eikek/docspell#2502 Added the option supply existing Kubernetes secrets to load secret values.

2025-07-04 16:48:26 +00:00 · 2024-02-18 02:00:08 +01:00
parent 53160d34bf
commit ad61dae136
9 changed files with 220 additions and 34 deletions
--- a/kubernetes/helm/docspell/templates/_configs.tpl
+++ b/kubernetes/helm/docspell/templates/_configs.tpl
@ -15,7 +15,9 @@
 {{- $envPrefix = "DOCSPELL_JOEX_JDBC" -}}
 {{- end }}
 {{ $envPrefix }}_USER: {{ .context.Values.postgresql.global.postgresql.auth.username }}
 {{- if not .context.Values.postgresql.global.postgresql.auth.existingSecret }}
 {{ $envPrefix }}_PASSWORD: {{ .context.Values.postgresql.global.postgresql.auth.password }}
 {{- end }}
 {{ $envPrefix }}_URL: {{ include "postgresql.jdbcUrl" .context }}
 {{- end -}}
 {{- end -}}
--- a/kubernetes/helm/docspell/templates/_helpers.tpl
+++ b/kubernetes/helm/docspell/templates/_helpers.tpl
@ -57,4 +57,4 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- else }}
 {{- default "default" .Values.serviceAccount.name }}
 {{- end -}}
-{{- end -}}
+{{- end -}}
--- a/kubernetes/helm/docspell/templates/joex/_existingSecrets.yaml
+++ b/kubernetes/helm/docspell/templates/joex/_existingSecrets.yaml
@ -0,0 +1,10 @@
 {{- define "docspell.joex.secrets.existingSecrets" -}}
 {{/*PostgreSQL Password*/}}
 {{- if .Values.postgresql.global.postgresql.auth.existingSecret -}}
 - name: DOCSPELL_JOEX_JDBC_PASSWORD
  valueFrom:
    secretKeyRef:
      name: {{ .Values.postgresql.global.postgresql.auth.existingSecret }}
      key: {{ .Values.postgresql.global.postgresql.auth.secretKeys.userPasswordKey | default "password" }}
 {{- end -}}
 {{- end -}}
--- a/kubernetes/helm/docspell/templates/joex/deployment.yaml
+++ b/kubernetes/helm/docspell/templates/joex/deployment.yaml
@ -27,6 +27,7 @@ spec:
    metadata:
      annotations:
        checksum/config: {{ include (print $.Template.BasePath "/joex/config.yaml") . | sha256sum }}
        checksum/secret: {{ include (print $.Template.BasePath "/joex/secret.yaml") . | sha256sum }}
        {{- with .Values.joex.podAnnotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
@ -51,6 +52,8 @@ spec:
          ports:
          - containerPort: {{ .Values.joex.service.port }}
            name: http
          env:
          {{- include "docspell.joex.secrets.existingSecrets" . | nindent 10 }}
          envFrom:
          - configMapRef:
              name: {{ include "docspell.fullname" . }}-joex
--- a/kubernetes/helm/docspell/templates/restserver/_configs.tpl
+++ b/kubernetes/helm/docspell/templates/restserver/_configs.tpl
@ -32,9 +32,14 @@
 {{/*Auth Secrets*/}}
 {{- define "docspell.server.secrets.auth" -}}
-{{- with .Values.docspell.server.auth.serverSecret }}
+{{- if .Values.docspell.server.auth.serverSecret -}}
 {{- if and .Values.docspell.server.auth.serverSecret.value .Values.docspell.server.auth.serverSecret.existingSecret -}}
 {{- fail "Only either a fixed server secret or an existing secret should be specified" -}}
 {{- end -}}
 {{- with .Values.docspell.server.auth.serverSecret.value }}
 DOCSPELL_SERVER_AUTH_SERVER__SECRET: {{ . }}
-{{- end }}
+{{- end -}}
 {{- end -}}
 {{- end -}}
 {{/*Download Config*/}}
@ -71,7 +76,7 @@ DOCSPELL_SERVER_AUTH_SERVER__SECRET: {{ . }}
 {{- define "docspell.server.secrets.openid" -}}
 {{- $envPrefix := "DOCSPELL_SERVER_OPENID" -}}
 {{- range $index, $entry := .Values.docspell.server.openid -}}
-{{- if $entry.enabled -}}
