This file should explain the various App Suite 8 configuration types and how they are represented in the values.yaml files. It should help with transferring legacy App Suite 7 settings into App Suite 8 as well.

Note: the entire configuration mechanism is to be understood as a temporary vehicle in our initial kubernetes implementation for App Suite. We are working on a re-implementation of the entire configuration mechanism.


The entire configuration happens, as usual, via values.yaml files, given as paramter to the helm install call on the App Suite Helm Chart.

helm install as8 oci:// --values values.yaml

Single vs multiple values.yaml files

As usual with Helm Charts, it is possible to specify multiple values.yaml files on one helm install command line. helm will then merge the contents on helm install.

While this can be helpful in special situations, in general we do not recommend to split up the values functionally; it reduces readability and is a potential source of errors.

There is one execption, though: It is considered best practices to manage secret settings in a separate file, while keeping the other settings in the main values.yaml file. The values.secret.yaml file can then be managed by appropriate means of version control and deployment automation.

helm install as8 oci:// --values values.yaml --values values.secret.yaml

YAML High Level Structure

The Core App Suite Stack Chart oci:// and similar charts expect a values.yaml structure which looks, from high level, as follows:

  # global settings here

  # core-mw settings here
  # core-ui settings here
  # core-ui-middleware settings here
  # istio settings here

There are charts which contain the Stack Chart and deploy it alongside other chars. This includes on the one hand the App Suite Pro chart, Charts for customized versions of App Suite, and also the (open source) Public Sector chart oci://

Following the structure of the chart itself, these umbrella or meta charts expect a values.yaml structure as follows:

  # global settings here

    # core-mw settings here
    # core-ui settings here
    # core-ui-middleware settings here
    # istio settings here

  # settings for a-custom-ui component here

  # settings for another-custom-ui component here

Note how the stack chart settings become attached to a top level appsuite: entry, and additional components get configured alongside of it. The global: section remains a top-level section.

Depending on which kind of chart you employ, you need to adjust your values.yaml structure accordingly. If in doubt, consult the helm show values command.

$ helm show values helm show values oci:// --version ...
# match the output against the structures shown above

Middleware Properties

Middleware properties like can be set in the properties object:

    com.openexchange.mail.loginSource: "mail"
    com.openexchange.mail.mailServerSource: "global"

Secret properties get their own object. These are stored in kubernetes secrets as opposed to configmaps for regular properties. This works the same way for any of the other secret variants later in this document.

    com.openexchange.push.credstorage.passcrypt: "8297f949a39d49618ed957e6cfead030"

The system tries to find the properties file that contains the setting and overrides it. If it can't find such a file, it adds the setting to a generic new file, which is home for all such settings.

Most of the settings work regardless of the file they are specified in. Some (legacy) settings however require to be defined in exactly the right file. (Most of these can be identified by looking like SHELL_ENVIRONMENT_VARIABLE variables.)

If you need to force a property to wind up in a certain .properties file, you can use the propertiesFiles or secretPropertiesFiles objects:

      MAX_UPLOAD_SIZE: "92233720368000" "30087962"
      com.openexchange.mail.someSecret: "some secret value"

The property is then overwritten or added to the file referred to in the parent object.

UI Settings

UI settings that are delivered via the JSLob interface live in the .properties files in /opt/open-xchange/etc/settings. These properties can be set using the uiSettings or secretUISettings objects:

    io.ox/mail//dumpster/folder: "default0/DUMPSTER"
    io.ox/core//apps/quickLaunchCount: "5"
    io.ox/core//mySecretName: "Rumpelstilskin"

This again tries to guess the proper .properties file or adds a new one. Similarly to above, you can also force a specific file to be used:

      io.ox/mail//dumpster/folder: "default0/DUMPSTER"
      io.ox/core//mySecretName: "Rumpelstilskin"

Note though, that these MUST still be placed in /opt/open-xchange/etc/settings/ for the middleware to pick them up.


The settings that usually live under /opt/open-xchange/etc/meta, like protecting and unprotecting UI properties or aliasing a middleware property to a UI property can be set in a single meta object:

      protected: true
      protected: false
      protected: false

This winds up as a sinlge .yaml file in the meta directory. If you need to structure these settings, do so with comments in the yaml file.


