reflect mail config changes

charts/ocis/docs/values-desc-table.adoc

@@ -672,11 +672,11 @@ a| [subs=-attributes]
 a| [subs=-attributes]
 `true`
 |
-| features.sharing.passwordPolicies.bannedPasswordsList
+| features.sharing.passwordPolicies.bannedPasswords
 a| [subs=-attributes]
-+string+
++list+
 a| [subs=-attributes]
-`""`
+`[]`
 |
 | features.sharing.passwordPolicies.minCharacters
 a| [subs=-attributes]
@@ -784,7 +784,7 @@ a| [subs=-attributes]
 a| [subs=-attributes]
 +string+
 a| [subs=-attributes]
-`"Always"`
+`"IfNotPresent"`
 | Image pull policy
 | image.pullSecrets
 a| [subs=-attributes]
@@ -802,7 +802,7 @@ a| [subs=-attributes]
 a| [subs=-attributes]
 +string+
 a| [subs=-attributes]
-`""`
+`"c804f9b7120eebe276ec4d35975760e0d924fa197ba641e243ab22e118cec6ed"`
 | Image sha / digest (optional).
 | image.tag
 a| [subs=-attributes]
@@ -1038,6 +1038,12 @@ a| [subs=-attributes]
 a| [subs=-attributes]
 `""`
 | Reference to an existing keycloak client secret, used for the GDPR export. Only used if features.externalUserManagement.gdprExport.enabled equals true.
+| secretRefs.globalNotificationsSecretRef
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`""`
+| The secret to secure the global notifications endpoint. Only system admins and users knowing that secret can call the global notifications POST/DELETE endpoints.
 | secretRefs.idpSecretRef
 a| [subs=-attributes]
 +string+

charts/ocis/docs/values.adoc.yaml

@@ -7,9 +7,9 @@ image:
   # -- Image tag. Defaults to the chart's appVersion.
   tag: "latest"
   # -- Image sha / digest (optional).
-  sha: ""
+  sha: "c804f9b7120eebe276ec4d35975760e0d924fa197ba641e243ab22e118cec6ed" # oCIS as of 18th October 2023
   # -- Image pull policy
-  pullPolicy: Always
+  pullPolicy: IfNotPresent
   # -- Names of the secret containing the credentials to pull an image from the registry. More
   # information how a secret can be defined at https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
   #
@@ -217,8 +217,10 @@ features:
       minSpecialCharacters: 0
       # the minimum amount of digits the password needs to have
       minDigits: 0
-      # the path to the file containing the list of banned passwords
-      bannedPasswordsList: ""
+      # list of banned passwords
+      bannedPasswords: []
+        # - foo
+        # - bar
   # Apps integration
   appsIntegration:
     # -- Enables the apps integration.
@@ -593,6 +595,8 @@ secretRefs:
   s3CredentialsSecretRef: ""
   # -- Reference to an existing service account secret (see xref:{secrets}[Secrets])
   serviceAccountSecretRef: ""
+  # -- The secret to secure the global notifications endpoint. Only system admins and users knowing that secret can call the global notifications POST/DELETE endpoints.
+  globalNotificationsSecretRef: ""
 
 # Security context options.
 securityContext:
@@ -695,13 +699,15 @@ jobNodeSelector:
   # kubernetes.io/arch: "amd64"
 
 # -- Default priorityClassName to apply to all services, except per-service jobPriorityClassName configuration in `services.<service-name>.jobPriorityClassName` is set.
-jobPriorityClassName: ""
+jobPriorityClassName:
+  ""
   # ocis-low-priority
   # ocis-medium-priority
   # ocis-high-priority
 
 # -- Default priorityClassName to apply to all services, except per-service priorityClassName configuration in `services.<service-name>.priorityClassName` is set.
-priorityClassName: ""
+priorityClassName:
+  ""
   # ocis-low-priority
   # ocis-medium-priority
   # ocis-high-priority

charts/ocis/templates/_common/_configvalues.tpl

@@ -40,6 +40,10 @@ All take the scope as the first and only parameter.
 {{ .Values.secretRefs.serviceAccountSecretRef | default "service-account-secret" | quote }}
 {{- end -}}
 
+{{- define "secrets.globalNotificationsSecret" -}}
+{{ required "messagingSystemCASecret can't be autogenerated" .Values.secretRefs.globalNotificationsSecretRef | quote }}
+{{- end -}}
+
 {{- define "secrets.messagingSystemCASecret" -}}
 {{ required "messagingSystemCASecret can't be autogenerated" .Values.secretRefs.messagingSystemCaRef | quote }}
 {{- end -}}

charts/ocis/templates/authservice/deployment.yaml

@@ -56,12 +56,6 @@ spec:
                   name: {{ include "secrets.jwtSecret" . }}
                   key: jwt-secret
 