+{{- if and $entry.enabled (not $entry.provider.existingSecret) -}}
 {{- $envPrefix = printf "%s_%s_PROVIDER" $envPrefix ($index | toString) }}
 {{ $envPrefix }}_CLIENT__ID: {{ $entry.provider.clientId }}
 {{ $envPrefix }}_CLIENT__SECRET: {{ $entry.provider.clientSecret }}
@ -110,24 +115,40 @@ DOCSPELL_SERVER_AUTH_SERVER__SECRET: {{ . }}
 {{/*Integration Endpoint Secrets*/}}
 {{- define "docspell.server.secrets.integrationEndpoint" -}}
-{{- if .Values.docspell.server.integrationEndpoint.httpBasic.enabled | quote -}}
+{{- if .Values.docspell.server.integrationEndpoint.httpBasic.enabled -}}
-{{- $envPrefix := "DOCSPELL_SERVER_INTEGRATION__ENDPOINT__HTTP__BASIC" -}}
+{{- if and .Values.docspell.server.integrationEndpoint.httpBasic.credentials .Values.docspell.server.integrationEndpoint.httpBasic.existingSecret -}}
 {{- fail "Only either the fixed credentials or an existing secret for the httpBasic integration endpoint should be set" -}}
 {{- end -}}
 {{- $envPrefix := "DOCSPELL_SERVER_INTEGRATION__ENDPOINT_HTTP__BASIC" -}}
 {{ $envPrefix}}_REALM: {{ .Values.docspell.server.integrationEndpoint.httpBasic.realm }}
-{{ $envPrefix}}_USER: {{ .Values.docspell.server.integrationEndpoint.httpBasic.user }}
+{{- with .Values.docspell.server.integrationEndpoint.httpBasic.credentials }}
-{{ $envPrefix}}_PASSWORD: {{ .Values.docspell.server.integrationEndpoint.httpBasic.password }}
+{{ $envPrefix}}_USER: {{ .username }}
 {{ $envPrefix}}_PASSWORD: {{ .password }}
 {{- end -}}
 {{- end }}
-{{- if .Values.docspell.server.integrationEndpoint.httpHeader.enabled | quote -}}
+{{- if .Values.docspell.server.integrationEndpoint.httpHeader.enabled -}}
-{{ $envPrefix := "DOCSPELL_SERVER_INTEGRATION__ENDPOINT__HTTP__HEADER" }}
+{{- if and .Values.docspell.server.integrationEndpoint.httpHeader.headerValue.value .Values.docspell.server.integrationEndpoint.httpHeader.headerValue.existingSecret -}}
 {{- fail "Only either the fixed header value or an existing secret for the http header ingration endpoint should be set" -}}
 {{- end -}}
 {{ $envPrefix := "DOCSPELL_SERVER_INTEGRATION__ENDPOINT_HTTP__HEADER" }}
 {{ $envPrefix }}_HEADER__NAME: {{ .Values.docspell.server.integrationEndpoint.httpHeader.headerName }}
-{{ $envPrefix }}_HEADER__VALUE: {{ .Values.docspell.server.integrationEndpoint.httpHeader.headerValue }}
+{{- with .Values.docspell.server.integrationEndpoint.httpHeader.headerValue.value -}}
 {{ $envPrefix }}_HEADER__VALUE: {{ .Values.docspell.server.integrationEndpoint.httpHeader.headerValue.value }}
 {{- end -}}
 {{- end }}
 {{- end -}}
 {{/*Admin Endpoint Secrets*/}}
 {{- define "docspell.server.secrets.adminEndpoint" -}}
-{{- with .Values.docspell.server.adminEndpoint.secret }}
+{{- if .Values.docspell.server.adminEndpoint.enabled -}}
-DOCSPELL_SERVER_ADMIN__ENDPOINT_SECRET: {{ . }}
+{{- $context := . -}}
-{{- end }}
+{{- with .Values.docspell.server.adminEndpoint.secret -}}
 {{- if $context.Values.docspell.server.adminEndpoint.existingSecret }}
 {{- fail "Only either the fixed value or an existing secret for the admin endpoint should be set" -}}
 {{- end -}}
 DOCSPELL_SERVER_ADMIN__ENDPOINT_SECRET: {{ .value }}
 {{- end -}}
 {{- end -}}
 {{- end -}}
 {{/*Signup Settings*/}}
@ -142,6 +163,12 @@ DOCSPELL_SERVER_ADMIN__ENDPOINT_SECRET: {{ . }}
 {{/*Signup Secrets*/}}
 {{- define "docspell.server.secrets.signup" -}}
 {{- if eq .Values.docspell.server.backend.signup.mode "invite" }}
