ArgoCD and autogenerated secrets #496

Open
wkloucek opened this issue Mar 11, 2024 · 3 comments
Labels
Category:Defect Existing functionality is not working as expected Priority:p3-medium Normal priority

Comments

@wkloucek (Contributor)

wkloucek commented Mar 11, 2024

Quick update: I just defined all my secrets manually (using sealed secrets) and now I can update the helm values file without breaking anything. Let me know if this is expected/the way to do it with ArgoCD and if so I will document this as well in the PR :)

```yaml
secretRefs:
  ldapSecretRef: "ldap-bind-secrets"
  jwtSecretRef: "jwt-secret"
  machineAuthApiKeySecretRef: "machine-auth-api-key"
  storagesystemJwtSecretRef: "storage-system-jwt-secret"
  storagesystemSecretRef: "storage-system"
  thumbnailsSecretRef: "thumbnails-transfer-secret"
  transferSecretSecretRef: "transfer-secret"
```

Originally posted by @camrossi in #137 (comment)

@wkloucek (Contributor, Author)

We need to check what to do for ArgoCD, but I didn't use it myself

cc @d7oc this may be some interesting edge case that could prevent us from using ArgoCD

@d7oc (Contributor)

d7oc commented Mar 11, 2024

Yep this needs to be checked.

@wkloucek (Contributor, Author)

wkloucek commented Jul 1, 2024

ArgoCD uses Helm differently than just a plain helm install --upgrade, therefore the lookup function seems not to work: argoproj/argo-cd#5202

The ocis chart is relying on the lookup function to generate some ConfigMaps and Secrets one time (and not alter them later on, see also #141).

To skip using the auto-generation of Secrets and ConfigMaps, one needs to set the references to non-empty strings:

```yaml
# References to ConfigMaps.
# The ConfigMaps need to be manually created.
# Leave these empty to have them autogenerated by the Helm chart.
# Note that ConfigMaps generated by the helm chart will be removed once the helm chart is uninstalled.
# Furthermore, if you already had ConfigMaps at the default locations, they will NOT be overwritten,
# but the helm chart will claim ownership of them. If this is a problem, fill in the configRefs below
# with the names of your existing ConfigMaps.
# See https://doc.owncloud.com/ocis/next/deployment/container/orchestration/orchestration.html#customize-the-generic-setup for how to generate them.
configRefs:
  # -- Reference to an existing storage-users config.
  storageusersConfigRef: ""
  # -- Reference to an existing graph config.
  graphConfigRef: ""
  # -- Optional reference to an existing web theme config.
  # Will be mounted to /var/lib/ocis/web/assets/themes/owncloud for Web.
  # Does not get autogenerated.
  # Hint: if you set this, you'll no longer be able to change the instance logo via the Web UI.
  webThemeConfigRef: ""
  # -- Optional reference to an existing web theme assets config.
  # Will be mounted to /var/lib/ocis/web/assets/themes/owncloud/assets for Web.
  # Does not get autogenerated.
  # Hint: if you set this, you'll no longer be able to change the instance logo via the Web UI.
  webThemeAssetsConfigRef: ""
  # -- Reference to an existing authservice config.
  authServiceConfigRef: ""

# References to secrets.
# Leave these empty to have them autogenerated by the Helm chart.
# Note that secrets generated by the helm chart will be removed once the helm chart is uninstalled.
# Furthermore, if you already had secrets at the default locations, they will NOT be overwritten,
# but the helm chart will claim ownership of them. If this is a problem, fill in the secretRefs below
# with the names of your existing secrets.
# TODO: Update https://doc.owncloud.com/ocis/next/deployment/container/orchestration/orchestration.html#customize-the-generic-setup for how to generate them.
secretRefs:
  # -- Reference to an existing admin user secret (see ref:Secrets#secrets). Not used if `features.externalUserManagement.enabled` equals `true`.
  adminUserSecretRef: ""
  # -- Reference to an existing IDP secret (see ref:Secrets#secrets). Not used if `features.externalUserManagement.enabled` equals `true`.
  idpSecretRef: ""
  # -- Reference to an existing JWT secret (see ref:Secrets#secrets).
  jwtSecretRef: ""
  # -- Reference to an existing keycloak client secret, used for the GDPR export. Only used if `features.externalUserManagement.gdprExport.enabled` equals `true`.
  gdprExportClientSecretRef: ""
  # -- Reference to an existing LDAP certificate authority secret (see ref:Secrets#secrets).
  ldapCaRef: ""
  # -- Reference to an existing LDAP cert secret (see ref:Secrets#secrets). Not used if `features.externalUserManagement.enabled` equals `true`.
  ldapCertRef: ""
  # -- Reference to an existing LDAP bind secret (see ref:Secrets#secrets).
  ldapSecretRef: ""
  # -- Reference to an existing machine auth api key secret (see ref:Secrets#secrets).
  machineAuthApiKeySecretRef: ""
  # -- Reference to an existing messaging system certificate authority secret (see ref:Secrets#secrets).
  messagingSystemCaRef: ""
  # -- Reference to an existing SMTP email server settings secret (see ref:Secrets#secrets).
  # Not used if `features.emailNotifications.enabled` equals `false`.
  # Not used if `features.emailNotifications.smtp.authentication` equals `none`.
  notificationsSmtpSecretRef: ""
  # -- Reference to an existing storage-system JWT secret (see ref:Secrets#secrets).
  storagesystemJwtSecretRef: ""
  # -- Reference to an existing storage-system secret (see ref:Secrets#secrets).
  storagesystemSecretRef: ""
  # -- Reference to an existing thumbnails transfer secret (see ref:Secrets#secrets).
  thumbnailsSecretRef: ""
  # -- Reference to an existing transfer secret (see ref:Secrets#secrets).
  transferSecretSecretRef: ""
  # -- Reference to an existing s3 secret (see ref:Secrets#secrets).
  # If not filled in, will attempt to use values in `.storageusers.storageBackend.s3.driverConfig.s3ng` instead.
  s3CredentialsSecretRef: ""
  # -- Reference to an existing service account secret (see ref:Secrets#secrets).
  serviceAccountSecretRef: ""
  # -- The secret to secure the global notifications endpoint. Only system admins and users knowing that secret can call the global notifications POST/DELETE endpoints.
  globalNotificationsSecretRef: ""
```
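The workaround described in this thread has two steps: create the Secrets yourself (so nothing depends on the chart's `lookup`-based one-time generation, which returns nothing when ArgoCD renders the chart with `helm template`), then point every `secretRefs` entry at a non-empty name. The script below, added here as an illustration and not part of the ocis chart or of any comment above, does both for the seven names used in the first comment: it emits plain Kubernetes Secret manifests with fresh random values, and prints the matching `secretRefs` block for the values file. The namespace and the data key inside each Secret are assumptions (the page only gives the Secret names; the real key names are in the chart's Secrets documentation). Seal the manifests with `kubeseal` or your secret manager before committing them.

```shell
#!/bin/sh
# Added example, not part of the ocis Helm chart or this issue.
# Generates Opaque Secret manifests for the names used in the secretRefs
# block above, so they exist before ArgoCD renders the chart and the chart's
# lookup-based autogeneration is never needed.
#
# ASSUMPTIONS (not taken from the page): the target namespace, and the data
# key stored inside each Secret. Check the chart's Secrets documentation for
# the real key names the ocis services read before using this.
set -eu

NAMESPACE="${NAMESPACE:-ocis}"   # assumption: where ocis is deployed

# 32 random bytes, base64-encoded on a single line (Secret .data must be base64).
gen_b64() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Print one Opaque Secret manifest: secret_manifest NAME KEY BASE64VALUE
secret_manifest() {
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n  %s: %s\n---\n' \
    "$1" "$NAMESPACE" "$2" "$3"
}

# Secret name (from the secretRefs above) -> assumed data key, one pair per line.
secret_table() {
  cat <<'EOF'
ldap-bind-secrets reva-ldap-bind-password
jwt-secret jwt-secret
machine-auth-api-key machine-auth-api-key
storage-system-jwt-secret storage-system-jwt-secret
storage-system storage-system-user-secret
thumbnails-transfer-secret thumbnails-transfer-secret
transfer-secret transfer-secret
EOF
}

# One manifest per table entry, each with its own fresh random value.
all_secret_manifests() {
  secret_table | while read -r name key; do
    secret_manifest "$name" "$key" "$(gen_b64)"
  done
}

# The values.yaml block that goes with those Secrets: every ref is non-empty,
# so the chart never falls back to lookup-based generation under ArgoCD.
values_secret_refs() {
  cat <<'EOF'
secretRefs:
  ldapSecretRef: "ldap-bind-secrets"
  jwtSecretRef: "jwt-secret"
  machineAuthApiKeySecretRef: "machine-auth-api-key"
  storagesystemJwtSecretRef: "storage-system-jwt-secret"
  storagesystemSecretRef: "storage-system"
  thumbnailsSecretRef: "thumbnails-transfer-secret"
  transferSecretSecretRef: "transfer-secret"
EOF
}

# Usage:
#   sh gen-ocis-secrets.sh manifests > secrets.yaml   # then: kubeseal -f secrets.yaml -w sealed-secrets.yaml
#   sh gen-ocis-secrets.sh values    >> values.yaml
case "${1:-}" in
  manifests) all_secret_manifests ;;
  values)    values_secret_refs ;;
esac
```

The plain `secrets.yaml` is the only copy of these values; once it is sealed and applied, the chart will find the Secrets at the referenced names on every sync and will neither regenerate nor take ownership of them, which is what keeps a later change to the values file from rotating the secrets underneath a running instance.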