-            - name: AUTH_SERVICE_API_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "secrets.machineAuthAPIKeySecret" . }}
-                  key: machine-auth-api-key
-
             - name: AUTH_SERVICE_SERVICE_ACCOUNT_ID
               valueFrom:
                 configMapKeyRef:

charts/ocis/templates/clientlog/deployment.yaml

@@ -45,8 +45,7 @@ spec:
             - name: CLIENTLOG_DEBUG_PPROF
               value: {{ .Values.debug.profiling | quote }}
 
-            # NOTE: change to CLIENTLOG... once fix has landed in master
-            - name: USERLOG_DEBUG_ADDR
+            - name: CLIENTLOG_DEBUG_ADDR
               value: 0.0.0.0:9260
 
             - name: CLIENTLOG_STORE

charts/ocis/templates/frontend/config.yaml

@@ -0,0 +1,15 @@
+{{- include "ocis.basicServiceTemplates" (dict "scope" . "appName" "appNameFrontend" "appNameSuffix" "") -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: sharing-banned-passwords
+  namespace: {{ template "ocis.namespace" . }}
+  labels:
+    {{- include "ocis.labels" . | nindent 4 }}
+data:
+  sharing-banned-passwords.txt: |-
+    {{- with .Values.features.sharing.passwordPolicies.bannedPasswords -}}
+    {{- range . -}}
+    {{- . | nindent 4 }}
+    {{- end -}}
+    {{- end -}}

charts/ocis/templates/frontend/deployment.yaml

@@ -9,7 +9,7 @@ spec:
   {{- end }}
   {{- include "ocis.deploymentStrategy" . | nindent 2 }}
   template:
-    {{- include "ocis.templateMetadata" (dict "scope" $ "configCheck" false) | nindent 4 }}
+    {{- include "ocis.templateMetadata" (dict "scope" $ "configCheck" true) | nindent 4 }}
     spec:
       {{- include "ocis.serviceAccount" . | nindent 6 }}
       {{- include "ocis.affinity" .Values.services.frontend | nindent 6 }}
@@ -152,7 +152,7 @@ spec:
 
             # password policies
             - name: FRONTEND_PASSWORD_POLICY_MIN_CHARACTERS
-              value: {{ .Values.features.sharing.passwordPolicies.minChars | quote }}
+              value: {{ .Values.features.sharing.passwordPolicies.minCharacters | quote }}
             - name: FRONTEND_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS
               value: {{ .Values.features.sharing.passwordPolicies.minLowerCharacters | quote }}
             - name: FRONTEND_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS
@@ -162,7 +162,7 @@ spec:
             - name: FRONTEND_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS
               value: {{ .Values.features.sharing.passwordPolicies.minSpecialCharacters | quote }}
             - name: FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST
-              value: {{ .Values.features.sharing.passwordPolicies.bannedPasswordsList | quote }}
+              value: /etc/ocis/sharing-banned-passwords.txt
 
           {{- include "ocis.livenessProbe" . | nindent 10 }}
 
@@ -175,10 +175,15 @@ spec:
               containerPort: 9141
 
           volumeMounts:
+            - name: configs
+              mountPath: /etc/ocis
             - name: tmp-volume
               mountPath: /tmp
 
       {{- include "ocis.imagePullSecrets" $ | nindent 6 }}
       volumes:
         - name: tmp-volume
           emptyDir: {}
+        - name: configs
+          configMap:
+            name: sharing-banned-passwords

charts/ocis/templates/graph/deployment.yaml

@@ -192,12 +192,6 @@ spec:
               value: {{ .Values.features.quotas.default | quote }}
             {{- end }}
 
-            - name: USERLOG_MACHINE_AUTH_API_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "secrets.machineAuthAPIKeySecret" . }}
-                  key: machine-auth-api-key
-
             {{- if .Values.features.gdprReport.integrations.keycloak.enabled }}
             - name: GRAPH_KEYCLOAK_BASE_PATH
               value: {{ .Values.features.gdprReport.integrations.keycloak.basePath | quote }}

charts/ocis/templates/ocs/deployment.yaml

@@ -63,12 +63,6 @@ spec:
                   name: {{ include "secrets.jwtSecret" . }}
                   key: jwt-secret
 
-            - name: OCS_MACHINE_AUTH_API_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "secrets.machineAuthAPIKeySecret" . }}
-                  key: machine-auth-api-key
-
             {{- include "ocis.cors" . |nindent 12 }}
 
           {{- include "ocis.livenessProbe" . | nindent 10 }}

charts/ocis/templates/policies/deployment.yaml

@@ -78,11 +78,6 @@ spec:
                 secretKeyRef:
                   name: {{ include "secrets.jwtSecret" $ }}
                   key: jwt-secret
-            - name: POLICIES_MACHINE_AUTH_API_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "secrets.machineAuthAPIKeySecret" . }}
-                  key: machine-auth-api-key
 
             - name: POLICIES_DEBUG_PPROF
               value: {{ .Values.debug.profiling | quote }}

charts/ocis/templates/search/deployment.yaml

@@ -105,12 +105,6 @@ spec:
                   name: {{ include "secrets.jwtSecret" . }}
                   key: jwt-secret
 