-DOCSPELL_SERVER_BACKEND_SIGNUP_NEW__INVITE__PASSWORD: {{ .Values.docspell.server.backend.signup.newInvitePassword }}
+{{- $context := . -}}
 {{- with .Values.docspell.server.backend.signup.newInvitePassword.value -}}
 {{- if $context.Values.docspell.server.backend.signup.newInvitePassword.existingSecret -}}
 {{- fail "Only either the fixed value or an existing secret for the new invite password should be set" -}}
 {{- end -}}
 DOCSPELL_SERVER_BACKEND_SIGNUP_NEW__INVITE__PASSWORD: {{ . }}
 {{- end -}}
 {{- end -}}
 {{- end -}}
--- a/kubernetes/helm/docspell/templates/restserver/_existingSecrets.tpl
+++ b/kubernetes/helm/docspell/templates/restserver/_existingSecrets.tpl
@ -0,0 +1,86 @@
 {{- define "docspell.server.secrets.existingSecrets" -}}
 {{/*Server Secret*/}}
 {{- if .Values.docspell.server.auth.serverSecret -}}
 {{- if and .Values.docspell.server.auth.serverSecret.existingSecret (not .Values.docspell.server.auth.serverSecret.value) -}}
 - name: DOCSPELL_SERVER_AUTH_SERVER__SECRET
  valueFrom:
    secretKeyRef:
      name: {{ .Values.docspell.server.auth.serverSecret.existingSecret.name }}
      key: {{ .Values.docspell.server.auth.serverSecret.existingSecret.key }}
 {{- end -}}
 {{- end }}
 {{/*OIDC Secrets*/}}
 {{- range $index, $entry := .Values.docspell.server.openid -}}
 {{- if and $entry.enabled $entry.provider.existingSecret -}}
 {{- $envPrefix := printf "%s_%s_PROVIDER" "DOCSPELL_SERVER_OPENID" ($index | toString) -}}
 - name: {{ $envPrefix }}_CLIENT__ID
  valueFrom:
    secretKeyRef:
      name: {{ $entry.provider.existingSecret.name }}
      key: {{ $entry.provider.existingSecret.clientIdKey }}
 - name: {{ $envPrefix }}_CLIENT__SECRET
  valueFrom:
    secretKeyRef:
      name: {{ $entry.provider.existingSecret.name }}
      key: {{ $entry.provider.existingSecret.clientSecretKey }}
 - name: {{ $envPrefix }}_SIGN__KEY
 {{- if $entry.provider.existingSecret.signKeyKey -}}
  valueFrom:
    secretKeyRef:
      name: {{ $entry.provider.existingSecret.name }}
      key: {{ $entry.provider.existingSecret.signKeyKey }}
 {{- else }}
  value: ""
 {{- end -}}
 {{- end -}}
 {{- end -}}
 {{/*Integration Endpoint Http Basic Auth*/}}
 {{- if .Values.docspell.server.integrationEndpoint.httpBasic.existingSecret }}
 - name: DOCSPELL_SERVER_INTEGRATION__ENDPOINT_HTTP__BASIC_USER
  valueFrom:
    secretKeyRef:
      name: {{ .Values.docspell.server.integrationEndpoint.httpBasic.existingSecret.name }}
      key: {{ .Values.docspell.server.integrationEndpoint.httpBasic.existingSecret.usernameKey }}
 - name: DOCSPELL_SERVER_INTEGRATION__ENDPOINT_HTTP__BASIC_PASSWORD
  valueFrom:
    secretKeyRef:
      name: {{ .Values.docspell.server.integrationEndpoint.httpBasic.existingSecret.name }}
      key: {{ .Values.docspell.server.integrationEndpoint.httpBasic.existingSecret.passwordKey }}
 {{- end }}
 {{/*Integration Endpoint Http Header Auth*/}}
 {{- if and .Values.docspell.server.integrationEndpoint.enabled .Values.docspell.server.integrationEndpoint.httpHeader.enabled -}}
 {{- if .Values.docspell.server.integrationEndpoint.httpHeader.headerValue.existingSecret }}
 - name: DOCSPELL_SERVER_INTEGRATION__ENDPOINT_HTTP__HEADER_HEADER__VALUE
  valueFrom:
    secretKeyRef:
      name: {{ .Values.docspell.server.integrationEndpoint.httpHeader.headerValue.existingSecret.name }}
      key: {{ .Values.docspell.server.integrationEndpoint.httpHeader.headerValue.existingSecret.key }}
 {{- end -}}
 {{- end }}
