gitea_admin/k8s-and-chill
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

fix(ocis): Move secret generation to PreSync init Job

Browse source 
Removes all 13 Helm-generated secrets from rendered output and instead
generates them at deploy time via an init Job. The Job creates secrets
with random credentials only if they don't already exist, ensuring
idempotent deploys. Runs as ArgoCD PreSync hook so secrets are ready
before oCIS pods start.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Felix Wolf 2026-04-06 13:08:38 +02:00
parent 9f8714d767
commit 106271ffa3
49 changed files with 291 additions and 233 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
CLAUDE.md
View file

@ -74,6 +74,11 @@ kubectl apply -f rendered/envs/production/<app>/ --server-side # Deploy
## Container Images ## Container Images
- **Never use bitnami images.** Use `alpine/k8s` or plain `alpine` for utility Jobs instead. - **Never use bitnami images.** Use `alpine/k8s` or plain `alpine` for utility Jobs instead.
## Secrets (not in git) ## Secrets
- `cert-manager/letsencrypt-account-key` — ACME account key (auto-generated) - **Never commit secrets to git.** This is a public repository.
- `argocd/argocd-initial-admin-secret` — ArgoCD admin password (auto-generated) - **All secrets must be generated in-cluster** using init Jobs (ArgoCD PreSync hooks) that create secrets if they don't already exist. See `prototypes/ocis/ytt/s3-secret-job.ytt.yaml` for the pattern.
- **External secrets** (e.g. S3 credentials) that cannot be generated must be created manually in the cluster before deploying. The init Job should validate their existence and fail fast if missing.
- When adding a new application that uses a Helm chart generating secrets, configure all `secretRefs` to point to pre-created secret names and use an init Job to generate them.
- Known external secrets (not in git, created manually):
- `ocis/ocis-s3-credentials` — Hetzner S3 access key and secret key
- `cert-manager/letsencrypt-account-key` — ACME account key (auto-generated by cert-manager)

13
prototypes/ocis/helm/ocis.yaml
View file

@ -21,6 +21,19 @@ resources:
cpu: 10m cpu: 10m
secretRefs: secretRefs:
adminUserSecretRef: ocis-admin-user
idpSecretRef: ocis-idp-secrets
jwtSecretRef: ocis-jwt-secret
ldapSecretRef: ocis-ldap-bind-secrets
ldapCaRef: ocis-ldap-ca
ldapCertRef: ocis-ldap-cert
machineAuthApiKeySecretRef: ocis-machine-auth-api-key
storagesystemJwtSecretRef: ocis-storage-system-jwt-secret
storagesystemSecretRef: ocis-storage-system
thumbnailsSecretRef: ocis-thumbnails-transfer-secret
transferSecretSecretRef: ocis-transfer-secret
serviceAccountSecretRef: ocis-service-account-secret
collaborationWopiSecret: ocis-collaboration-wopi-secret
s3CredentialsSecretRef: ocis-s3-credentials s3CredentialsSecretRef: ocis-s3-credentials
services: services:

106
prototypes/ocis/ytt/s3-secret-job.ytt.yaml
View file

@ -42,6 +42,8 @@ metadata:
name: ocis-secret-init name: ocis-secret-init
namespace: #@ ns namespace: #@ ns
annotations: annotations:
argocd.argoproj.io/sync-wave: "-1"
argocd.argoproj.io/hook: PreSync
argocd.argoproj.io/sync-options: Replace=true argocd.argoproj.io/sync-options: Replace=true
spec: spec:
ttlSecondsAfterFinished: 300 ttlSecondsAfterFinished: 300
@ -58,18 +60,104 @@ spec:
- | - |
set -e set -e
SECRET_NAME="ocis-s3-credentials" gen_random() {
head -c 32 /dev/urandom | base64 | tr -dc 'a-zA-Z0-9' | head -c "$1"
}
if ! kubectl get secret "${SECRET_NAME}" -n ${NAMESPACE} >/dev/null 2>&1; then gen_uuid() {
echo "ERROR: Secret ${SECRET_NAME} does not exist in namespace ${NAMESPACE}." cat /proc/sys/kernel/random/uuid
echo "Please create it manually with keys 'accessKey' and 'secretKey':" }
echo " kubectl create secret generic ${SECRET_NAME} -n ${NAMESPACE} \\"
echo " --from-literal=accessKey=<your-access-key> \\" create_secret_if_missing() {
echo " --from-literal=secretKey=<your-secret-key>" local name="$1"
shift
if kubectl get secret "$name" -n "${NAMESPACE}" >/dev/null 2>&1; then
echo "Secret $name already exists, skipping"
return
fi
kubectl create secret generic "$name" -n "${NAMESPACE}" "$@"
echo "Created secret $name"
}
# Validate external secrets exist
if ! kubectl get secret ocis-s3-credentials -n "${NAMESPACE}" >/dev/null 2>&1; then
echo "ERROR: External secret ocis-s3-credentials must be created manually"
exit 1 exit 1
else
echo "Secret ${SECRET_NAME} exists, OK"
fi fi
# Admin user
create_secret_if_missing ocis-admin-user \
--from-literal=password="$(gen_random 32)" \
--from-literal=user-id="$(gen_uuid)"
# JWT secret
create_secret_if_missing ocis-jwt-secret \
--from-literal=jwt-secret="$(gen_random 32)"
# Machine auth API key
create_secret_if_missing ocis-machine-auth-api-key \
--from-literal=machine-auth-api-key="$(gen_random 32)"
# Storage system JWT secret
create_secret_if_missing ocis-storage-system-jwt-secret \
--from-literal=storage-system-jwt-secret="$(gen_random 32)"
# Storage system secret
create_secret_if_missing ocis-storage-system \
--from-literal=api-key="$(gen_random 32)" \
--from-literal=user-id="$(gen_uuid)"
# Transfer secret
create_secret_if_missing ocis-transfer-secret \
--from-literal=transfer-secret="$(gen_random 32)"
# Thumbnails transfer secret
create_secret_if_missing ocis-thumbnails-transfer-secret \
--from-literal=thumbnails-transfer-secret="$(gen_random 32)"
# Service account secret
create_secret_if_missing ocis-service-account-secret \
--from-literal=service-account-secret="$(gen_random 32)"
# Collaboration WOPI secret
create_secret_if_missing ocis-collaboration-wopi-secret \
--from-literal=wopi-secret="$(gen_random 32)"
# LDAP bind secrets (three passwords for different bind users)
create_secret_if_missing ocis-ldap-bind-secrets \
--from-literal=reva-ldap-bind-password="$(gen_random 32)" \
--from-literal=idp-ldap-bind-password="$(gen_random 32)" \
--from-literal=graph-ldap-bind-password="$(gen_random 32)"
# IDP secret (encryption key + RSA private key)
create_secret_if_missing ocis-idp-secrets \
--from-literal=encryption.key="$(gen_random 32)" \
--from-literal=private-key.pem="$(openssl genrsa 4096 2>/dev/null)"
# LDAP CA cert + key (self-signed)
if ! kubectl get secret ocis-ldap-ca -n "${NAMESPACE}" >/dev/null 2>&1; then
openssl req -x509 -newkey rsa:2048 -keyout /tmp/ldap-ca.key -out /tmp/ldap-ca.crt \
-days 3650 -nodes -subj "/CN=ldap-ca" 2>/dev/null
kubectl create secret generic ocis-ldap-ca -n "${NAMESPACE}" \
--from-file=ldap-ca.crt=/tmp/ldap-ca.crt
echo "Created secret ocis-ldap-ca"
# LDAP server cert signed by the CA
openssl req -newkey rsa:2048 -keyout /tmp/ldap.key -out /tmp/ldap.csr \
-nodes -subj "/CN=idm" -addext "subjectAltName=DNS:idm" 2>/dev/null
openssl x509 -req -in /tmp/ldap.csr -CA /tmp/ldap-ca.crt -CAkey /tmp/ldap-ca.key \
-CAcreateserial -out /tmp/ldap.crt -days 3650 \
-extfile <(printf "subjectAltName=DNS:idm") 2>/dev/null
kubectl create secret generic ocis-ldap-cert -n "${NAMESPACE}" \
--from-file=ldap.crt=/tmp/ldap.crt \
--from-file=ldap.key=/tmp/ldap.key
echo "Created secret ocis-ldap-cert"
rm -f /tmp/ldap-ca.key /tmp/ldap-ca.crt /tmp/ldap.key /tmp/ldap.crt /tmp/ldap.csr /tmp/ldap-ca.srl
else
echo "Secret ocis-ldap-ca already exists, skipping LDAP certs"
fi
echo "All secrets initialized successfully"
env: env:
- name: NAMESPACE - name: NAMESPACE
valueFrom: valueFrom:

2
rendered/envs/production/ocis/configmap-auth-service.yaml
View file

@ -1,6 +1,6 @@
apiVersion: v1 apiVersion: v1
data: data:
service-account-id: c1561758-95a8-4926-aff8-a689830e1c46 service-account-id: 227a1de1-3a8d-4d80-b497-63fe5b754fa0
kind: ConfigMap kind: ConfigMap
metadata: metadata:
annotations: annotations:

2
rendered/envs/production/ocis/configmap-graph.yaml
View file

@ -1,6 +1,6 @@
apiVersion: v1 apiVersion: v1
data: data:
application-id: 7ee4ec5b-f9ab-4785-bc57-18b2b0ed19df application-id: da877587-2c1f-4944-80a4-2a26155965e0
kind: ConfigMap kind: ConfigMap
metadata: metadata:
annotations: annotations:

2
rendered/envs/production/ocis/configmap-storage-users.yaml
View file

@ -1,6 +1,6 @@
apiVersion: v1 apiVersion: v1
data: data:
storage-uuid: 322b777b-988b-40ab-88b0-96f4bcd6b010 storage-uuid: d680b677-e6e1-45de-bd19-b7a6e2ab7425
kind: ConfigMap kind: ConfigMap
metadata: metadata:
annotations: annotations:

6
rendered/envs/production/ocis/cronjob-storage-users-clean-expired-uploads.yaml
View file

@ -70,12 +70,12 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: jwt-secret key: jwt-secret
name: jwt-secret name: ocis-jwt-secret
- name: OCIS_TRANSFER_SECRET - name: OCIS_TRANSFER_SECRET
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: transfer-secret key: transfer-secret
name: transfer-secret name: ocis-transfer-secret
- name: STORAGE_USERS_MOUNT_ID - name: STORAGE_USERS_MOUNT_ID
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
@ -90,7 +90,7 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: service-account-secret key: service-account-secret
name: service-account-secret name: ocis-service-account-secret
image: owncloud/ocis:7.1.4 image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: storage-users-clean-expired-uploads name: storage-users-clean-expired-uploads

6
rendered/envs/production/ocis/cronjob-storage-users-purge-expired-trash-bin-items.yaml
View file

@ -51,12 +51,12 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: jwt-secret key: jwt-secret
name: jwt-secret name: ocis-jwt-secret
- name: OCIS_TRANSFER_SECRET - name: OCIS_TRANSFER_SECRET
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: transfer-secret key: transfer-secret
name: transfer-secret name: ocis-transfer-secret
- name: STORAGE_USERS_MOUNT_ID - name: STORAGE_USERS_MOUNT_ID
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
@ -71,7 +71,7 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: service-account-secret key: service-account-secret
name: service-account-secret name: ocis-service-account-secret
image: owncloud/ocis:7.1.4 image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: storage-users-purge-expired-trash-bin-items name: storage-users-purge-expired-trash-bin-items

6
rendered/envs/production/ocis/cronjob-storage-users-restart-postprocessing.yaml
View file

@ -53,12 +53,12 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: jwt-secret key: jwt-secret
name: jwt-secret name: ocis-jwt-secret
- name: OCIS_TRANSFER_SECRET - name: OCIS_TRANSFER_SECRET
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: transfer-secret key: transfer-secret
name: transfer-secret name: ocis-transfer-secret
- name: STORAGE_USERS_MOUNT_ID - name: STORAGE_USERS_MOUNT_ID
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
@ -73,7 +73,7 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: service-account-secret key: service-account-secret
name: service-account-secret name: ocis-service-account-secret
image: owncloud/ocis:7.1.4 image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: storage-users-restart-postprocessing name: storage-users-restart-postprocessing

4
rendered/envs/production/ocis/deployment-activitylog.yaml
View file

@ -79,12 +79,12 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: service-account-secret key: service-account-secret
name: service-account-secret name: ocis-service-account-secret
- name: ACTIVITYLOG_JWT_SECRET - name: ACTIVITYLOG_JWT_SECRET
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: jwt-secret key: jwt-secret
name: jwt-secret name: ocis-jwt-secret
image: owncloud/ocis:7.1.4 image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:

2
rendered/envs/production/ocis/deployment-appregistry.yaml
View file

@ -68,7 +68,7 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: jwt-secret key: jwt-secret
name: jwt-secret name: ocis-jwt-secret
image: owncloud/ocis:7.1.4 image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:

4
rendered/envs/production/ocis/deployment-authmachine.yaml
View file

@ -66,12 +66,12 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: jwt-secret key: jwt-secret
name: jwt-secret name: ocis-jwt-secret
- name: AUTH_MACHINE_API_KEY - name: AUTH_MACHINE_API_KEY
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: machine-auth-api-key key: machine-auth-api-key
name: machine-auth-api-key name: ocis-machine-auth-api-key
image: owncloud/ocis:7.1.4 image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:

4
rendered/envs/production/ocis/deployment-authservice.yaml
View file

@ -66,7 +66,7 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: jwt-secret key: jwt-secret
name: jwt-secret name: ocis-jwt-secret
- name: AUTH_SERVICE_SERVICE_ACCOUNT_ID - name: AUTH_SERVICE_SERVICE_ACCOUNT_ID
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
@ -76,7 +76,7 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: service-account-secret key: service-account-secret
name: service-account-secret name: ocis-service-account-secret
image: owncloud/ocis:7.1.4 image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:

4
rendered/envs/production/ocis/deployment-clientlog.yaml
View file

@ -71,12 +71,12 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: service-account-secret key: service-account-secret
name: service-account-secret name: ocis-service-account-secret
- name: CLIENTLOG_JWT_SECRET - name: CLIENTLOG_JWT_SECRET
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: jwt-secret key: jwt-secret
name: jwt-secret name: ocis-jwt-secret
image: owncloud/ocis:7.1.4 image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:

8
rendered/envs/production/ocis/deployment-frontend.yaml
View file

@ -76,7 +76,7 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: jwt-secret key: jwt-secret
name: jwt-secret name: ocis-jwt-secret
- name: FRONTEND_APP_HANDLER_INSECURE - name: FRONTEND_APP_HANDLER_INSECURE
value: "false" value: "false"
- name: FRONTEND_ARCHIVER_INSECURE - name: FRONTEND_ARCHIVER_INSECURE
@ -103,7 +103,7 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: machine-auth-api-key key: machine-auth-api-key
name: machine-auth-api-key name: ocis-machine-auth-api-key
- name: FRONTEND_SERVICE_ACCOUNT_ID - name: FRONTEND_SERVICE_ACCOUNT_ID
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
@ -113,12 +113,12 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: service-account-secret key: service-account-secret
name: service-account-secret name: ocis-service-account-secret
- name: OCIS_TRANSFER_SECRET - name: OCIS_TRANSFER_SECRET
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: transfer-secret key: transfer-secret
name: transfer-secret name: ocis-transfer-secret
- name: FRONTEND_AUTO_ACCEPT_SHARES - name: FRONTEND_AUTO_ACCEPT_SHARES
value: "true" value: "true"
- name: FRONTEND_MAX_CONCURRENCY - name: FRONTEND_MAX_CONCURRENCY

