sessionValid How long an authentication token is valid ## @param docspell.server.auth.onAccountSourceConflict Fail if a duplicate account from an external source should fail the login. Can be: fail, convert ## @param docspell.server.auth.rememberMe.enabled Enable/disable the remember me function ## @param docspell.server.auth.rememberMe.valid How long the remember me cookie/token is valid auth: - serverSecret: b64:YRx77QujCGkHSvll0TVEmtTaw3Z5eXr+nWMsEJowgKg= + serverSecret: + # value: asdf + # existingSecret: + # name: "my-existing-secret" + # key: "key-inside-secret" sessionValid: "5 minutes" onAccountSourceConflict: fail rememberMe: 
@@ -85,14 +91,19 @@ docspell: providerId: keycloak clientId: docspell clientSecret: example-secret-439e-bf06-911e4cdd56a6 - scope: profile authorizeUrl: http://localhost:8080/auth/realms/home/protocol/openid-connect/auth tokenUrl: http://localhost:8080/auth/realms/home/protocol/openid-connect/token + scope: openid profile email # User URL is not used when signature key is set # userUrl: http://localhost:8080/auth/realms/home/protocol/openid-connect/userinfo logoutUrl: http://localhost:8080/auth/realms/home/protocol/openid-connect/logout signKey: b64:anVzdC1hLXRlc3Q= sigAlgo: RS512 + # existingSecret: + # name: "my-existing-secret" + # clientIdKey: clientId + # clientSecretKey: clientSecret + # signKeyKey: signKey # The collective of the user is given in the access token as property `docspell_collective` collectiveKey: "lookup:docspell_collective" # The username to use for the docspell account @@ -104,8 +115,6 @@ docspell: ## @param docspell.server.integrationEndpoint.sourceName The name used for the item "source" property when uploaded through this endpoint ## @param docspell.server.integrationEndpoint.allowedIps.enabled Enable ip-allow-access-list ## @param docspell.server.integrationEndpoint.allowedIps.ips List of ips which should be added to the access list - ## @param docspell.server.integrationEndpoint.httpBasic.enabled Whether integration endpoint requests are expected to use http basic auth when uploading files - ## @param doscpell.server.integrationEndpoint.httpHeader.enabled Whether integration endpoint requests are expected to supply some specific header when uploading files integrationEndpoint: enabled: true priority: low 
@@ -115,18 +124,46 @@ docspell: ips: # IP addresses may be specific as simple globs: a part marked as '*' matches any octet, like in `192.168.*.*` - 127.0.0.1 + ## @param docspell.server.integrationEndpoint.httpBasic.enabled Whether integration endpoint requests are expected to use http basic auth when uploading files + ## @param docspell.server.integrationEndpoint.httpBasic.credentials.user The username for httpBasic authentication + ## @param docspell.server.integrationEndpoint.httpBasic.credentials.password The password for the httpBasic authentication + ## @param docspell.server.integrationEndpoint.httpBasic.existingSecret.name Name of an existing Kubernetes secret that contains the httpBasic credentials + ## @param docspell.server.integrationEndpoint.httpBasic.existingSecret.usernameKey The key inside the existing Kubernetes secret that contains the username for httpBasic + ## @param docspell.server.integrationEndpoint.httpBasic.existingSecret.passwordKey The key inside the existing Kubernetes secret that contains the password for httpBasic httpBasic: enabled: false realm: "Docspell Integration" - user: "docspell-int" - password: "docspell-int" + credentials: + # username: "docspell-int" + # password: "docspell-int" + # existingSecret: + # name: "http-basic-secret-name" + # usernameKey: "username-key-inside-secret" + # passwordKey: "password-key-inside-secret" + ## @param doscpell.server.integrationEndpoint.httpHeader.enabled Whether integration endpoint requests are expected to supply some specific header when uploading files + ## @param docpsell.server.integrationEndpoint.httpHeader.headerName The name of the header that has to be included in the integration endpoint request + ## @param docspell.server.integrationEndpoint.httpHeader.headerValue.value The header value that is expected to be included in the integration endpoint request + ## @param docspell.server.integrationEndpojnt.httpHeader.headerValue.existingSecret.name The name of an existing Kubernetes 
secret that contains the value expected to be included in the integration endpoint request + ## @param docspell.server.integrationEndpojnt.httpHeader.headerValue.existingSecret.key The key inside of an existing Kubernetes secret that contains the value expected to be included in the integration endpoint httpHeader: - enabled: true + enabled: false headerName: "Docspell-Integration" - headerValue: "SomeSecret" - ## @param docspell.server.adminEndpoint.secret Special administration endpoint. If a secret isn't supplied, the endpont is disabled + headerValue: + # value: "SomeSecret" + # existingSecret: + # name: "my-existing-secret" + # key: "header-value-key-inside-secret" + ## @param docspell.server.adminEndpoint.enabled Whether to enable the special administration endpoint. A secret value or existing secret containing the value has to be supplied when enabled + ## @param docspell.server.adminEndpoint.secret.value Value for the administration endpoint + ## @param docspell.server.adminEndpoint.existingSecret.name The name of an existing Kubernetes secret that contains the value for the admin endpoint + ## @param docspell.server.adminEndpoint.existingSecret.key The key inside of an existing Kubernetes secret that contains the value for the admin endpoint adminEndpoint: - secret: + enabled: false + # secret: + # value: "test" + # existingSecret: + # name: "my-existing-secret" + # key: "admin-key-inside-secret" ## @param docspell.server.backend.mailDebug Enable or disabling debugging for e-mail related functionality backend: 
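Review bot: Several of the new `@param` paths do not match the actual keys, so generated docs and anyone copying from them will be misled. `httpBasic.credentials.user` is documented, but the template and the commented example use `username`. The prefixes `doscpell.`, `docpsell.` and `docspell.server.integrationEndpojnt.` are misspelled, and the signup hunk further down has `newINvitePassword`. Please align each with the key actually read, e.g. `## @param docspell.server.integrationEndpoint.httpBasic.credentials.username …`. Since `credentials:` and `headerValue:` are left with only commented children and therefore null, a line noting that exactly one of the fixed value or `existingSecret` must be set when the endpoint is enabled would also help.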
@@ -139,11 +176,17 @@ docspell: runFixupMigrations: true repairSchema: false ## @param docspell.server.backend.signup.mode The mode defines if new users can signup or not (open, invite, closed) - ## @param docspell.server.backend.signup.newInvitePassword If mode is 'invite', a password must be provided to generate invitation keys + ## @param docspell.server.backend.signup.newInvitePassword.value If mode is 'invite', a password must be provided to generate invitation keys + ## @param docspell.server.backend.signup.newInvitePassword.existingSecret.name The name of an existing Kubernetes secret that contains the invitation generation password + ## @param docspell.server.backend.signup.newINvitePassword.existingSecret.key The key inside of an existing Kubernetes secret that contains the invitation generation password ## @param docspell.server.backend.signup.inviteTime If mode is 'invite', this is the period an invitation token is considered valid signup: mode: open - newInvitePassword: + newInvitePassword: + # value: asdf + # existingSecret: + # name: "my-existing-secret" + # key: "invite-password-key" inviteTime: "3 days" ## @param docspell.joex.appId Id of the node ## @param docspell.joex.mailDebug Enable or disabling debugging for e-mail related functionality @@ -295,9 +338,6 @@ ingress: # - secretName: chart-exmaple-tls # hosts: # - docspell.example.com - # Mostly for argocd or any other CI that uses `helm template | kubectl apply` or similar - # If helm doesn't correctly detect your ingress API version you can set it here. - # apiVersion: networking.k8s.io/v1 ## @section ServiceAccount # 
@@ -542,6 +582,9 @@ solr: ## @param postgresql.global.postgresql.auth.password Password for the `dbname` user (overrides `auth.password`) ## @param postgresql.global.postgresql.auth.database Name for a custom database to create (overrides `auth.database`) ## @param postgresql.global.postgresql.auth.username Name for a custom user to create (overrides `auth.username`) +## @param postgresql.global.postgresql.auth.existingSecret Name of an existing Kubernetes secret that contains the postgresql credentials. `auth.password` will be ignored and picked up from this secret +## @param postgresql.global.postgresql.auth.secretKeys.adminPasswordKey Name of key in existing secret to use for PostgreSQL credentials. +## @param postgresql.global.postgresql.auth.secretKeys.userPasswordKey Name of key in existing secret to use for PostgreSQL credentials. ## @param postgresql.global.postgresql.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`) ## @param postgresql.primary.persistence.size PVC Storage Request for PostgreSQL volume postgresql: @@ -552,6 +595,10 @@ postgresql: database: dbname username: dbuser password: dbpass + existingSecret: postgres-secret + secretKeys: + adminPasswordKey: postgres-password + userPasswordKey: password service: postgresql: 5432 primary:
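Review bot: The last hunk sets `existingSecret: postgres-secret` as a default, which makes a pre-existing Secret a requirement for a default install. The templates in this commit then drop the JDBC password from the chart's own Secret and reference `postgres-secret` through `secretKeyRef`. Unless something outside this diff creates that Secret, the pods will not start, and the `password: dbpass` kept beside it is silently ignored. An empty default with the example commented out, as done for the other `existingSecret` options in this file, would keep the feature opt-in: `existingSecret: ""`. The two `secretKeys` `@param` lines also carry the same description; they should say which one is the admin (postgres) password and which is the application user's password.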