 {{/*Admin Endpoint Secret*/}}
 {{- with .Values.docspell.server.adminEndpoint.existingSecret }}
 - name: DOCSPELL_SERVER_ADMIN__ENDPOINT_SECRET
  valueFrom:
    secretKeyRef:
      name: {{ .name }}
      key: {{ .key }}
 {{- end }}
 {{/*Sign Up Invitation Generation Password*/}}
 {{- if eq .Values.docspell.server.backend.signup.mode "invite" -}}
 {{- with .Values.docspell.server.backend.signup.newInvitePassword.existingSecret }}
 - name: DOCSPELL_SERVER_BACKEND_SIGNUP_NEW__INVITE__PASSWORD
  valueFrom:
    secretKeyRef:
      name: {{ .name }}
      key: {{ .key }}
 {{- end -}}
 {{- end }}
 {{/*PostgreSQL Password*/}}
 {{- if .Values.postgresql.global.postgresql.auth.existingSecret -}}
 - name: DOCSPELL_SERVER_BACKEND_JDBC_PASSWORD
  valueFrom:
    secretKeyRef:
      name: {{ .Values.postgresql.global.postgresql.auth.existingSecret }}
      key: {{ .Values.postgresql.global.postgresql.auth.secretKeys.userPasswordKey | default "password" }}
 {{- end -}}
 {{- end -}}
--- a/kubernetes/helm/docspell/templates/restserver/deployment.yaml
+++ b/kubernetes/helm/docspell/templates/restserver/deployment.yaml
@ -27,6 +27,7 @@ spec:
    metadata:
      annotations:
        checksum/config: {{ include (print $.Template.BasePath "/restserver/config.yaml") . | sha256sum }}
        checksum/secret: {{ include (print $.Template.BasePath "/restserver/secret.yaml") . | sha256sum }}
        {{- with .Values.restserver.podAnnotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
@ -47,6 +48,8 @@ spec:
          ports:
          - containerPort: {{ .Values.restserver.service.port }}
            name: http
          env:
          {{- include "docspell.server.secrets.existingSecrets" . | nindent 10 }}
          envFrom:
          - configMapRef:
              name: {{ include "docspell.fullname" . }}-restserver
--- a/kubernetes/helm/docspell/templates/restserver/secret.yaml
+++ b/kubernetes/helm/docspell/templates/restserver/secret.yaml
@ -7,11 +7,19 @@ metadata:
 type: Opaque
 stringData:
    assertions:
-      {{- if and (gt .Values.restserver.replicaCount 1.0) (not .Values.docspell.server.auth.serverSecret) -}}
+      {{- if gt .Values.restserver.replicaCount 1.0 }}
      {{- if not .Values.docspell.server.auth.serverSecret -}}
      {{- fail "If multiple replicas are running of the rest server, the server secret has to be fixed." -}}
      {{- else if not (or  .Values.docspell.server.auth.serverSecret.existingSecret .Values.docspell.server.auth.serverSecret.value) }}
      {{- end -}}
      {{- if and .Values.docspell.server.adminEndpoint.enabled (and (not .Values.docspell.server.adminEndpoint.existingSecret) (not .Values.docspell.server.adminEndpoint.secret)) -}}
      {{- fail "When enabling the administration endpoint, a value for authentication has the supplied." -}}
      {{- end -}}
      {{- end -}}
      {{- if eq .Values.docspell.server.backend.signup.mode "invite" -}}
      {{- if not .Values.docspell.server.backend.signup.newInvitePassword -}}
      {{- fail "Invite password has to be set, when using signup mode 'invite'." -}}
      {{- end -}}
      {{- if and (eq .Values.docspell.server.backend.signup.mode "invite") (not .Values.docspell.server.backend.signup.newInvitePassword) -}}
      {{- fail "Invite password has to be set, when using signup mode 'invite'" -}}
      {{- end -}}
    {{- include "docspell.server.secrets.auth" . | nindent 4 }}