4
rendered/envs/production/ocis/deployment-gateway.yaml
View file

@ -79,12 +79,12 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: jwt-secret key: jwt-secret
name: jwt-secret name: ocis-jwt-secret
- name: OCIS_TRANSFER_SECRET - name: OCIS_TRANSFER_SECRET
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: transfer-secret key: transfer-secret
name: transfer-secret name: ocis-transfer-secret
image: owncloud/ocis:7.1.4 image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:

8
rendered/envs/production/ocis/deployment-graph.yaml
View file

@ -84,7 +84,7 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: graph-ldap-bind-password key: graph-ldap-bind-password
name: ldap-bind-secrets name: ocis-ldap-bind-secrets
- name: OCIS_SHOW_USER_EMAIL_IN_RESULTS - name: OCIS_SHOW_USER_EMAIL_IN_RESULTS
value: "false" value: "false"
- name: GRAPH_APPLICATION_ID - name: GRAPH_APPLICATION_ID
@ -96,7 +96,7 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: jwt-secret key: jwt-secret
name: jwt-secret name: ocis-jwt-secret
- name: OCIS_DEFAULT_LANGUAGE - name: OCIS_DEFAULT_LANGUAGE
value: en value: en
- name: GRAPH_SERVICE_ACCOUNT_ID - name: GRAPH_SERVICE_ACCOUNT_ID
@ -108,7 +108,7 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: service-account-secret key: service-account-secret
name: service-account-secret name: ocis-service-account-secret
- name: OCIS_ENABLE_OCM - name: OCIS_ENABLE_OCM
value: "false" value: "false"
image: owncloud/ocis:7.1.4 image: owncloud/ocis:7.1.4
@ -152,4 +152,4 @@ spec:
name: messaging-system-ca name: messaging-system-ca
- name: ldap-ca - name: ldap-ca
secret: secret:
secretName: ldap-ca secretName: ocis-ldap-ca

6
rendered/envs/production/ocis/deployment-groups.yaml
View file

@ -70,14 +70,14 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: reva-ldap-bind-password key: reva-ldap-bind-password
name: ldap-bind-secrets name: ocis-ldap-bind-secrets
- name: GROUPS_IDP_URL - name: GROUPS_IDP_URL
value: https://drive.tr1ceracop.de value: https://drive.tr1ceracop.de
- name: GROUPS_JWT_SECRET - name: GROUPS_JWT_SECRET
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: jwt-secret key: jwt-secret
name: jwt-secret name: ocis-jwt-secret
image: owncloud/ocis:7.1.4 image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:
@ -118,4 +118,4 @@ spec:
name: tmp-volume name: tmp-volume
- name: ldap-ca - name: ldap-ca
secret: secret:
secretName: ldap-ca secretName: ocis-ldap-ca

12
rendered/envs/production/ocis/deployment-idm.yaml
View file

@ -67,27 +67,27 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: password key: password
name: admin-user name: ocis-admin-user
- name: IDM_ADMIN_USER_ID - name: IDM_ADMIN_USER_ID
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: user-id key: user-id
name: admin-user name: ocis-admin-user
- name: IDM_SVC_PASSWORD - name: IDM_SVC_PASSWORD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: graph-ldap-bind-password key: graph-ldap-bind-password
name: ldap-bind-secrets name: ocis-ldap-bind-secrets
- name: IDM_REVASVC_PASSWORD - name: IDM_REVASVC_PASSWORD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: reva-ldap-bind-password key: reva-ldap-bind-password
name: ldap-bind-secrets name: ocis-ldap-bind-secrets
- name: IDM_IDPSVC_PASSWORD - name: IDM_IDPSVC_PASSWORD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: idp-ldap-bind-password key: idp-ldap-bind-password
name: ldap-bind-secrets name: ocis-ldap-bind-secrets
- name: IDM_LDAPS_CERT - name: IDM_LDAPS_CERT
value: /etc/ocis/ldap-cert/ldap.crt value: /etc/ocis/ldap-cert/ldap.crt
- name: IDM_LDAPS_KEY - name: IDM_LDAPS_KEY
@ -150,7 +150,7 @@ spec:
volumes: volumes:
- name: ldap-cert - name: ldap-cert
secret: secret:
secretName: ldap-cert secretName: ocis-ldap-cert
- name: idm-data - name: idm-data
persistentVolumeClaim: persistentVolumeClaim:
claimName: idm-data claimName: idm-data

6
rendered/envs/production/ocis/deployment-idp.yaml
View file

@ -70,7 +70,7 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: idp-ldap-bind-password key: idp-ldap-bind-password
name: ldap-bind-secrets name: ocis-ldap-bind-secrets
- name: IDP_SIGNING_PRIVATE_KEY_FILES - name: IDP_SIGNING_PRIVATE_KEY_FILES
value: /etc/ocis/idp/private-key.pem value: /etc/ocis/idp/private-key.pem
- name: IDP_ENCRYPTION_SECRET_FILE - name: IDP_ENCRYPTION_SECRET_FILE
@ -118,7 +118,7 @@ spec:
name: ocis-data-tmp name: ocis-data-tmp
- name: ldap-ca - name: ldap-ca
secret: secret:
secretName: ldap-ca secretName: ocis-ldap-ca
- name: idp-secrets - name: idp-secrets
secret: secret:
secretName: idp-secrets secretName: ocis-idp-secrets

4
rendered/envs/production/ocis/deployment-ocdav.yaml
View file

@ -74,12 +74,12 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: jwt-secret key: jwt-secret
name: jwt-secret name: ocis-jwt-secret
- name: OCDAV_MACHINE_AUTH_API_KEY - name: OCDAV_MACHINE_AUTH_API_KEY
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: machine-auth-api-key key: machine-auth-api-key
name: machine-auth-api-key name: ocis-machine-auth-api-key
image: owncloud/ocis:7.1.4 image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:

2
rendered/envs/production/ocis/deployment-ocs.yaml
View file

@ -76,7 +76,7 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: jwt-secret key: jwt-secret
name: jwt-secret name: ocis-jwt-secret
image: owncloud/ocis:7.1.4 image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:

6
rendered/envs/production/ocis/deployment-proxy.yaml
View file

@ -82,12 +82,12 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: jwt-secret key: jwt-secret
name: jwt-secret name: ocis-jwt-secret
- name: PROXY_MACHINE_AUTH_API_KEY - name: PROXY_MACHINE_AUTH_API_KEY
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: machine-auth-api-key key: machine-auth-api-key
name: machine-auth-api-key name: ocis-machine-auth-api-key
- name: PROXY_SERVICE_ACCOUNT_ID - name: PROXY_SERVICE_ACCOUNT_ID
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
@ -97,7 +97,7 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: service-account-secret key: service-account-secret
name: service-account-secret name: ocis-service-account-secret
- name: PROXY_CSP_CONFIG_FILE_LOCATION - name: PROXY_CSP_CONFIG_FILE_LOCATION
value: /etc/ocis/csp.yaml value: /etc/ocis/csp.yaml
- name: PROXY_AUTOPROVISION_ACCOUNTS - name: PROXY_AUTOPROVISION_ACCOUNTS

4
rendered/envs/production/ocis/deployment-search.yaml
View file

@ -69,7 +69,7 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: jwt-secret key: jwt-secret
name: jwt-secret name: ocis-jwt-secret
- name: SEARCH_SERVICE_ACCOUNT_ID - name: SEARCH_SERVICE_ACCOUNT_ID
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
@ -79,7 +79,7 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: service-account-secret key: service-account-secret
name: service-account-secret name: ocis-service-account-secret
- name: OCIS_ASYNC_UPLOADS - name: OCIS_ASYNC_UPLOADS
value: "true" value: "true"
image: owncloud/ocis:7.1.4 image: owncloud/ocis:7.1.4

8
rendered/envs/production/ocis/deployment-settings.yaml
View file

@ -80,12 +80,12 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: user-id key: user-id
name: admin-user name: ocis-admin-user
- name: SETTINGS_JWT_SECRET - name: SETTINGS_JWT_SECRET
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: jwt-secret key: jwt-secret
name: jwt-secret name: ocis-jwt-secret
- name: SETTINGS_SERVICE_ACCOUNT_IDS - name: SETTINGS_SERVICE_ACCOUNT_IDS
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
@ -95,12 +95,12 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: api-key key: api-key
name: storage-system name: ocis-storage-system
- name: OCIS_SYSTEM_USER_ID - name: OCIS_SYSTEM_USER_ID
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: user-id key: user-id
name: storage-system name: ocis-storage-system
image: owncloud/ocis:7.1.4 image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:

10
rendered/envs/production/ocis/deployment-sharing.yaml
View file

@ -68,7 +68,7 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: jwt-secret key: jwt-secret
name: jwt-secret name: ocis-jwt-secret
- name: SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD - name: SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD
value: "false" value: "false"
- name: SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD - name: SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD
@ -91,24 +91,24 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: api-key key: api-key
name: storage-system name: ocis-storage-system
- name: SHARING_USER_JSONCS3_SYSTEM_USER_ID - name: SHARING_USER_JSONCS3_SYSTEM_USER_ID
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: user-id key: user-id
name: storage-system name: ocis-storage-system
- name: SHARING_PUBLIC_DRIVER - name: SHARING_PUBLIC_DRIVER
value: jsoncs3 value: jsoncs3
- name: SHARING_PUBLIC_JSONCS3_SYSTEM_USER_API_KEY - name: SHARING_PUBLIC_JSONCS3_SYSTEM_USER_API_KEY
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: api-key key: api-key
name: storage-system name: ocis-storage-system
- name: SHARING_PUBLIC_JSONCS3_SYSTEM_USER_ID - name: SHARING_PUBLIC_JSONCS3_SYSTEM_USER_ID
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: user-id key: user-id
name: storage-system name: ocis-storage-system
- name: SHARING_USER_JSONCS3_MAX_CONCURRENCY - name: SHARING_USER_JSONCS3_MAX_CONCURRENCY
value: "20" value: "20"
image: owncloud/ocis:7.1.4 image: owncloud/ocis:7.1.4

2
rendered/envs/production/ocis/deployment-sse.yaml
View file

@ -72,7 +72,7 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: jwt-secret key: jwt-secret
name: jwt-secret name: ocis-jwt-secret
image: owncloud/ocis:7.1.4 image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:

2
rendered/envs/production/ocis/deployment-storagepubliclink.yaml
View file

@ -70,7 +70,7 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: jwt-secret key: jwt-secret
name: jwt-secret name: ocis-jwt-secret
image: owncloud/ocis:7.1.4 image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:

2
rendered/envs/production/ocis/deployment-storageshares.yaml
View file

@ -66,7 +66,7 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: jwt-secret key: jwt-secret
name: jwt-secret name: ocis-jwt-secret
image: owncloud/ocis:7.1.4 image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:

6
rendered/envs/production/ocis/deployment-storagesystem.yaml
View file

@ -78,17 +78,17 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: storage-system-jwt-secret key: storage-system-jwt-secret
name: storage-system-jwt-secret name: ocis-storage-system-jwt-secret
- name: OCIS_SYSTEM_USER_API_KEY - name: OCIS_SYSTEM_USER_API_KEY
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: api-key key: api-key
name: storage-system name: ocis-storage-system
- name: OCIS_SYSTEM_USER_ID - name: OCIS_SYSTEM_USER_ID
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: user-id key: user-id
name: storage-system name: ocis-storage-system
image: owncloud/ocis:7.1.4 image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:

6
rendered/envs/production/ocis/deployment-storageusers.yaml
View file

@ -125,7 +125,7 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: service-account-secret key: service-account-secret
name: service-account-secret name: ocis-service-account-secret
- name: STORAGE_USERS_STAT_CACHE_STORE - name: STORAGE_USERS_STAT_CACHE_STORE
value: noop value: noop
- name: STORAGE_USERS_MOUNT_ID - name: STORAGE_USERS_MOUNT_ID
@ -137,12 +137,12 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: jwt-secret key: jwt-secret
name: jwt-secret name: ocis-jwt-secret
- name: OCIS_TRANSFER_SECRET - name: OCIS_TRANSFER_SECRET
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: transfer-secret key: transfer-secret
name: transfer-secret name: ocis-transfer-secret
- name: OCIS_ASYNC_UPLOADS - name: OCIS_ASYNC_UPLOADS
value: "true" value: "true"
- name: STORAGE_USERS_EVENTS_NUM_CONSUMERS - name: STORAGE_USERS_EVENTS_NUM_CONSUMERS

2
rendered/envs/production/ocis/deployment-thumbnails.yaml
View file

@ -84,7 +84,7 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: thumbnails-transfer-secret key: thumbnails-transfer-secret
name: thumbnails-transfer-secret name: ocis-thumbnails-transfer-secret
image: owncloud/ocis:7.1.4 image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:

4
rendered/envs/production/ocis/deployment-userlog.yaml
View file

@ -73,12 +73,12 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: service-account-secret key: service-account-secret
name: service-account-secret name: ocis-service-account-secret
- name: USERLOG_JWT_SECRET - name: USERLOG_JWT_SECRET
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: jwt-secret key: jwt-secret
name: jwt-secret name: ocis-jwt-secret
- name: USERLOG_MAX_CONCURRENCY - name: USERLOG_MAX_CONCURRENCY
value: "1" value: "1"
image: owncloud/ocis:7.1.4 image: owncloud/ocis:7.1.4

6
rendered/envs/production/ocis/deployment-users.yaml
View file

@ -70,14 +70,14 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: reva-ldap-bind-password key: reva-ldap-bind-password
name: ldap-bind-secrets name: ocis-ldap-bind-secrets
- name: USERS_IDP_URL - name: USERS_IDP_URL
value: https://drive.tr1ceracop.de value: https://drive.tr1ceracop.de
- name: USERS_JWT_SECRET - name: USERS_JWT_SECRET
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: jwt-secret key: jwt-secret
name: jwt-secret name: ocis-jwt-secret
image: owncloud/ocis:7.1.4 image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:
@ -118,4 +118,4 @@ spec:
name: tmp-volume name: tmp-volume
- name: ldap-ca - name: ldap-ca
secret: secret:
secretName: ldap-ca secretName: ocis-ldap-ca

2
rendered/envs/production/ocis/deployment-web.yaml
View file

@ -88,7 +88,7 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: jwt-secret key: jwt-secret
name: jwt-secret name: ocis-jwt-secret
image: owncloud/ocis:7.1.4 image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:

106
rendered/envs/production/ocis/job-ocis-secret-init.yaml
View file

@ -3,7 +3,9 @@ kind: Job
metadata: metadata:
annotations: annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
argocd.argoproj.io/hook: PreSync
argocd.argoproj.io/sync-options: Replace=true argocd.argoproj.io/sync-options: Replace=true
argocd.argoproj.io/sync-wave: "-1"
name: ocis-secret-init name: ocis-secret-init
namespace: ocis namespace: ocis
spec: spec:
@ -16,18 +18,104 @@ spec:
- | - |
set -e set -e
SECRET_NAME="ocis-s3-credentials" gen_random() {
head -c 32 /dev/urandom | base64 | tr -dc 'a-zA-Z0-9' | head -c "$1"
}
if ! kubectl get secret "${SECRET_NAME}" -n ${NAMESPACE} >/dev/null 2>&1; then gen_uuid() {
echo "ERROR: Secret ${SECRET_NAME} does not exist in namespace ${NAMESPACE}." cat /proc/sys/kernel/random/uuid
echo "Please create it manually with keys 'accessKey' and 'secretKey':" }
echo " kubectl create secret generic ${SECRET_NAME} -n ${NAMESPACE} \\"
echo " --from-literal=accessKey=<your-access-key> \\" create_secret_if_missing() {
echo " --from-literal=secretKey=<your-secret-key>" local name="$1"
shift
if kubectl get secret "$name" -n "${NAMESPACE}" >/dev/null 2>&1; then
echo "Secret $name already exists, skipping"
return
fi
kubectl create secret generic "$name" -n "${NAMESPACE}" "$@"
echo "Created secret $name"
}
# Validate external secrets exist
if ! kubectl get secret ocis-s3-credentials -n "${NAMESPACE}" >/dev/null 2>&1; then
echo "ERROR: External secret ocis-s3-credentials must be created manually"
exit 1 exit 1
else
echo "Secret ${SECRET_NAME} exists, OK"
fi fi
# Admin user
create_secret_if_missing ocis-admin-user \
--from-literal=password="$(gen_random 32)" \
--from-literal=user-id="$(gen_uuid)"
# JWT secret
create_secret_if_missing ocis-jwt-secret \
--from-literal=jwt-secret="$(gen_random 32)"
# Machine auth API key
create_secret_if_missing ocis-machine-auth-api-key \
--from-literal=machine-auth-api-key="$(gen_random 32)"
# Storage system JWT secret
create_secret_if_missing ocis-storage-system-jwt-secret \
--from-literal=storage-system-jwt-secret="$(gen_random 32)"
# Storage system secret
create_secret_if_missing ocis-storage-system \
--from-literal=api-key="$(gen_random 32)" \
--from-literal=user-id="$(gen_uuid)"
# Transfer secret
create_secret_if_missing ocis-transfer-secret \
--from-literal=transfer-secret="$(gen_random 32)"
# Thumbnails transfer secret
create_secret_if_missing ocis-thumbnails-transfer-secret \
--from-literal=thumbnails-transfer-secret="$(gen_random 32)"
# Service account secret
create_secret_if_missing ocis-service-account-secret \
--from-literal=service-account-secret="$(gen_random 32)"
# Collaboration WOPI secret
create_secret_if_missing ocis-collaboration-wopi-secret \
--from-literal=wopi-secret="$(gen_random 32)"
# LDAP bind secrets (three passwords for different bind users)
create_secret_if_missing ocis-ldap-bind-secrets \
--from-literal=reva-ldap-bind-password="$(gen_random 32)" \
--from-literal=idp-ldap-bind-password="$(gen_random 32)" \
--from-literal=graph-ldap-bind-password="$(gen_random 32)"
# IDP secret (encryption key + RSA private key)
create_secret_if_missing ocis-idp-secrets \
--from-literal=encryption.key="$(gen_random 32)" \
--from-literal=private-key.pem="$(openssl genrsa 4096 2>/dev/null)"
# LDAP CA cert + key (self-signed)
if ! kubectl get secret ocis-ldap-ca -n "${NAMESPACE}" >/dev/null 2>&1; then
openssl req -x509 -newkey rsa:2048 -keyout /tmp/ldap-ca.key -out /tmp/ldap-ca.crt \
-days 3650 -nodes -subj "/CN=ldap-ca" 2>/dev/null
kubectl create secret generic ocis-ldap-ca -n "${NAMESPACE}" \
--from-file=ldap-ca.crt=/tmp/ldap-ca.crt
echo "Created secret ocis-ldap-ca"
# LDAP server cert signed by the CA
openssl req -newkey rsa:2048 -keyout /tmp/ldap.key -out /tmp/ldap.csr \
-nodes -subj "/CN=idm" -addext "subjectAltName=DNS:idm" 2>/dev/null
openssl x509 -req -in /tmp/ldap.csr -CA /tmp/ldap-ca.crt -CAkey /tmp/ldap-ca.key \
-CAcreateserial -out /tmp/ldap.crt -days 3650 \
-extfile <(printf "subjectAltName=DNS:idm") 2>/dev/null
kubectl create secret generic ocis-ldap-cert -n "${NAMESPACE}" \
--from-file=ldap.crt=/tmp/ldap.crt \
--from-file=ldap.key=/tmp/ldap.key
echo "Created secret ocis-ldap-cert"
rm -f /tmp/ldap-ca.key /tmp/ldap-ca.crt /tmp/ldap.key /tmp/ldap.crt /tmp/ldap.csr /tmp/ldap-ca.srl
else
echo "Secret ocis-ldap-ca already exists, skipping LDAP certs"
fi
echo "All secrets initialized successfully"
env: env:
- name: NAMESPACE - name: NAMESPACE
valueFrom: valueFrom:

11
rendered/envs/production/ocis/secret-admin-user.yaml
View file

@ -1,11 +0,0 @@
apiVersion: v1
data:
password: cHNCME40QW85Y3NDYTYxOVNpUVVrY0VJZTYxajdU
user-id: MTJjNDE0OGUtZGIxZC00ZTUxLWIwZDQtMjc4YzhlMTExZjcz
kind: Secret
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: null
name: admin-user
namespace: ocis

10
rendered/envs/production/ocis/secret-collaboration-wopi-secret.yaml
View file

@ -1,10 +0,0 @@
apiVersion: v1
data:
wopi-secret: Wno2dmFISjdBTFVKZ3BWeXFhdTM4eDNiWVVVeHlv
kind: Secret
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: null
name: collaboration-wopi-secret
namespace: ocis

11
rendered/envs/production/ocis/secret-idp-secrets.yaml
View file

@ -1,11 +0,0 @@
apiVersion: v1
data:
encryption.key: NU1FOHBzQ2Q3akZSJz0qP352czZ5cUlYJEhPUEl7fnc=
private-key.pem: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS0FJQkFBS0NBZ0VBM0k3d1J5a0hXRE1zblNFY1FSaUpPWHFvY2t1U2xiajhzbFRUYmRvMmI0SVo0UHlCCnFaRHNTZkpIa1pnUkxTUE4yN3hMazM5bDlZQUM2MjF6YThKMk9hK05qYSsreXJXUFZBSGxOUm5lRHMwTENmM28KOFhnMDBkT0dNRkNJbmZ5UEE3VThEYm10RlRHeXBPQTVGMnZqVVhqV3JOejhHWUF5Z0J4NmlxSmRNVHRLVFpxaQpyWVdWY0poN1dTdzFKYkd0N2ZjUk9NK3JJbDhxVFJlRUE1czVNeTR4S3JNeWVTa0MxMW5LVy9UNzZUQjNzaFBuCi91dmYyTENSOUxMZkFoS0JJSDVGK1piUHNDQzlaT05MVkJDRlkvTUZPbUxzYmlIR1BTVklrRktoMFU2cFd3cjEKSzlVSm5ISWJCcXBSU2NPaVgzSk41Mkpzdnl6RHVqS1NKcmJYVCt0UGNpcHRmOTU1Q0RGaFcyL2pZeVJSZlBHTgoxeTlBYTRMLytocFF2ellMUnRicWxJQXpXQ1dFdTJ4cEVIRzAzTlpzeE44aW5LbVYyeXVVRXBNb080RkVUSklyClFTTnA1R09HVEpXVmhCdjNsdXUvUlg2Y0diVUZHYVorbVNlM1BobWJORlMxbUlqZGZacHhkd1lnRWtnYjNpYVMKOFdSU2VIWlBhQXdQeFowai9aVVA1S0hwT1ArUmVHU1Q5bzRmVGNKY1h6MEpFT1BiRXhEaEF5NkM0UFRVR0VVbgpWSGRjOUsyTXV0QjFnS2FvN05EUW9IQU9MbEptamxaMGxZSk44MDFLRklHdWlINGp4bk82SHNhUFRNZ3NRWUZwClBBcUpxWlFyblBiL09JNkw0UE5tTVR2a1AwTTBUSUd6UTZXSE5UZ0JRR0NOZzhUbHJ1d29qQmtpcFpFQ0F3RUEKQVFLQ0FnQkRSeHJHS2g3Q2FjSEhJRzEwOGQ0UitYZGVmZXoxM05yQUx4M2JXWC9YWGRFMUR2RWlYMEdrZ05JUgorRmZzOUFuOGFDQ0ptb2ZvYmliMTE0b29xY1hVYk5kNkM4emdHcWZnMFQ4d2huWjAvMWpKc0hrWkJ6amRkRzl2ClYzR0U5NkJNV2tFNlVwUVliZk4zVmFvMG1jVmFlY2pLTEJKK1dOdU90cUV1bnI1Y29TQldNY0JEdkFiTXRNYVQKZWVld1d0V2FUQTRselRyL25oWFNORVVoc0h5dlB2emljSTBKNWxlbWh3NHlKTFdlK1JqWjZqYVBUVFlYN0N4cApmeEtGbUUxcE12dDNXZWg2YWxJN2J4WHdTNlhVeWpHakVML2NERk5qSFhkWUJzeXpneEluNGx6TkJRd01lOFlBCnIzMWlTZG5DMGFRdjI1Y2ViYkk2bnVoMEJMd0NaTmFQZzBUK2htNlkrVEZBdVZiajlPRHZVLy8ybUFPVXlpeUMKaE1XRHFreVAxQ1IrdDZvTU9JVmtXYjArQk4vRXhqblhxa2kybTNGemR3QkVlVExBdm9pRDRoWEhhVEtQMUJ6UApEcTVPcFQvaVhoNUlKVGlNTmdoR1R5QkNDSEQ2a1puZnhZbmFVTmMvOUVDaHZqdG1ZcW9DbVUzVXlEenFTSlpWCnA0OTUzK0M1bGhBMytvbWMvVGU3RENqeE1tNC9rcFlUZm9sL21nRGNMMXlmUU00dmt2akNDendtOWVqc0JtT2oKZ3lqMk9GRFRLUDBQUFNaV3hwZXhqSkhzdUV4OHBNQkpmR0xySzQyV2xPVEhTazNCSllKL3R2ODRxbXJFR3BiUgpydkgvQ3NQd05xaW12SndXL3VRMlNNWXdHT0JPcHg5elY5b3lEU1dDVlJYQU1OU3dmUUtDQVFFQTlMZjFxY0l4CkdZejhEMnRJQ0cxVStwblpoTUVqVjRnUjNIWUJPV2RuYVdHVGJGQ0ZzWmFob0RMNjBxaUJKR0ZIcTdzWjhXYkgKR3FpQ1ZFb3lnLzVoREU4eDFtVU05UFltSzAvQlNlQVhrM1RJa0hQWDYwVDlaKytYOHloVmRwOGsrZUMyV1hHeAo0MzNBNEZrWGpSK1BPMXM3dXhIUGVtdHhWb2l4bDNjMjBEd21hMHpDaXpVVEc4VTJrKytyYWw1WG9uTjA5MldiCkU4R2twYUlEUjkzU0lBaS9oak5IVWFmdExLOXZ3SmJLTFJJdHJkOFRDRWpoWWlEM050UzIxNGJ1YXhVQjI1NDYKcUp5cEx6Y0VoK2hqZzVmRE56TnVMYWwyb2E5aDBpZithcExud21hRVJUaXQ1MDhodTNiclQ0c2ZyZ0c0bmtaYwpIMmpYL0dSR3ZlVzBsd0tDQVFFQTVybmFQak5sckZ2cDBOOUxvRzBXWm1lOWxvZWxiN3d1ZjQzcm1HcnJQQTZzCk1wK24zMUJhaXVITEQ2eEF3QUU3dXp6UkJqQVpZQ2psSDAvRnllVHJzSlBuUW1zWTU4MldnMWxmcGIzSUxVMHgKZVNMMVhJWFNDSGJxYThJZ0ZUSldSdDY2UjArSHpER2REVVlndzd3T3BRVk84cTB5TFJYYUVTZ3NuWlhqZmtIOApzeFMzMTZkQ04rV2I3amtrcEFsRFFZRDdocjQ4TzFReHpuRW00NWRqcXRub0YvMUJsZ3B4MEJYT2FjeDhQbHlUCnBvaGpkcnUxd1MzVmRXZDdlSVpqbmh0dXc4U1RrWGZmcmJUejk1NHNBaFdTa1Y5amgwT0Rpc2tDeWV5RjlDU3UKQTVETVhDVXdickQrZ1VpUU8zSXNEeE1IQzFjNk1wWlJJbVpNZUExMEZ3S0NBUUJuYURpUmxESkZOckxvSFJBaQpKM2pxTUFxZk16R284aUdDQkFjK1ozaG1La291VWRROGw0Y1NkNWhQWGM2OFBiTVlXUVo4WUU2djhCYXFZWFA1CkhJdUx0UWM5TGhRTWl0clVJRzV2dGhhZ1E0L2dvbUxSMHFRMXdDTjRKMG45eHYvTDZ1MkMzQzBzRU41b3JwenEKRURUcEF3TTVhQ3hBOFpmQjFoOGMvczRWcmVVYUlDUnd5R3VicDNrSmlCUHA3WldnV3FOSlN4RDloeXo0cEg0NApadjQ4ZFJYaE1sZm5wRXJ2UCs2NzlidlcwY0Nsb1FhYzBKY1ViUk9wZ3JjRVdjcnpTcnd2UGl4UlJXbWtQdDVXClE1ZVJhcGFlQThpQjJRTDlEV3dMYnNUdDZjZXUrTHpadHpxYzdHNDNsZWVYQkJYTjVJSkx0eldFUER4UU5WdEQKTVFaZkFvSUJBRVpRMjg5YkVLQnZ2cGwyZy9EWGJoMDFmcFVTci91V2lVRThlbEdRUERLb2NoaFhpZXpINjJBcQpJaDJickh3WHBDR1REa3pwZWNKUmxFcHZvR0xBVG9nWSswREZyT2h3UW0relhEQUIzN0RXdHI0cFJrZTFUT1poCmYxM3A0cWN6R1JJdUxPMHdzcjByWGFhKytadE5nOVVOQWh0NVp6SlFWNDRsQlR2ZGcyQm1NZUpON1IxZkR4SkQKK3JxbVZhRmNaVS9nUkVlelVGM3djZUZ0b0tGNThOa1A0ZWoxdVBoR0pKdDdHZFlxaUs3a3ZlYmg2QlkyYk5UNwo1L01JMzV0Q3NiZHN1dHdVMjdoWXBTV21ZVGZVejZxdThtVTFnZnFtTzcrZk5TZGUyeEFsNFphYW1YMTNwQVFJCkV2aEpxaE5EMzJPVXMrL2ozSXV3UGZmUzMza3krRzhDZ2dFQkFNNkVySXovbDdFS0RNN0NWd2VOMUhIUk1NV0MKQldKRTdaNi9LUlZ2TDE4bjhkWUV4NEJaYTdCcjhNZnRQejVTSHRCOUxqZmZlbWNxcVhqRzdhcXV3NDFRSFFkLwpPV0lRVGl4RWNrRDlaYmwwOG1MU2h1WCtLZlhJejMwK0gybG51UTdQVWo1N0N1V0pndGdGY05EeFdwaG1ncFkxCkp0djNYdEVhM0lNVDRBNHVLSGdHbDZyOTdxSFQvRXF4MmljTGxOWFU2aEFjYjV2QmgzK2JaOGFQbUpWWi84QlcKakJZWmxYMTFmaWFnSWF4NThHUTM4VS9GQTFHaEJyeGVGcU50WG9PSGU0QS82Tmxmb0E1dDRGVExmWjVMUW9SKwpkRmxNMlBSM016dnEwSFB3RFdTQ2kvR3RqQzB4WXZ4U0FmQ3BucFptWkNORTNEMU94b29FUUNzWW5sbz0KLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K
kind: Secret
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: null
name: idp-secrets
namespace: ocis

10
rendered/envs/production/ocis/secret-jwt-secret.yaml
View file

@ -1,10 +0,0 @@
apiVersion: v1
data:
jwt-secret: N0FxeFRwa2xVdDZ1MmJ0MVlNbGIzQ3E3Y2paRXQw
kind: Secret
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: null
name: jwt-secret
namespace: ocis

12
rendered/envs/production/ocis/secret-ldap-bind-secrets.yaml
View file

@ -1,12 +0,0 @@
apiVersion: v1
data:
graph-ldap-bind-password: OXhsb0V0N3YwM2Zrc24xY0lpanBwZmRhTlYybEV5
idp-ldap-bind-password: eFNndGZaRzF0SzhNeXB4c0doSTJhd3B6aDZGQWE3
reva-ldap-bind-password: aWZRZXVtQ3hYVERFdWx6bElHQXQ4TUdHazF4cGQ0
kind: Secret
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: null
name: ldap-bind-secrets
namespace: ocis

10
rendered/envs/production/ocis/secret-ldap-ca.yaml
View file

@ -1,10 +0,0 @@
apiVersion: v1
data:
ldap-ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUREekNDQWZlZ0F3SUJBZ0lRVXQ5V0d1aHd0aWtFcngzL2c3Zkl1VEFOQmdrcWhraUc5dzBCQVFzRkFEQVMKTVJBd0RnWURWUVFERXdkc1pHRndMV05oTUI0WERUSTJNRFF3TmpFd05UTXdOVm9YRFRJM01EUXdOakV3TlRNdwpOVm93RWpFUU1BNEdBMVVFQXhNSGJHUmhjQzFqWVRDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDCkFRb0NnZ0VCQUw5cjVqZnlHVnZEL1RLT3BXcHA0RW9IcWFRc3kyZ1pxelRpWDNjNHk0MmV6M2NsU29lWHcyNlEKcmZSTnhGd3hJUVFLUEZyZ1FkMGFjcmtsdzc1VWViZjc4blZQaE0rUHJqRjdJc1cvbTZvSlRSenE2L0s5NkRBMwpMNk5FWlZXVVlDNHU4Szg3SjA0TWdPb2kxMlZXbFJUNmlRZldDVTNhUkZTVlA5d1Myd2h0TGNqdzh4TWQyMGxoCll0dzc4Qm1zaEJNRVZDYis1d3lxSDFQazJLandjUERPa1hrTzNqTHFManlZNC9QUnl3Uk05RlREQloycmpsMUkKQkdPYm1IVTQwZFVTbXpoZHFMY3dKZkJjU3dEdGQxbmlURHRtbVh0eU44Y09LOVdlY1pNSit4SElzRUtLYTVzQgppZVFFd0VHUVBDMm94TURsRmgzMnNyM0Y4dEZmWDZrQ0F3RUFBYU5oTUY4d0RnWURWUjBQQVFIL0JBUURBZ0trCk1CMEdBMVVkSlFRV01CUUdDQ3NHQVFVRkJ3TUJCZ2dyQmdFRkJRY0RBakFQQmdOVkhSTUJBZjhFQlRBREFRSC8KTUIwR0ExVWREZ1FXQkJTVkRZd25kdTFTU1dnUkdBbnVQa1d4WHJvZmN6QU5CZ2txaGtpRzl3MEJBUXNGQUFPQwpBUUVBSk92UUVkT1FHb1NqVEJZZ0krWk5uVDVtVTdQMlhvT1dkU2FrTTVLY3dSSjlFUFh2ZGJrL2NPN3Y1d3B4CmVGTll0eFJoNGZqMTBxQVZyTWNnbnBRbFN4R3FaSURDNFNqZkRXZWlIdStwcTFGMWRrdlppQUNFbGQ5KzZOZWkKcGhhNmpyMi8vV28yV0FpSWJjNlVXSEx1bjY0azA3cVJreCtFK0g2OXhYd0RWVHN6MFlta2tCN2dhVnpLczY5bApSd2FoNy9tQ0M0eFdQK0xCb1h4N2JYWStuUTRycGJqTGNNeFM2Y1lHOEQ4VGhTNlBkSHNidDk3MnhZMnpsdlJwClA4dll2dUFDdUsyYTBvM3VUTGdhZEdFY1NQVDFKMCtsekFjSHk2S1VoZXhyYUcyVjhYL0hHNWpGcFFUamFmalYKL0hkQWcvbEtJSDZNenE3RGtIUXNmRktTdnc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
kind: Secret
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: null
name: ldap-ca
namespace: ocis

11
rendered/envs/production/ocis/secret-ldap-cert.yaml
View file

@ -1,11 +0,0 @@
apiVersion: v1
data:
ldap.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURHakNDQWdLZ0F3SUJBZ0lRQ3I1YkhoWjB5S09vY041dVRrS0JJREFOQmdrcWhraUc5dzBCQVFzRkFEQVMKTVJBd0RnWURWUVFERXdkc1pHRndMV05oTUI0WERUSTJNRFF3TmpFd05UTXdOVm9YRFRJM01EUXdOakV3TlRNdwpOVm93RGpFTU1Bb0dBMVVFQXhNRGFXUnRNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDCkFRRUFyRHZXbnYvbnE2SzFRaUd4bURQSTJVN3hkZUFKRitxRG5sZE8yNHlPZkQ0VG9GOUx6Z1M4SExRWmRTKzMKWjhzVlJxYXZYS0hNcmFBcjVzMmJuL2ZzbXNUUkppbEVCM3AwTXZPN2t5YlJCcjlJcEE4WGd2Ynpucmk3TzVoMApUalUvcEcyNE9LaEJvMEhzV2JRSVpqa3J2YmV4ZnF6VXFiaE5lenJhTmRqcEIxcWxvbGF5enBVc0FxYjlnS1E2CkhUTjdhNDErUk56NCt6L0FlaUJPTS8yRmVxMHBVb3hLMWdCbklycCtlSm9BOHkrQTA3a2RMSm54Z01adXpxcHoKZTRjMXVKWFRqRDVmYmlpYkdsVjJzcFZqc2NWZlplVWdwWVFZWlFoclBBbERodjNBQ29ITnBjdWRzRXhPOTdBMwozcmRMVTFaMTN2ZnVRVDZtSjFBMEhJVENlUUlEQVFBQm8zQXdiakFPQmdOVkhROEJBZjhFQkFNQ0JhQXdIUVlEClZSMGxCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01Bd0dBMVVkRXdFQi93UUNNQUF3SHdZRFZSMGoKQkJnd0ZvQVVsUTJNSjNidFVrbG9FUmdKN2o1RnNWNjZIM013RGdZRFZSMFJCQWN3QllJRGFXUnRNQTBHQ1NxRwpTSWIzRFFFQkN3VUFBNElCQVFBVVlkZTN3U1p4QVhVcHkwUzFJS21URTVpOHNWbUx0aXdyOXVsQ3l6WUNiOVd0Cjh6ZXVJaDhDV1lxQzgzais1cjdlaThpbGJzTDc1bzErQ1FSREswM1NWMkdGSjRINkErZmoybXVzMHdCakY0VmEKbXRNL1cxckFIamZmREJ3T1BTM3BvNWp2UWNLN2l2ajhweTNnYzYrVVdnSTlsQnZwZUVXcFM1Z2Jxdy9ZQ1Z1OApvT21yem9vZzZUQlNVWUNtK2VJREZ6TTlzdEJUMWk5RmhYclpYSmpoSTVEcTlaWm50UGpjdVhVZjRFSGFSdFpxCjBqWC9uL0x6eVFpREs4d2dWU1AwY0MyZVVhMjdzMFhUelJld0lQc0piZ3hWMTlhWjJENm03bGVWZ05FVDhkdGwKbkdHbjc2YlBvdVUyY1RpaGQ5OFdlSGpGMTF2ZlpTZnRmeElsTEh3VQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
ldap.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBckR2V252L25xNksxUWlHeG1EUEkyVTd4ZGVBSkYrcURubGRPMjR5T2ZENFRvRjlMCnpnUzhITFFaZFMrM1o4c1ZScWF2WEtITXJhQXI1czJibi9mc21zVFJKaWxFQjNwME12TzdreWJSQnI5SXBBOFgKZ3Ziem5yaTdPNWgwVGpVL3BHMjRPS2hCbzBIc1diUUlaamtydmJleGZxelVxYmhOZXpyYU5kanBCMXFsb2xheQp6cFVzQXFiOWdLUTZIVE43YTQxK1JOejQrei9BZWlCT00vMkZlcTBwVW94SzFnQm5JcnArZUpvQTh5K0EwN2tkCkxKbnhnTVp1enFwemU0YzF1SlhUakQ1ZmJpaWJHbFYyc3BWanNjVmZaZVVncFlRWVpRaHJQQWxEaHYzQUNvSE4KcGN1ZHNFeE85N0EzM3JkTFUxWjEzdmZ1UVQ2bUoxQTBISVRDZVFJREFRQUJBb0lCQUE0WEdTQkozRGlZNTQ1QQo5bWYydUpRNmxwdG5tQ2JhT3lsTmlEaUMzN2MvVnRpMFl4MjRHbkdZdEVwM2ZHQWo1NW92a2NJWXhJZGh4cVdyCnBYTXBVN1IzcklxY0xxSVQvUVNjRnZqYllKZFdOOG1nS0hMQTVENVVhNURkRUlyRFpYRDh2dWozcnVMOXhpbXkKaGt0aW12YjYyNno2MDYwTTFGM2oreTBUa1VEV0lhUllwb1llNnlKQkdXbjNRTW1zV3ZXNStmU0c3Yk1VOWlCdwpRTWx2cnZOdlBIbDZJWWhrd0dnSWp1cjVKblRqc0U5SWZBdUR5L2hVNzl0SFpzV252RlRmUDdJTVZNSVBTY2NICnl2SHgwMHpuaE9LOHZXSkFGb3pMUVdpZFpldUFEaEhhblhGaklTd1A3cDBPNDc4T0xxTCtWNjdBMk54bEZaK3UKRTdTdCs5a0NnWUVBNUJMY0Z2UjN3K0k0dkJFWFd6bHVOREd2VFVRdXI4Y1VTbjVkcXAxR1NhWlpkNFhDL0hpcwo1QVI1c2dPaU0zMllLQkFvY1NJRmdJdW9ic2g2VWpNdU8zWktCVU5ibyttZ3ZQNW1qKzF4VkQrNGN0QS92ak9sCnNNT1VYNS95VEJlZ0Z3QkNvKzVqNWVsMHQvSHllcE5wTTJRZjJjUFVVczlCYjlkdDA5NU9PclVDZ1lFQXdWS2kKWFhUZVM3dDdDME5CbFlkWkRTa293ODJldTdQZEdNSzFGM3pRWU5vcXgydG1UTzVTbzI0S20zRTNiZzZwNzF5bgpqU3doV0lkQS9ZSFJsano3cyt2WVJ0VjBPcmtmYlZCQzhGVUtONUVNSlhhL1NDOFlRc1psUWZvUkVXb3BuS0ZECnFUUDV6SzVkelBwYWFNNlhWRm5WMFFlb0UvODYxSEN6aW5DYUR6VUNnWUJ6NnZYN29NTGlSeThvdnRNTkpYSlMKaXRJYlJrVW9SOW1UUndpYU41ZEt4WWFCVGZYZFZnUWhXL2p5TmhDUmRRc0ppYlRVVTBOU295aTNMYU9sOWFkUQp4MzAxa1plWkJwd1Frb2hVTEkxR0VhRFFrZkZqM1dJZ0pqZGFKclFDWXB1V05TYXBwUGNYR29HZElCWnFvRk4rCnNDdlVCVWo3MGFUamtDMmMya2NPWlFLQmdBWTY0NENmZzRwdFFFbmNvUUJ3bkM0UVpYL3A0SE9zR0RQMEVtSHYKWThlN1FDV3RFRjdxVHo5MURHSjJBNU5JWmJHUkN0VkIxdEZEaXBTZzJtQTlGdDkxZWtMT0hqREdSbnovV1NqbApsSzYxdmU1M0pUTHVVWm5WU3U0VllQZHV0R2lYeWRacUZtTENPOE9mVGNxUzNjMmFGNG5rOVVXdnMvV2tyQ1NKCi9HMEJBb0dCQUlFM3FkcTFrcmJKcW5rVTRLK3BQREpsV0FjSUJXUjVERnlPY0U2M1V5ekNvTHdsZDFZVHVlNisKWkVhSnExYW1nRlZVRllkbitiUVJPWnI4ZVY1MldYSktBWmEyclRxUlJPTVVLVHk5RVR0cGpBSXJvV3lEOEp0bApxMkpkTnQ5Rk1LQWJkYWZMc1piaGl3eFdpRjUremJKUkhpU3ZtVG9RTGNDRDhJcXZnUFcyCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
kind: Secret
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: null
name: ldap-cert
namespace: ocis

10
rendered/envs/production/ocis/secret-machine-auth-api-key.yaml
View file

@ -1,10 +0,0 @@
apiVersion: v1
data:
machine-auth-api-key: Ymh0RmU1Zko3VWpsZDJRM09RWUJPclJUOHlmNUpS
kind: Secret
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: null
name: machine-auth-api-key
namespace: ocis

10
rendered/envs/production/ocis/secret-service-account-secret.yaml
View file

@ -1,10 +0,0 @@
apiVersion: v1
data:
service-account-secret: S25hYjNES2pUWDRVOWNrSHI2dlZBaWJyOVFqZ1NT
kind: Secret
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: null
name: service-account-secret
namespace: ocis

10
rendered/envs/production/ocis/secret-storage-system-jwt-secret.yaml
View file

@ -1,10 +0,0 @@
apiVersion: v1
data:
storage-system-jwt-secret: T2FTMVBaQW5tamVxQ2RXckZFQ3Q3M2VrdnBKNmx0
kind: Secret
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: null
name: storage-system-jwt-secret
namespace: ocis

11
rendered/envs/production/ocis/secret-storage-system.yaml
View file

@ -1,11 +0,0 @@
apiVersion: v1
data:
api-key: YlJCR2dobmZOTjJzUWQ1NkVyYVRFZEN5S1FMTWx4
user-id: MWFlNzk2YmYtMWI0ZS00ZGI2LWI2OTUtM2E5ZGE3MDU1NDc1
kind: Secret
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: null
name: storage-system
namespace: ocis

10
rendered/envs/production/ocis/secret-thumbnails-transfer-secret.yaml
View file

@ -1,10 +0,0 @@
apiVersion: v1
data:
thumbnails-transfer-secret: MUJMNk44aktWVXlIYW1lS2RBVklaMk9MZ1dKY0M4
kind: Secret
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: null
name: thumbnails-transfer-secret
namespace: ocis

10
rendered/envs/production/ocis/secret-transfer-secret.yaml
View file

@ -1,10 +0,0 @@
apiVersion: v1
data:
transfer-secret: ajhYWFQyYVBRcEs0a0pCeXc1cjJnWHRBOTVzQjZh
kind: Secret
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: null
name: transfer-secret
namespace: ocis