From 01beae5dad221e8fc28f9d0bec622a242c65319e Mon Sep 17 00:00:00 2001
From: Willy Kloucek
Date: Thu, 8 Dec 2022 15:14:59 +0100
Subject: [PATCH 1/2] enforce best practices
---
 charts/ocis/templates/NOTES.txt | 73 ++++++++++++++++++++++++++-------
 1 file changed, 59 insertions(+), 14 deletions(-)
diff --git a/charts/ocis/templates/NOTES.txt b/charts/ocis/templates/NOTES.txt
index 3942580fe..eb79ef3d3 100644
--- a/charts/ocis/templates/NOTES.txt
+++ b/charts/ocis/templates/NOTES.txt
@@ -1,10 +1,3 @@
-{{- $idm := and (not .Values.features.externalUserManagement.enabled) (not .Values.services.idm.persistence.enabled) -}}
-{{- $nats := and (not .Values.messagingSystem.external.enabled) (not .Values.services.nats.persistence.enabled) -}}
-{{- $search := not .Values.services.search.persistence.enabled -}}
-{{- $storageSystem := not .Values.services.storageSystem.persistence.enabled -}}
-{{- $storageUsers := not .Values.services.storageUsers.persistence.enabled -}}
-{{- $store := not .Values.services.store.persistence.enabled -}}
-
 You're now running ,----.. ,---, .--.--. / / \ ,`--.' | / / '.
@@ -25,28 +18,80 @@ You can get the initial "admin" administrator user password by running:
 kubectl -n get secrets/admin-user --template='{{"{{"}}.data.password | base64decode{{"}}"}}'
-{{ if or $storageSystem $storageUsers $store $idm $search $nats }}
+{{ $noExternalUserManagement := not .Values.features.externalUserManagement.enabled -}}
+{{- $noopCache := eq .Values.cache.type "noop" -}}
+{{- $basicAuth := .Values.features.basicAuthentication -}}
+{{- $demoUsers := .Values.features.demoUsers -}}
+{{- $oidcIdpInsecure := .Values.insecure.oidcIdpInsecure -}}
+{{- $ocisHttpApiInsecure := .Values.insecure.ocisHttpApiInsecure -}}
+{{- $externalLDAPinsecure := and .Values.features.externalUserManagement.enabled .Values.features.externalUserManagement.ldap.insecure -}}
+{{- $noSMTPencryption := and .Values.features.emailNotifications.enabled (eq .Values.cache.type "noop") -}}
+
+{{ if or $noExternalUserManagement $noopCache $basicAuth $demoUsers $oidcIdpInsecure $ocisHttpApiInsecure $externalLDAPinsecure $noSMTPencryption }}
+#################################################################################
+###### WARNING: Your deployment of oCIS does not follow all best #####
+###### practices for production deployments of oCIS. #####
+###### #####
+###### Following best practices are not applied: #####
+{{- if $noExternalUserManagement}}
+###### - `features.externalUserManagement.enabled` should be #####
+###### set to `true`. #####
+{{- end }}
+{{- if $noopCache}}
+###### - `cache.type` should not be set to `noop` #####
+{{- end }}
+{{- if $basicAuth}}
+###### - `features.basicAuthentication` should be set to `false` #####
+{{- end }}
+{{- if $demoUsers}}
+###### - `features.demoUsers` should be set to `false` #####
+{{- end }}
+{{- if $oidcIdpInsecure}}
+###### - `insecure.oidcIdpInsecure` should be set to `false` #####
+{{- end }}
+{{- if $ocisHttpApiInsecure}}
+###### - `insecure.ocisHttpApiInsecure` should be set to `false` #####
+{{- end }}
+{{- if $externalLDAPinsecure}}
+###### - `features.externalUserManagement.ldap.insecure` should #####
+###### be set to `false` #####
+{{- end }}
+{{- if $noSMTPencryption}}
+###### - `features.emailNotifications.enabled` should be set to `false` #####
+{{- end }}
+#################################################################################
+{{ end }}
+
+
+{{- $idmUnpersisted := and (not .Values.features.externalUserManagement.enabled) (not .Values.services.idm.persistence.enabled) -}}
+{{- $natsUnpersisted := and (not .Values.messagingSystem.external.enabled) (not .Values.services.nats.persistence.enabled) -}}
+{{- $searchUnpersisted := not .Values.services.search.persistence.enabled -}}
+{{- $storageSystemUnpersisted := not .Values.services.storageSystem.persistence.enabled -}}
+{{- $storageUsersUnpersisted := not .Values.services.storageUsers.persistence.enabled -}}
+{{- $storeUnpersisted := not .Values.services.store.persistence.enabled -}}
+
+{{ if or $storageSystemUnpersisted $storageUsersUnpersisted $storeUnpersisted $idmUnpersisted $searchUnpersisted $natsUnpersisted }}
 #################################################################################
 ###### WARNING: Persistence is disabled for some services. #####
 ###### You will lose your data when a service's pod is terminated. #####
 ###### #####
 ###### Following services don't use persistence: #####
-{{- if $storageUsers }}
+{{- if $storageUsersUnpersisted }}
 ###### - storage-users #####
 {{- end }}
-{{- if $storageSystem }}
+{{- if $storageSystemUnpersisted }}
 ###### - storage-system #####
 {{- end }}
-{{- if $idm }}
+{{- if $idmUnpersisted }}
 ###### - idm #####
 {{- end }}
-{{- if $store }}
+{{- if $storeUnpersisted }}
 ###### - store #####
 {{- end }}
-{{- if $search }}
+{{- if $searchUnpersisted }}
 ###### - search #####
 {{- end }}
-{{- if $nats }}
+{{- if $natsUnpersisted }}
 ###### - nats #####
 {{- end }}
 #################################################################################
From 195512fe7da71d9e98ad3064ad537271b54f051c Mon Sep 17 00:00:00 2001
From: Willy Kloucek
Date: Mon, 20 Mar 2023 16:29:01 +0100
Subject: [PATCH 2/2] fix smtp encryption check and message
---
 charts/ocis/templates/NOTES.txt | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/charts/ocis/templates/NOTES.txt b/charts/ocis/templates/NOTES.txt
index eb79ef3d3..adacd2194 100644
--- a/charts/ocis/templates/NOTES.txt
+++ b/charts/ocis/templates/NOTES.txt
@@ -25,7 +25,7 @@ kubectl -n get secrets/admin-user --template='{{"{{"}}.data.password
 {{- $oidcIdpInsecure := .Values.insecure.oidcIdpInsecure -}}
 {{- $ocisHttpApiInsecure := .Values.insecure.ocisHttpApiInsecure -}}
 {{- $externalLDAPinsecure := and .Values.features.externalUserManagement.enabled .Values.features.externalUserManagement.ldap.insecure -}}
-{{- $noSMTPencryption := and .Values.features.emailNotifications.enabled (eq .Values.cache.type "noop") -}}
+{{- $noSMTPencryption := and .Values.features.emailNotifications.enabled (eq .Values.features.emailNotifications.smtp.encryption "none") -}}
 {{ if or $noExternalUserManagement $noopCache $basicAuth $demoUsers $oidcIdpInsecure $ocisHttpApiInsecure $externalLDAPinsecure $noSMTPencryption }}
 #################################################################################
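Review bot: The eight new `{{- if $…}}` guards in the best-practices block (`{{- if $noExternalUserManagement}}`, `{{- if $noopCache}}`, and so on) drop the space before `}}` that the persistence guards a few lines further down keep (`{{- if $storageUsersUnpersisted }}`), so two blocks in the same file read as if written by different authors. Go templates accept both forms, but the file's existing convention is the spaced one; `{{- if $noopCache }}` and the other seven would match it. The first assignment, `{{ $noExternalUserManagement := … -}}`, is also the only one without a leading `-`; that looks deliberate, to keep one blank line between the kubectl command and the warning box, so a short template comment such as `{{/* no leading trim: keep the blank line after the kubectl command */}}` would spare the next reader the same question.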
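Review bot: The corrected `$noSMTPencryption` check fires only on the exact string `none`, so an empty or unset `features.emailNotifications.smtp.encryption`, or a differently cased value such as `None`, passes silently even though it presumably also means an unencrypted SMTP session; if the chart does not validate this value elsewhere, the warning this commit exists to print would not appear for exactly the misconfiguration it targets. A more defensive form keeps the same variable and message: `{{- $noSMTPencryption := and .Values.features.emailNotifications.enabled (or (empty .Values.features.emailNotifications.smtp.encryption) (eq (lower (toString .Values.features.emailNotifications.smtp.encryption)) "none")) -}}`. Whether an empty value really means "no encryption" depends on the chart's values.yaml default, which is outside this hunk, so confirm that before widening the check.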
@@ -57,7 +57,8 @@ kubectl -n get secrets/admin-user --template='{{"{{"}}.data.password
 ###### be set to `false` #####
 {{- end }}
 {{- if $noSMTPencryption}}
-###### - `features.emailNotifications.enabled` should be set to `false` #####
+###### - `features.emailNotifications.smtp.encryption` should #####
+###### not be set to `none` #####
 {{- end }}
 #################################################################################
 {{ end }}
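Review bot: The reworded message names only the rejected value, so an operator who has just been shown this warning still has to look up which `features.emailNotifications.smtp.encryption` settings are acceptable. A third `######` line in the same box naming the accepted values (as documented in the chart's values.yaml, which is outside this hunk) would make the warning actionable; keep the existing `######`/`#####` column padding so the box stays aligned with the other entries.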