-            - name: SEARCH_MACHINE_AUTH_API_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "secrets.machineAuthAPIKeySecret" . }}
-                  key: machine-auth-api-key
-
             - name: SEARCH_SERVICE_ACCOUNT_ID
               valueFrom:
                 configMapKeyRef:

charts/ocis/templates/storageusers/deployment.yaml

@@ -132,12 +132,6 @@ spec:
             - name: STORAGE_USERS_PURGE_TRASH_BIN_PROJECT_DELETE_BEFORE
               value: {{ .Values.services.storageusers.maintenance.purgeExpiredTrashBinItems.projectDeleteBefore | quote }}
 
-            - name: OCIS_MACHINE_AUTH_API_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "secrets.machineAuthAPIKeySecret" . }}
-                  key: machine-auth-api-key
-
             - name: STORAGE_USERS_SERVICE_ACCOUNT_ID
               valueFrom:
                 configMapKeyRef:

charts/ocis/templates/userlog/deployment.yaml

@@ -26,6 +26,9 @@ spec:
           {{- include "ocis.containerSecurityContext" . | nindent 10 }}
           env:
             {{- include "ocis.serviceRegistry" . | nindent 12 }}
+
+            - name: OCIS_DEFAULT_LANGUAGE
+              value: {{ default "en" .Values.features.language.default | quote }}
 
             - name: USERLOG_LOG_COLOR
               value: {{ .Values.logging.color | quote }}
@@ -88,6 +91,14 @@ spec:
                   name: {{ include "secrets.serviceAccountSecret" . }}
                   key: service-account-secret
 
+            {{- if .Values.secretRefs.globalNotificationsSecretRef }}
+            - name: USERLOG_GLOBAL_NOTIFICATIONS_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "secrets.globalNotificationsSecret" . }}
+                  key: notifications-secret
+            {{- end }}
+
             - name: USERLOG_JWT_SECRET
               valueFrom:
                 secretKeyRef:

charts/ocis/values.yaml

@@ -6,9 +6,9 @@ image:
   # -- Image tag. Defaults to the chart's appVersion.
   tag: "latest"
   # -- Image sha / digest (optional).
-  sha: ""
+  sha: "c804f9b7120eebe276ec4d35975760e0d924fa197ba641e243ab22e118cec6ed" # oCIS as of 18th October 2023
   # -- Image pull policy
-  pullPolicy: Always
+  pullPolicy: IfNotPresent
   # -- Names of the secret containing the credentials to pull an image from the registry. More
   # information how a secret can be defined at https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
   #
@@ -170,8 +170,9 @@ features:
       # -- Authentication method for the SMTP communication. Possible values are ‘login’, ‘plain’, ‘crammd5’, ‘none’
       # If set to another value than `none`, a secret referenced by `notificationsSmtpSecretRef` needs to be present.
       authentication: none
-      # -- Encryption method for the SMTP communication. Possible values are ‘starttls’, ‘ssl’, ‘ssltls’, ‘tls’ and ‘none’.
-      encryption: none
+      # -- Encryption method for the SMTP communication. Possible values are ‘starttls’, ‘ssltls’, ‘auto’ and ‘none’.
+      # -- Values 'ssl' and 'tls' are deprecated and will be removed in version "6.0.0". Use 'starttls' instead of 'tls' and 'ssltls' instead of 'ssl'.
+      encryption: auto
     branding:
       # -- Enables mail branding. If enabled, you need to provide the text and html template ConfigMap.
       # The image ConfigMap is optional.
@@ -216,8 +217,11 @@ features:
       minSpecialCharacters: 0
       # the minimum amount of digits the password needs to have
       minDigits: 0
-      # the path to the file containing the list of banned passwords
-      bannedPasswordsList: ""
+      # list of banned passwords
+      bannedPasswords:
+        []
+        # - foo
+        # - bar
   # Apps integration
   appsIntegration:
     # -- Enables the apps integration.
@@ -592,6 +596,8 @@ secretRefs:
   s3CredentialsSecretRef: ""
   # -- Reference to an existing service account secret (see ref:Secrets#secrets)
   serviceAccountSecretRef: ""
+  # -- The secret to secure the global notifications endpoint. Only system admins and users knowing that secret can call the global notifications POST/DELETE endpoints.
+  globalNotificationsSecretRef: ""
 
 # Security context options.
 securityContext:
@@ -694,13 +700,15 @@ jobNodeSelector:
   # kubernetes.io/arch: "amd64"
 
 # -- Default priorityClassName to apply to all services, except per-service jobPriorityClassName configuration in `services.<service-name>.jobPriorityClassName` is set.
-jobPriorityClassName: ""
+jobPriorityClassName:
+  ""
   # ocis-low-priority
   # ocis-medium-priority
   # ocis-high-priority
 
 # -- Default priorityClassName to apply to all services, except per-service priorityClassName configuration in `services.<service-name>.priorityClassName` is set.
-priorityClassName: ""
+priorityClassName:
+  ""
   # ocis-low-priority
   # ocis-medium-priority
   # ocis-high-priority