    {{- include "docspell.server.secrets.openid" . | nindent 4 }}
--- a/kubernetes/helm/docspell/values.yaml
+++ b/kubernetes/helm/docspell/values.yaml
@ -60,13 +60,19 @@ docspell:
    bind:
      address: 0.0.0.0
      port: 7880
-    ## @param docspell.server.auth.serverSecret Secret to sign the authenticator tokens. If empty, one will be generated
+    ## @param docspell.server.auth.serverSecret.value Secret to sign the authenticator tokens. If empty, one will be generated
    ## @param docspell.server.auth.serverSecret.existingSecret.name The name of an existing Kubernetes secret that contains the server secret
    ## @param docspell.server.auth.serverSecret.existingSecret.key The key inside the existing Kubernetes secret that contains the server secret
    ## @param docspell.server.auth.sessionValid How long an authentication token is valid
    ## @param docspell.server.auth.onAccountSourceConflict Fail if a duplicate account from an external source should fail the login. Can be: fail, convert    
    ## @param docspell.server.auth.rememberMe.enabled Enable/disable the remember me function
    ## @param docspell.server.auth.rememberMe.valid How long the remember me cookie/token is valid
    auth:
-      serverSecret: b64:YRx77QujCGkHSvll0TVEmtTaw3Z5eXr+nWMsEJowgKg=
+      serverSecret: 
        # value: asdf
        # existingSecret:
        #   name: "my-existing-secret"
        #   key: "key-inside-secret"
      sessionValid: "5 minutes"
      onAccountSourceConflict: fail
      rememberMe:
@ -85,14 +91,19 @@ docspell:
          providerId: keycloak
          clientId: docspell
          clientSecret: example-secret-439e-bf06-911e4cdd56a6
          scope: profile
          authorizeUrl: http://localhost:8080/auth/realms/home/protocol/openid-connect/auth
          tokenUrl: http://localhost:8080/auth/realms/home/protocol/openid-connect/token
          scope: openid profile email
          # User URL is not used when signature key is set
          # userUrl: http://localhost:8080/auth/realms/home/protocol/openid-connect/userinfo
          logoutUrl: http://localhost:8080/auth/realms/home/protocol/openid-connect/logout
          signKey: b64:anVzdC1hLXRlc3Q=
          sigAlgo: RS512
          # existingSecret:
          #   name: "my-existing-secret"
          #   clientIdKey: clientId
          #   clientSecretKey: clientSecret
          #   signKeyKey: signKey
        # The collective of the user is given in the access token as property `docspell_collective`
        collectiveKey: "lookup:docspell_collective"
        # The username to use for the docspell account
@ -104,8 +115,6 @@ docspell:
    ## @param docspell.server.integrationEndpoint.sourceName The name used for the item "source" property when uploaded through this endpoint
    ## @param docspell.server.integrationEndpoint.allowedIps.enabled Enable ip-allow-access-list
    ## @param docspell.server.integrationEndpoint.allowedIps.ips List of ips which should be added to the access list
    ## @param docspell.server.integrationEndpoint.httpBasic.enabled Whether integration endpoint requests are expected to use http basic auth when uploading files
    ## @param doscpell.server.integrationEndpoint.httpHeader.enabled Whether integration endpoint requests are expected to supply some specific header when uploading files
    integrationEndpoint:
      enabled: true
      priority: low
@ -115,18 +124,46 @@ docspell:
        ips:
