Fix oci url and fluxcd config values (opencloud-eu#115)

* Fix oci url and fluxcd config values

* Bump up Version

* Bump up Version

* Bump up Version

* fix: correct busybox image reference and fix typos

- Use initContainerImage values for busybox init container instead of minio image registry/tag
- Fix typo: 'Upgrate' -> 'Upgrade' in timoni README
- Fix template spacing for consistency (add space after opening brackets)

Note: initContainerImage is already defined in values.yaml (line 75-88)

Co-authored-by: Michael Stingl <[email protected]>

---------

Co-authored-by: Your Name <[email protected]>
Co-authored-by: Michael Stingl <[email protected]>

Author: 3 people

charts/opencloud-microservices/README.md

@@ -126,17 +126,6 @@ This repository contains the following chart:
 
 ### Microservices Chart (`charts/opencloud-microservices`)
 
-**Architecture**: Pod-per-service
-- Every single service in its own pod
-- Full Gateway API integration
-- NATS service discovery required
-- Keycloak for authentication
-- MinIO for object storage
-- Integrated LDAP 
-- Document editing with Collabora and/or OnlyOffice
-- Slightly higher resource usage due to microservices pod overhead
-### Microservices Chart (`charts/opencloud-microservices`)
-
 **Architecture**: Pod-per-service
 - Every single service in its own pod
 - Full Gateway API integration
@@ -148,6 +137,51 @@ This repository contains the following chart:
 - Slightly higher resource usage due to microservices pod overhead
 - See [architectural warnings](./charts/opencloud-microservices/README.md#architectural-considerations)
 
+# 🔐 Mandatory secret changes for production
+
+Set all of the following to strong, unique values before deploying to production. Rotate regularly and never commit real values to VCS. Names are taken from deployments/timoni/secret.yaml.
+
+1) LDAP / IDM
+- Secret: ldap-bind-secrets
+  - Key: reva-ldap-bind-password
+  - Note: Must match the LDAP admin password below
+
+- Secret: opencloud-ldap-secrets
+  - Key: adminPassword
+  - Key: configPassword
+  - Note: LDAP Administrator credentials
+
+2) Object Storage (MinIO / S3)
+- Secret: s3secret
+  - Key: accessKey
+  - Key: secretKey
+  - Note: Used by services for S3 access
+
+- Secret: opencloud-minio-secrets - for testing only
+  - Key: rootPassword
+  - Note: MinIO root account password
+
+3) Authentication (Keycloak) - for testing only
+- Secret: opencloud-keycloak-admin-secrets
+  - Key: adminPassword
+  - Note: Keycloak admin password
+
+- Secret: opencloud-keycloak-postgresql-secrets - for testing only
+  - Key: postgresqlPassword
+  - Note: Password for Keycloak’s PostgreSQL database user
+
+4) Messaging / Queues
+- Secret: opencloud-amqp-secret
+  - Key: amqpUrl
+  - Note: Contains credentials in URL form; replace with a strong user/password and secure endpoint
+
+5) Document Editing (OnlyOffice)
+- Secret: opencloud-onlyoffice-secrets
+  - Key: inbox
+  - Key: outbox
+  - Key: session
+  - Note: Tokens used by OnlyOffice/WOPI integration
+
 
 ## 🚀 Installation
 
@@ -174,12 +208,14 @@ timoni bundle apply -f ./charts/opencloud-microservices/deployments/timoni/openc
 
 The charts are also available in the GitHub Container Registry (GHCR) as OCI artifacts:
 
+Change the repo url to:  ghcr.io/opencloud-eu/helm-charts/opencloud-microservices
+
 ```bash
 cd charts/opencloud-microservices/deployments
 helmfile sync
 