ContextSets that selectively override settings based on a label on a context are configured in files under /opt/open-xchange/etc/contextSets. To do so in helm, use the contextSets object. This also works as a secretContextSets object.

      com.openexchange.sessiond.maxSession: 10
      com.openexchange.secret: 123abc


Certain Properties are handled by /opt/open-xchange/etc/as-config.yml. Just add the yaml you need to the asConfig object:

      host: all
      host: myexchange.myhost.mytld
      someConfig: some overriding value

Other YAML Files

You can also specify any other YAML files as-is in either the regular or secret variants. These are added to /opt/open-xchange/etc/:

        # Disbled by default
        enabled: true
        type: manual
        providers: [mail]
        alternatives: []
        # The comma-separated Font Awesome names
        icon: fa-envelope-o
        # The translatable display name
        displayName_t10e: "eMail"
        # The translatable description
        description_t10e: "To manually setup your Mail account, please use the following information"
        groups: [default]
        id: 4

Other Files

Text Files

You can also place arbitrary files in /opt/open-xchange/etc/:

    importerExporter.xml: |-
        <bean id="importerExporter" class="com.openexchange.groupware.importexport.ImporterExporter">

              <property name="importers">
                  <ref bean="iCalImporter" />
                  <ref bean="vCardImporter" />

              <property name="exporters">
                  <ref bean="iCalExporter" />
                  <ref bean="vCardExporter" />
                  <ref bean="csvContactExporter" />


        <bean id="iCalImporter" 		class="com.openexchange.groupware.importexport.importers.ICalImporter" />
        <bean id="vCardImporter" 		class="com.openexchange.groupware.importexport.importers.VCardImporter" />
        <bean id="iCalExporter" 		class="com.openexchange.groupware.importexport.exporters.ICalExporter" />
        <bean id="vCardExporter" 		class="com.openexchange.groupware.importexport.exporters.VCardExporter" />
        <bean id="csvContactExporter" 	class="com.openexchange.groupware.importexport.exporters.CSVContactExporter" />
    tokenlogin-secrets: |-

Binary Files

To add binary files to /opt/open-xchange/etc you need to base64encode their content and put them in the etcBinaries or secretETCBinaries data structure like so:

    - name: binary1
      filename: something.bin
      b64Content: <base 64 encoded file content>
    - name: binary2
      filename: something-secret.bin
      b64Content: <base 64 encoded file content>

These are each put into individual secrets and configmaps, whose respective sizes cannot exceed 1MiB.

Bundle Activation

In the AppSuite 7 days some features would be toggled on or off depending on whether a certain package was installed on the system. Nowadays the appsuite middleware image contains all bundles, but which ones are actually active can be controlled in a variety of ways. We organize bundles into packages and packages into features. Multiple bundles make up a package, multiple packages make up a feature.

To enable a feature, do the following:

      plugins: enabled
      cloudPlugins: enabled
      reseller: enabled

To know which packages are part of the mentioned features, take a look at the values file of the appsuite middleware chartopen in new window. Here you can see the features.definitionssection that defines a feature:

      - open-xchange-admin-reseller
      - open-xchange-admin-soap-reseller

Which means, that the feature reseller consists of the packages open-xchange-admin-reseller and open-xchange-admin-soap-reseller. In that values file you can also see the default activation state for all the packages that we have assembled into features. You can also enable individual packages like so:

      open-xchange-sso: enabled
      open-xchange-hostname-config-cascade: enabled
      open-xchange-hostname-bla: disabled

By default a package will be enabled unless disabled in either the appsuite middleware's values file as a package or as a member or a disabled feature. You can also see the list of packages disabled by default in the values file of the appsuite middleware chartopen in new window.