          # IP addresses may be specific as simple globs: a part marked as '*' matches any octet, like in `192.168.*.*`
          - 127.0.0.1
      ## @param docspell.server.integrationEndpoint.httpBasic.enabled Whether integration endpoint requests are expected to use http basic auth when uploading files
      ## @param docspell.server.integrationEndpoint.httpBasic.credentials.user The username for httpBasic authentication
      ## @param docspell.server.integrationEndpoint.httpBasic.credentials.password The password for the httpBasic authentication
      ## @param docspell.server.integrationEndpoint.httpBasic.existingSecret.name Name of an existing Kubernetes secret that contains the httpBasic credentials
      ## @param docspell.server.integrationEndpoint.httpBasic.existingSecret.usernameKey The key inside the existing Kubernetes secret that contains the username for httpBasic
      ## @param docspell.server.integrationEndpoint.httpBasic.existingSecret.passwordKey The key inside the existing Kubernetes secret that contains the password for httpBasic
      httpBasic:
        enabled: false
        realm: "Docspell Integration"
-        user: "docspell-int"
+        credentials:
-        password: "docspell-int"
+          # username: "docspell-int"
          # password: "docspell-int"
        # existingSecret:
        #   name: "http-basic-secret-name"
        #   usernameKey: "username-key-inside-secret"
        #   passwordKey: "password-key-inside-secret"
      ## @param doscpell.server.integrationEndpoint.httpHeader.enabled Whether integration endpoint requests are expected to supply some specific header when uploading files
      ## @param docpsell.server.integrationEndpoint.httpHeader.headerName The name of the header that has to be included in the integration endpoint request
      ## @param docspell.server.integrationEndpoint.httpHeader.headerValue.value The header value that is expected to be included in the integration endpoint request
      ## @param docspell.server.integrationEndpojnt.httpHeader.headerValue.existingSecret.name The name of an existing Kubernetes secret that contains the value expected to be included in the integration endpoint request
      ## @param docspell.server.integrationEndpojnt.httpHeader.headerValue.existingSecret.key The key inside of an existing Kubernetes secret that contains the value expected to be included in the integration endpoint 
      httpHeader:
-        enabled: true
+        enabled: false
        headerName: "Docspell-Integration"
-        headerValue: "SomeSecret"
+        headerValue: 
-    ## @param docspell.server.adminEndpoint.secret Special administration endpoint. If a secret isn't supplied, the endpont is disabled
+          # value: "SomeSecret"
          # existingSecret:
          #   name: "my-existing-secret"
          #   key: "header-value-key-inside-secret"
    ## @param docspell.server.adminEndpoint.enabled Whether to enable the special administration endpoint. A secret value or existing secret containing the value has to be supplied when enabled
    ## @param docspell.server.adminEndpoint.secret.value Value for the administration endpoint
    ## @param docspell.server.adminEndpoint.existingSecret.name The name of an existing Kubernetes secret that contains the value for the admin endpoint 
    ## @param docspell.server.adminEndpoint.existingSecret.key The key inside of an existing Kubernetes secret that contains the value for the admin endpoint