 ```
-You can also install it with timoni instead of helm:
+You can also install it with timoni and fluxcd instead of helm:
 ```bash
 kubectl apply -f ./charts/opencloud-microservices/deployments/timoni/ && \
 timoni bundle apply -f ./charts/opencloud-microservices/deployments/timoni/opencloud.cue --runtime ./charts/opencloud-microservices/deployments/timoni/runtime.cue

charts/opencloud-microservices/deployments/helm/helmfile.yaml

@@ -13,8 +13,8 @@ repositories:
 releases:
   # --- OpenCloud Microservice Chart Release ---
   # Deploys the main OpenCloud application with all its integrated services.
-  - name: opencloud-helm
-    namespace: opencloud-helm # Dedicated namespace for the OpenCloud deployment.
+  - name: opencloud
+    namespace: opencloud # Dedicated namespace for the OpenCloud deployment.
     chart: ../../ # Path to the OpenCloud Helm chart.
     values:
       # --- General Settings ---

charts/opencloud-microservices/deployments/timoni/README.md

@@ -1,5 +1,4 @@
-# Install
-
+# Install/Upgrade
 kubectl apply -f ./charts/opencloud-microservices/deployments/timoni/ && \
 timoni bundle apply -f ./charts/opencloud-microservices/deployments/timoni/opencloud.cue --runtime ./charts/opencloud-microservices/deployments/timoni/runtime.cue
 

charts/opencloud-microservices/deployments/timoni/configmap.yaml

@@ -93,6 +93,7 @@ data:
   # Collabora Configuration
   ###############################################################################
   COLLABORA_URI: "https://collabora.opencloud.test"
+  COLLABORA_DOMAIN: "collabora.opencloud.test"
   COLLABORA_ICON_URI: "https://collabora.opencloud.test/favicon.ico"
   COLLABORA_ENABLED: "true"
   COLLABORA_INSECURE: "true"

charts/opencloud-microservices/deployments/timoni/opencloud.cue

@@ -21,11 +21,11 @@ bundle: {
             namespace: "opencloud"
             values: {
                 repository: {
-                    url: "oci://ghcr.io/suse-coder/helm-charts"
+                    url: "oci://ghcr.io/opencloud-eu/helm-charts"
                 }
                 chart: {
                     name:    "opencloud-microservices"
-                    version: "*"
+                    version: "0.1.0"
                 }
                 sync: {
                     timeout: 10
@@ -56,7 +56,12 @@ bundle: {
                             }
                         }
                     }
+                    collabora: {
+                        enabled: bool @timoni(runtime:bool:COLLABORA_ENABLED)
+                        domain: string @timoni(runtime:string:COLLABORA_DOMAIN)
+                    }
                     onlyoffice: {
+                        enabled: bool @timoni(runtime:bool:ONLYOFFICE_ENABLED)
                         domain: string @timoni(runtime:string:ONLYOFFICE_DOMAIN)
                         persistence: {
                             size: string @timoni(runtime:string:ONLYOFFICE_PERSISTENCE_SIZE)
@@ -499,3 +504,4 @@ bundle: {
         }
     }
 }
+

charts/opencloud-microservices/deployments/timoni/runtime.cue

@@ -51,6 +51,7 @@ runtime: {
                 "LDAP_URI":                  "obj.data.LDAP_URI"
                 "OIDC_ISSUER_URI":           "obj.data.OIDC_ISSUER_URI"
                 "COLLABORA_URI":             "obj.data.COLLABORA_URI"
+                "COLLABORA_DOMAIN":          "obj.data.COLLABORA_DOMAIN"
                 "COLLABORA_ICON_URI":        "obj.data.COLLABORA_ICON_URI"
                 "WOPI_INGRESS_DOMAIN":       "obj.data.WOPI_INGRESS_DOMAIN"
                 "WOPI_COLLABORA_TLS_HOST":   "obj.data.WOPI_COLLABORA_TLS_HOST"
@@ -135,6 +136,7 @@ runtime: {
         LDAP_URI: "ldap://openldap.openldap.svc.cluster.local:389"
         OIDC_ISSUER_URI: "https://keycloak.opencloud.test/realms/openCloud"
         COLLABORA_URI: "https://collabora.opencloud.test"
+        COLLABORA_DOMAIN: "collabora.opencloud.test"
         COLLABORA_ICON_URI: "https://collabora.opencloud.test/favicon.ico"
         WOPI_INGRESS_DOMAIN: "wopi.opencloud.test"
         WOPI_COLLABORA_TLS_HOST: "wopi-collabora.kube.opencloud.test"

charts/opencloud-microservices/deployments/timoni/secret.yaml

@@ -1,3 +1,4 @@
+# The ldap-bind-secrets and opencloud-ldap-secrets adminPassword have to be the same
 apiVersion: v1
 kind: Secret
 metadata:

charts/opencloud-microservices/templates/minio/deployment.yaml

@@ -13,7 +13,8 @@ spec:
         fsGroup: 1000
       initContainers:
         - name: init-minio-bucket
-          image: busybox
+          image: "{{ .Values.initContainerImage.repository }}:{{ .Values.initContainerImage.tag }}"
+          imagePullPolicy: {{ .Values.initContainerImage.pullPolicy | default "IfNotPresent" }}
           securityContext:
             runAsUser: 1000
             runAsGroup: 1000
@@ -25,7 +26,7 @@ spec:
       containers:
         - name: minio
           image: "{{ .Values.minio.image.registry }}/{{ .Values.minio.image.repository }}:{{ .Values.minio.image.tag | default .Values.minio.version }}"
-          imagePullPolicy: {{.Values.minio.image.pullPolicy | default "IfNotPresent" }}
+          imagePullPolicy: {{ .Values.minio.image.pullPolicy | default "IfNotPresent" }}
           args:
             - server
             - --console-address