To find out which bundle is part of a package is a little more involved. You don't need this information but in very special cases. It is possible in principle by one of the following means:

  • investigating in a running middleware container, via kubectl exec, as long as it is still possible, or kubectl debug
  • spinning up a container locally (hint: podman run -it ... --entrypoint bash).
  • pulling the middleware image and extracting locally

Regardless the means you use to access the filesystem: The metadata used to determine which bundles to switch on can be found at /opt/open-xchange/osgi/bundle.d

cd /opt/open-xchange/osgi/bundle.d


The directories here correspond to the packages the files inside the directories correspond to individual bundles:

cd open-xchange-admin-reseller/

ls -l

-rw-r--r--   1 open-xchange open-xchange    68 May  5 07:55 com.openexchange.admin.reseller.ini
-rw-r--r--   1 open-xchange open-xchange    72 May  5 07:55 com.openexchange.admin.reseller.rmi.ini
-rw-r--r--   1 open-xchange open-xchange    77 May  5 07:55 com.openexchange.config.cascade.reseller.ini
-rw-r--r--   1 open-xchange open-xchange    67 May  5 07:58 com.openexchange.reseller.impl.ini

So the open-xchange-admin-reseller packages consists of the bundles com.openexchange.admin.reseller, com.openexchange.admin.reseller.rmi, com.openexchange.config.cascade.reseller and com.openexchange.reseller.impl. If, conversely, you'd like to know which package contains a bundle, use e.g. find:

cd /opt/open-xchange/osgi/bundle.d

find . -name "com.openexchange.reseller.impl.ini"


which tells you the bundle will be part of open-xchange-admin-reseller.

Deep Dive: How are settings applied to the containers?

All the settings mentioned above find their way into ConfigMaps or Secrets.


Properties are set using the ox_props command line tool. This tool takes as input a yaml file that looks something like this:

anywhere: Some Value

  io.ox/core/theme: light

and applies it using either a heuristic to find the file that contains a property (everything below anywhere) or adds the property to a newly created file or uses the file specified. These YAML files are created with input from either the properties or propertiesFiles settings (and created as a ConfigMap) or the secretProperties and secretPropertiesFiles and rendered as a Secret with the appsuite-properties respectively. UI Settings wind up in a ConfigMap or Secret called appsuite-ui-settings. The AppSuite Pods mount these files at /injections/configuration/properties/ and /injections/configuration/ui-settings/ and the startup script copies them to /configuartion where the ox_props tool expects to find them. ox_props also uses the go templating engine (similar to how Helm renders its files) prior to parsing the resulting YAML.

Text and binary files below /opt/open-xchange/etc/

All the other settings are likewise stored in either ConfigMaps or Secrets:

  • meta: becomes appsuite-meta ConfigMap and is mounted at /injections/etc/meta/meta
  • asConfig: becomes appsuite-as-config ConfigMap and is mounted at /injections/etc/etc-properties
  • contextSets: becomes appsuite-context-sets ConfigMap and is mounted at /injections/etc/context-sets/contextSets
  • yamlFiles:, secretYAMLFiles: become appsuite-yaml-files or appsuite-yaml-secrets ConfigMap and Secret and is mounted at /injections/etc/yaml and /injections/etc/secretYaml
  • etcFiles:, secretETCFiles: become etc-files or etc-secrets ConfigMap and Secret and is mounted at /injections/etc/etc and /injections/etc/secretEtc
  • etcBinaries:, secretETCBinaries: become individual ConfigMaps or Secrets called appsuite-[NAME]-etc-binary which are also mounted at /injections/etc/etc and /injections/etc/secretEtc/ like text files above.

These are all copied to /opt/open-xchange/etc by the entrypoint script.

Entrypoint Startup Script

If you want to see the details of what happens before appsuite starts up, see the startup script here:

Advanced Options

AppSuite Container Hooks

In case the above system misses a feature, we can also configure bash scripts to run at certain points during startup. We can run either at the start, right before the ox_props tool applies the settings stored at /configuration/ in the YAML files, or right before the appsuite process is started:

    start: |
        #! /bin/bash
    beforeApply: {}
    beforeAppsuiteStart: {}

And we can also call the ox_props tool in these scripts to generate or set specific properties:

    start: {}
    beforeApply: {}
    beforeAppsuiteStart: |
        #! /bin/bash
        for ((i=20;i<=100;i++)); 
          ox_props set --file /opt/open-xchange/etc/ --property com.openexchange.filestore.sproxyd.${filestoreId}.baseUrl=http://scality-store/${filestoreId}

Extra Mounts

We can also mount our own ConfigMaps with as extra mounts into the container by using extraMounts and extraVolumes

    - mountPath: /filestore
      name: filestore
    - name: filestore
        server: nfs-server
        path: /export/filestore
        readOnly: false

Extra Mounts with go templated configuration yaml files

TODO: Example