    adminEndpoint:
-      secret: 
+      enabled: false
      # secret:
      #   value: "test"
      # existingSecret:
      #   name: "my-existing-secret"
      #   key: "admin-key-inside-secret"
    ## @param docspell.server.backend.mailDebug Enable or disabling debugging for e-mail related functionality
    backend:
@ -139,11 +176,17 @@ docspell:
        runFixupMigrations: true
        repairSchema: false
      ## @param docspell.server.backend.signup.mode The mode defines if new users can signup or not (open, invite, closed)
-      ## @param docspell.server.backend.signup.newInvitePassword If mode is 'invite', a password must be provided to generate invitation keys
+      ## @param docspell.server.backend.signup.newInvitePassword.value If mode is 'invite', a password must be provided to generate invitation keys
      ## @param docspell.server.backend.signup.newInvitePassword.existingSecret.name The name of an existing Kubernetes secret that contains the invitation generation password
      ## @param docspell.server.backend.signup.newINvitePassword.existingSecret.key The key inside of an existing Kubernetes secret that contains the invitation generation password
      ## @param docspell.server.backend.signup.inviteTime If mode is 'invite', this is the period an invitation token is considered valid
      signup:
        mode: open
-        newInvitePassword: 
+        newInvitePassword:
          # value: asdf
          # existingSecret:
          #   name: "my-existing-secret"
          #   key: "invite-password-key"
        inviteTime: "3 days"
  ## @param docspell.joex.appId Id of the node
  ## @param docspell.joex.mailDebug Enable or disabling debugging for e-mail related functionality  
@ -295,9 +338,6 @@ ingress:
  # - secretName: chart-exmaple-tls
  #   hosts:
  #     - docspell.example.com
  # Mostly for argocd or any other CI that uses `helm template | kubectl apply` or similar
  # If helm doesn't correctly detect your ingress API version you can set it here.
  # apiVersion: networking.k8s.io/v1
 ## @section ServiceAccount
 #
@ -542,6 +582,9 @@ solr:
 ## @param postgresql.global.postgresql.auth.password Password for the `dbname` user (overrides `auth.password`)
 ## @param postgresql.global.postgresql.auth.database Name for a custom database to create (overrides `auth.database`)
 ## @param postgresql.global.postgresql.auth.username Name for a custom user to create (overrides `auth.username`)
 ## @param postgresql.global.postgresql.auth.existingSecret Name of an existing Kubernetes secret that contains the postgresql credentials. `auth.password` will be ignored and picked up from this secret
 ## @param postgresql.global.postgresql.auth.secretKeys.adminPasswordKey Name of key in existing secret to use for PostgreSQL credentials.
 ## @param postgresql.global.postgresql.auth.secretKeys.userPasswordKey Name of key in existing secret to use for PostgreSQL credentials.
 ## @param postgresql.global.postgresql.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`)
 ## @param postgresql.primary.persistence.size PVC Storage Request for PostgreSQL volume
 postgresql:
@ -552,6 +595,10 @@ postgresql:
     database: dbname
     username: dbuser
     password: dbpass
    #  existingSecret: postgres-secret
    #  secretKeys:
    #    adminPasswordKey: postgres-password
    #    userPasswordKey: password
    service:
     postgresql: 5432
  primary: