fix(ocis): Move secret generation to PreSync init Job
Removes all 13 Helm-generated secrets from rendered output and instead generates them at deploy time via an init Job. The Job creates secrets with random credentials only if they don't already exist, ensuring idempotent deploys. Runs as ArgoCD PreSync hook so secrets are ready before oCIS pods start. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Felix Wolf
parent
9f8714d767
commit
106271ffa3
11
CLAUDE.md
11
CLAUDE.md
|
|
@ -74,6 +74,11 @@ kubectl apply -f rendered/envs/production/<app>/ --server-side # Deploy
|
|||
## Container Images
|
||||
- **Never use bitnami images.** Use `alpine/k8s` or plain `alpine` for utility Jobs instead.
|
||||
|
||||
## Secrets (not in git)
|
||||
- `cert-manager/letsencrypt-account-key` — ACME account key (auto-generated)
|
||||
- `argocd/argocd-initial-admin-secret` — ArgoCD admin password (auto-generated)
|
||||
## Secrets
|
||||
- **Never commit secrets to git.** This is a public repository.
|
||||
- **All secrets must be generated in-cluster** using init Jobs (ArgoCD PreSync hooks) that create secrets if they don't already exist. See `prototypes/ocis/ytt/s3-secret-job.ytt.yaml` for the pattern.
|
||||
- **External secrets** (e.g. S3 credentials) that cannot be generated must be created manually in the cluster before deploying. The init Job should validate their existence and fail fast if missing.
|
||||
- When adding a new application that uses a Helm chart generating secrets, configure all `secretRefs` to point to pre-created secret names and use an init Job to generate them.
|
||||
- Known external secrets (not in git, created manually):
|
||||
- `ocis/ocis-s3-credentials` — Hetzner S3 access key and secret key
|
||||
- `cert-manager/letsencrypt-account-key` — ACME account key (auto-generated by cert-manager)
|
||||
|
|
|
|||
|
|
@ -21,6 +21,19 @@ resources:
|
|||
cpu: 10m
|
||||
|
||||
secretRefs:
|
||||
adminUserSecretRef: ocis-admin-user
|
||||
idpSecretRef: ocis-idp-secrets
|
||||
jwtSecretRef: ocis-jwt-secret
|
||||
ldapSecretRef: ocis-ldap-bind-secrets
|
||||
ldapCaRef: ocis-ldap-ca
|
||||
ldapCertRef: ocis-ldap-cert
|
||||
machineAuthApiKeySecretRef: ocis-machine-auth-api-key
|
||||
storagesystemJwtSecretRef: ocis-storage-system-jwt-secret
|
||||
storagesystemSecretRef: ocis-storage-system
|
||||
thumbnailsSecretRef: ocis-thumbnails-transfer-secret
|
||||
transferSecretSecretRef: ocis-transfer-secret
|
||||
serviceAccountSecretRef: ocis-service-account-secret
|
||||
collaborationWopiSecret: ocis-collaboration-wopi-secret
|
||||
s3CredentialsSecretRef: ocis-s3-credentials
|
||||
|
||||
services:
|
||||
|
|
|
|||
|
|
@ -42,6 +42,8 @@ metadata:
|
|||
name: ocis-secret-init
|
||||
namespace: #@ ns
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-wave: "-1"
|
||||
argocd.argoproj.io/hook: PreSync
|
||||
argocd.argoproj.io/sync-options: Replace=true
|
||||
spec:
|
||||
ttlSecondsAfterFinished: 300
|
||||
|
|
@ -58,18 +60,104 @@ spec:
|
|||
- |
|
||||
set -e
|
||||
|
||||
SECRET_NAME="ocis-s3-credentials"
|
||||
gen_random() {
|
||||
head -c 32 /dev/urandom | base64 | tr -dc 'a-zA-Z0-9' | head -c "$1"
|
||||
}
|
||||
|
||||
if ! kubectl get secret "${SECRET_NAME}" -n ${NAMESPACE} >/dev/null 2>&1; then
|
||||
echo "ERROR: Secret ${SECRET_NAME} does not exist in namespace ${NAMESPACE}."
|
||||
echo "Please create it manually with keys 'accessKey' and 'secretKey':"
|
||||
echo " kubectl create secret generic ${SECRET_NAME} -n ${NAMESPACE} \\"
|
||||
echo " --from-literal=accessKey=<your-access-key> \\"
|
||||
echo " --from-literal=secretKey=<your-secret-key>"
|
||||
exit 1
|
||||
else
|
||||
echo "Secret ${SECRET_NAME} exists, OK"
|
||||
gen_uuid() {
|
||||
cat /proc/sys/kernel/random/uuid
|
||||
}
|
||||
|
||||
create_secret_if_missing() {
|
||||
local name="$1"
|
||||
shift
|
||||
if kubectl get secret "$name" -n "${NAMESPACE}" >/dev/null 2>&1; then
|
||||
echo "Secret $name already exists, skipping"
|
||||
return
|
||||
fi
|
||||
kubectl create secret generic "$name" -n "${NAMESPACE}" "$@"
|
||||
echo "Created secret $name"
|
||||
}
|
||||
|
||||
# Validate external secrets exist
|
||||
if ! kubectl get secret ocis-s3-credentials -n "${NAMESPACE}" >/dev/null 2>&1; then
|
||||
echo "ERROR: External secret ocis-s3-credentials must be created manually"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Admin user
|
||||
create_secret_if_missing ocis-admin-user \
|
||||
--from-literal=password="$(gen_random 32)" \
|
||||
--from-literal=user-id="$(gen_uuid)"
|
||||
|
||||
# JWT secret
|
||||
create_secret_if_missing ocis-jwt-secret \
|
||||
--from-literal=jwt-secret="$(gen_random 32)"
|
||||
|
||||
# Machine auth API key
|
||||
create_secret_if_missing ocis-machine-auth-api-key \
|
||||
--from-literal=machine-auth-api-key="$(gen_random 32)"
|
||||
|
||||
# Storage system JWT secret
|
||||
create_secret_if_missing ocis-storage-system-jwt-secret \
|
||||
--from-literal=storage-system-jwt-secret="$(gen_random 32)"
|
||||
|
||||
# Storage system secret
|
||||
create_secret_if_missing ocis-storage-system \
|
||||
--from-literal=api-key="$(gen_random 32)" \
|
||||
--from-literal=user-id="$(gen_uuid)"
|
||||
|
||||
# Transfer secret
|
||||
create_secret_if_missing ocis-transfer-secret \
|
||||
--from-literal=transfer-secret="$(gen_random 32)"
|
||||
|
||||
# Thumbnails transfer secret
|
||||
create_secret_if_missing ocis-thumbnails-transfer-secret \
|
||||
--from-literal=thumbnails-transfer-secret="$(gen_random 32)"
|
||||
|
||||
# Service account secret
|
||||
create_secret_if_missing ocis-service-account-secret \
|
||||
--from-literal=service-account-secret="$(gen_random 32)"
|
||||
|
||||
# Collaboration WOPI secret
|
||||
create_secret_if_missing ocis-collaboration-wopi-secret \
|
||||
--from-literal=wopi-secret="$(gen_random 32)"
|
||||
|
||||
# LDAP bind secrets (three passwords for different bind users)
|
||||
create_secret_if_missing ocis-ldap-bind-secrets \
|
||||
--from-literal=reva-ldap-bind-password="$(gen_random 32)" \
|
||||
--from-literal=idp-ldap-bind-password="$(gen_random 32)" \
|
||||
--from-literal=graph-ldap-bind-password="$(gen_random 32)"
|
||||
|
||||
# IDP secret (encryption key + RSA private key)
|
||||
create_secret_if_missing ocis-idp-secrets \
|
||||
--from-literal=encryption.key="$(gen_random 32)" \
|
||||
--from-literal=private-key.pem="$(openssl genrsa 4096 2>/dev/null)"
|
||||
|
||||
# LDAP CA cert + key (self-signed)
|
||||
if ! kubectl get secret ocis-ldap-ca -n "${NAMESPACE}" >/dev/null 2>&1; then
|
||||
openssl req -x509 -newkey rsa:2048 -keyout /tmp/ldap-ca.key -out /tmp/ldap-ca.crt \
|
||||
-days 3650 -nodes -subj "/CN=ldap-ca" 2>/dev/null
|
||||
kubectl create secret generic ocis-ldap-ca -n "${NAMESPACE}" \
|
||||
--from-file=ldap-ca.crt=/tmp/ldap-ca.crt
|
||||
echo "Created secret ocis-ldap-ca"
|
||||
|
||||
# LDAP server cert signed by the CA
|
||||
openssl req -newkey rsa:2048 -keyout /tmp/ldap.key -out /tmp/ldap.csr \
|
||||
-nodes -subj "/CN=idm" -addext "subjectAltName=DNS:idm" 2>/dev/null
|
||||
openssl x509 -req -in /tmp/ldap.csr -CA /tmp/ldap-ca.crt -CAkey /tmp/ldap-ca.key \
|
||||
-CAcreateserial -out /tmp/ldap.crt -days 3650 \
|
||||
-extfile <(printf "subjectAltName=DNS:idm") 2>/dev/null
|
||||
kubectl create secret generic ocis-ldap-cert -n "${NAMESPACE}" \
|
||||
--from-file=ldap.crt=/tmp/ldap.crt \
|
||||
--from-file=ldap.key=/tmp/ldap.key
|
||||
echo "Created secret ocis-ldap-cert"
|
||||
rm -f /tmp/ldap-ca.key /tmp/ldap-ca.crt /tmp/ldap.key /tmp/ldap.crt /tmp/ldap.csr /tmp/ldap-ca.srl
|
||||
else
|
||||
echo "Secret ocis-ldap-ca already exists, skipping LDAP certs"
|
||||
fi
|
||||
|
||||
echo "All secrets initialized successfully"
|
||||
env:
|
||||
- name: NAMESPACE
|
||||
valueFrom:
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
service-account-id: c1561758-95a8-4926-aff8-a689830e1c46
|
||||
service-account-id: 227a1de1-3a8d-4d80-b497-63fe5b754fa0
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
annotations:
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
application-id: 7ee4ec5b-f9ab-4785-bc57-18b2b0ed19df
|
||||
application-id: da877587-2c1f-4944-80a4-2a26155965e0
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
annotations:
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
storage-uuid: 322b777b-988b-40ab-88b0-96f4bcd6b010
|
||||
storage-uuid: d680b677-e6e1-45de-bd19-b7a6e2ab7425
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
annotations:
|
||||
|
|
|
|||
|
|
@ -70,12 +70,12 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: jwt-secret
|
||||
name: jwt-secret
|
||||
name: ocis-jwt-secret
|
||||
- name: OCIS_TRANSFER_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: transfer-secret
|
||||
name: transfer-secret
|
||||
name: ocis-transfer-secret
|
||||
- name: STORAGE_USERS_MOUNT_ID
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
|
|
@ -90,7 +90,7 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: service-account-secret
|
||||
name: service-account-secret
|
||||
name: ocis-service-account-secret
|
||||
image: owncloud/ocis:7.1.4
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: storage-users-clean-expired-uploads
|
||||
|
|
|
|||
|
|
@ -51,12 +51,12 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: jwt-secret
|
||||
name: jwt-secret
|
||||
name: ocis-jwt-secret
|
||||
- name: OCIS_TRANSFER_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: transfer-secret
|
||||
name: transfer-secret
|
||||
name: ocis-transfer-secret
|
||||
- name: STORAGE_USERS_MOUNT_ID
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
|
|
@ -71,7 +71,7 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: service-account-secret
|
||||
name: service-account-secret
|
||||
name: ocis-service-account-secret
|
||||
image: owncloud/ocis:7.1.4
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: storage-users-purge-expired-trash-bin-items
|
||||
|
|
|
|||
|
|
@ -53,12 +53,12 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: jwt-secret
|
||||
name: jwt-secret
|
||||
name: ocis-jwt-secret
|
||||
- name: OCIS_TRANSFER_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: transfer-secret
|
||||
name: transfer-secret
|
||||
name: ocis-transfer-secret
|
||||
- name: STORAGE_USERS_MOUNT_ID
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
|
|
@ -73,7 +73,7 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: service-account-secret
|
||||
name: service-account-secret
|
||||
name: ocis-service-account-secret
|
||||
image: owncloud/ocis:7.1.4
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: storage-users-restart-postprocessing
|
||||
|
|
|
|||
|
|
@ -79,12 +79,12 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: service-account-secret
|
||||
name: service-account-secret
|
||||
name: ocis-service-account-secret
|
||||
- name: ACTIVITYLOG_JWT_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: jwt-secret
|
||||
name: jwt-secret
|
||||
name: ocis-jwt-secret
|
||||
image: owncloud/ocis:7.1.4
|
||||
imagePullPolicy: IfNotPresent
|
||||
livenessProbe:
|
||||
|
|
|
|||
|
|
@ -68,7 +68,7 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: jwt-secret
|
||||
name: jwt-secret
|
||||
name: ocis-jwt-secret
|
||||
image: owncloud/ocis:7.1.4
|
||||
imagePullPolicy: IfNotPresent
|
||||
livenessProbe:
|
||||
|
|
|
|||
|
|
@ -66,12 +66,12 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: jwt-secret
|
||||
name: jwt-secret
|
||||
name: ocis-jwt-secret
|
||||
- name: AUTH_MACHINE_API_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: machine-auth-api-key
|
||||
name: machine-auth-api-key
|
||||
name: ocis-machine-auth-api-key
|
||||
image: owncloud/ocis:7.1.4
|
||||
imagePullPolicy: IfNotPresent
|
||||
livenessProbe:
|
||||
|
|
|
|||
|
|
@ -66,7 +66,7 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: jwt-secret
|
||||
name: jwt-secret
|
||||
name: ocis-jwt-secret
|
||||
- name: AUTH_SERVICE_SERVICE_ACCOUNT_ID
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
|
|
@ -76,7 +76,7 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: service-account-secret
|
||||
name: service-account-secret
|
||||
name: ocis-service-account-secret
|
||||
image: owncloud/ocis:7.1.4
|
||||
imagePullPolicy: IfNotPresent
|
||||
livenessProbe:
|
||||
|
|
|
|||
|
|
@ -71,12 +71,12 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: service-account-secret
|
||||
name: service-account-secret
|
||||
name: ocis-service-account-secret
|
||||
- name: CLIENTLOG_JWT_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: jwt-secret
|
||||
name: jwt-secret
|
||||
name: ocis-jwt-secret
|
||||
image: owncloud/ocis:7.1.4
|
||||
imagePullPolicy: IfNotPresent
|
||||
livenessProbe:
|
||||
|
|
|
|||
|
|
@ -76,7 +76,7 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: jwt-secret
|
||||
name: jwt-secret
|
||||
name: ocis-jwt-secret
|
||||
- name: FRONTEND_APP_HANDLER_INSECURE
|
||||
value: "false"
|
||||
- name: FRONTEND_ARCHIVER_INSECURE
|
||||
|
|
@ -103,7 +103,7 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: machine-auth-api-key
|
||||
name: machine-auth-api-key
|
||||
name: ocis-machine-auth-api-key
|
||||
- name: FRONTEND_SERVICE_ACCOUNT_ID
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
|
|
@ -113,12 +113,12 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: service-account-secret
|
||||
name: service-account-secret
|
||||
name: ocis-service-account-secret
|
||||
- name: OCIS_TRANSFER_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: transfer-secret
|
||||
name: transfer-secret
|
||||
name: ocis-transfer-secret
|
||||
- name: FRONTEND_AUTO_ACCEPT_SHARES
|
||||
value: "true"
|
||||
- name: FRONTEND_MAX_CONCURRENCY
|
||||
|
|
|
|||
|
|
@ -79,12 +79,12 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: jwt-secret
|
||||
name: jwt-secret
|
||||
name: ocis-jwt-secret
|
||||
- name: OCIS_TRANSFER_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: transfer-secret
|
||||
name: transfer-secret
|
||||
name: ocis-transfer-secret
|
||||
image: owncloud/ocis:7.1.4
|
||||
imagePullPolicy: IfNotPresent
|
||||
livenessProbe:
|
||||
|
|
|
|||
|
|
@ -84,7 +84,7 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: graph-ldap-bind-password
|
||||
name: ldap-bind-secrets
|
||||
name: ocis-ldap-bind-secrets
|
||||
- name: OCIS_SHOW_USER_EMAIL_IN_RESULTS
|
||||
value: "false"
|
||||
- name: GRAPH_APPLICATION_ID
|
||||
|
|
@ -96,7 +96,7 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: jwt-secret
|
||||
name: jwt-secret
|
||||
name: ocis-jwt-secret
|
||||
- name: OCIS_DEFAULT_LANGUAGE
|
||||
value: en
|
||||
- name: GRAPH_SERVICE_ACCOUNT_ID
|
||||
|
|
@ -108,7 +108,7 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: service-account-secret
|
||||
name: service-account-secret
|
||||
name: ocis-service-account-secret
|
||||
- name: OCIS_ENABLE_OCM
|
||||
value: "false"
|
||||
image: owncloud/ocis:7.1.4
|
||||
|
|
@ -152,4 +152,4 @@ spec:
|
|||
name: messaging-system-ca
|
||||
- name: ldap-ca
|
||||
secret:
|
||||
secretName: ldap-ca
|
||||
secretName: ocis-ldap-ca
|
||||
|
|
|
|||
|
|
@ -70,14 +70,14 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: reva-ldap-bind-password
|
||||
name: ldap-bind-secrets
|
||||
name: ocis-ldap-bind-secrets
|
||||
- name: GROUPS_IDP_URL
|
||||
value: https://drive.tr1ceracop.de
|
||||
- name: GROUPS_JWT_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: jwt-secret
|
||||
name: jwt-secret
|
||||
name: ocis-jwt-secret
|
||||
image: owncloud/ocis:7.1.4
|
||||
imagePullPolicy: IfNotPresent
|
||||
livenessProbe:
|
||||
|
|
@ -118,4 +118,4 @@ spec:
|
|||
name: tmp-volume
|
||||
- name: ldap-ca
|
||||
secret:
|
||||
secretName: ldap-ca
|
||||
secretName: ocis-ldap-ca
|
||||
|
|
|
|||
|
|
@ -67,27 +67,27 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: password
|
||||
name: admin-user
|
||||
name: ocis-admin-user
|
||||
- name: IDM_ADMIN_USER_ID
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: user-id
|
||||
name: admin-user
|
||||
name: ocis-admin-user
|
||||
- name: IDM_SVC_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: graph-ldap-bind-password
|
||||
name: ldap-bind-secrets
|
||||
name: ocis-ldap-bind-secrets
|
||||
- name: IDM_REVASVC_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: reva-ldap-bind-password
|
||||
name: ldap-bind-secrets
|
||||
name: ocis-ldap-bind-secrets
|
||||
- name: IDM_IDPSVC_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: idp-ldap-bind-password
|
||||
name: ldap-bind-secrets
|
||||
name: ocis-ldap-bind-secrets
|
||||
- name: IDM_LDAPS_CERT
|
||||
value: /etc/ocis/ldap-cert/ldap.crt
|
||||
- name: IDM_LDAPS_KEY
|
||||
|
|
@ -150,7 +150,7 @@ spec:
|
|||
volumes:
|
||||
- name: ldap-cert
|
||||
secret:
|
||||
secretName: ldap-cert
|
||||
secretName: ocis-ldap-cert
|
||||
- name: idm-data
|
||||
persistentVolumeClaim:
|
||||
claimName: idm-data
|
||||
|
|
|
|||
|
|
@ -70,7 +70,7 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: idp-ldap-bind-password
|
||||
name: ldap-bind-secrets
|
||||
name: ocis-ldap-bind-secrets
|
||||
- name: IDP_SIGNING_PRIVATE_KEY_FILES
|
||||
value: /etc/ocis/idp/private-key.pem
|
||||
- name: IDP_ENCRYPTION_SECRET_FILE
|
||||
|
|
@ -118,7 +118,7 @@ spec:
|
|||
name: ocis-data-tmp
|
||||
- name: ldap-ca
|
||||
secret:
|
||||
secretName: ldap-ca
|
||||
secretName: ocis-ldap-ca
|
||||
- name: idp-secrets
|
||||
secret:
|
||||
secretName: idp-secrets
|
||||
secretName: ocis-idp-secrets
|
||||
|
|
|
|||
|
|
@ -74,12 +74,12 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: jwt-secret
|
||||
name: jwt-secret
|
||||
name: ocis-jwt-secret
|
||||
- name: OCDAV_MACHINE_AUTH_API_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: machine-auth-api-key
|
||||
name: machine-auth-api-key
|
||||
name: ocis-machine-auth-api-key
|
||||
image: owncloud/ocis:7.1.4
|
||||
imagePullPolicy: IfNotPresent
|
||||
livenessProbe:
|
||||
|
|
|
|||
|
|
@ -76,7 +76,7 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: jwt-secret
|
||||
name: jwt-secret
|
||||
name: ocis-jwt-secret
|
||||
image: owncloud/ocis:7.1.4
|
||||
imagePullPolicy: IfNotPresent
|
||||
livenessProbe:
|
||||
|
|
|
|||
|
|
@ -82,12 +82,12 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: jwt-secret
|
||||
name: jwt-secret
|
||||
name: ocis-jwt-secret
|
||||
- name: PROXY_MACHINE_AUTH_API_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: machine-auth-api-key
|
||||
name: machine-auth-api-key
|
||||
name: ocis-machine-auth-api-key
|
||||
- name: PROXY_SERVICE_ACCOUNT_ID
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
|
|
@ -97,7 +97,7 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: service-account-secret
|
||||
name: service-account-secret
|
||||
name: ocis-service-account-secret
|
||||
- name: PROXY_CSP_CONFIG_FILE_LOCATION
|
||||
value: /etc/ocis/csp.yaml
|
||||
- name: PROXY_AUTOPROVISION_ACCOUNTS
|
||||
|
|
|
|||
|
|
@ -69,7 +69,7 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: jwt-secret
|
||||
name: jwt-secret
|
||||
name: ocis-jwt-secret
|
||||
- name: SEARCH_SERVICE_ACCOUNT_ID
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
|
|
@ -79,7 +79,7 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: service-account-secret
|
||||
name: service-account-secret
|
||||
name: ocis-service-account-secret
|
||||
- name: OCIS_ASYNC_UPLOADS
|
||||
value: "true"
|
||||
image: owncloud/ocis:7.1.4
|
||||
|
|
|
|||
|
|
@ -80,12 +80,12 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: user-id
|
||||
name: admin-user
|
||||
name: ocis-admin-user
|
||||
- name: SETTINGS_JWT_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: jwt-secret
|
||||
name: jwt-secret
|
||||
name: ocis-jwt-secret
|
||||
- name: SETTINGS_SERVICE_ACCOUNT_IDS
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
|
|
@ -95,12 +95,12 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: api-key
|
||||
name: storage-system
|
||||
name: ocis-storage-system
|
||||
- name: OCIS_SYSTEM_USER_ID
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: user-id
|
||||
name: storage-system
|
||||
name: ocis-storage-system
|
||||
image: owncloud/ocis:7.1.4
|
||||
imagePullPolicy: IfNotPresent
|
||||
livenessProbe:
|
||||
|
|
|
|||
|
|
@ -68,7 +68,7 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: jwt-secret
|
||||
name: jwt-secret
|
||||
name: ocis-jwt-secret
|
||||
- name: SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD
|
||||
value: "false"
|
||||
- name: SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD
|
||||
|
|
@ -91,24 +91,24 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: api-key
|
||||
name: storage-system
|
||||
name: ocis-storage-system
|
||||
- name: SHARING_USER_JSONCS3_SYSTEM_USER_ID
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: user-id
|
||||
name: storage-system
|
||||
name: ocis-storage-system
|
||||
- name: SHARING_PUBLIC_DRIVER
|
||||
value: jsoncs3
|
||||
- name: SHARING_PUBLIC_JSONCS3_SYSTEM_USER_API_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: api-key
|
||||
name: storage-system
|
||||
name: ocis-storage-system
|
||||
- name: SHARING_PUBLIC_JSONCS3_SYSTEM_USER_ID
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: user-id
|
||||
name: storage-system
|
||||
name: ocis-storage-system
|
||||
- name: SHARING_USER_JSONCS3_MAX_CONCURRENCY
|
||||
value: "20"
|
||||
image: owncloud/ocis:7.1.4
|
||||
|
|
|
|||
|
|
@ -72,7 +72,7 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: jwt-secret
|
||||
name: jwt-secret
|
||||
name: ocis-jwt-secret
|
||||
image: owncloud/ocis:7.1.4
|
||||
imagePullPolicy: IfNotPresent
|
||||
livenessProbe:
|
||||
|
|
|
|||
|
|
@ -70,7 +70,7 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: jwt-secret
|
||||
name: jwt-secret
|
||||
name: ocis-jwt-secret
|
||||
image: owncloud/ocis:7.1.4
|
||||
imagePullPolicy: IfNotPresent
|
||||
livenessProbe:
|
||||
|
|
|
|||
|
|
@ -66,7 +66,7 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: jwt-secret
|
||||
name: jwt-secret
|
||||
name: ocis-jwt-secret
|
||||
image: owncloud/ocis:7.1.4
|
||||
imagePullPolicy: IfNotPresent
|
||||
livenessProbe:
|
||||
|
|
|
|||
|
|
@ -78,17 +78,17 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: storage-system-jwt-secret
|
||||
name: storage-system-jwt-secret
|
||||
name: ocis-storage-system-jwt-secret
|
||||
- name: OCIS_SYSTEM_USER_API_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: api-key
|
||||
name: storage-system
|
||||
name: ocis-storage-system
|
||||
- name: OCIS_SYSTEM_USER_ID
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: user-id
|
||||
name: storage-system
|
||||
name: ocis-storage-system
|
||||
image: owncloud/ocis:7.1.4
|
||||
imagePullPolicy: IfNotPresent
|
||||
livenessProbe:
|
||||
|
|
|
|||
|
|
@ -125,7 +125,7 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: service-account-secret
|
||||
name: service-account-secret
|
||||
name: ocis-service-account-secret
|
||||
- name: STORAGE_USERS_STAT_CACHE_STORE
|
||||
value: noop
|
||||
- name: STORAGE_USERS_MOUNT_ID
|
||||
|
|
@ -137,12 +137,12 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: jwt-secret
|
||||
name: jwt-secret
|
||||
name: ocis-jwt-secret
|
||||
- name: OCIS_TRANSFER_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: transfer-secret
|
||||
name: transfer-secret
|
||||
name: ocis-transfer-secret
|
||||
- name: OCIS_ASYNC_UPLOADS
|
||||
value: "true"
|
||||
- name: STORAGE_USERS_EVENTS_NUM_CONSUMERS
|
||||
|
|
|
|||
|
|
@ -84,7 +84,7 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: thumbnails-transfer-secret
|
||||
name: thumbnails-transfer-secret
|
||||
name: ocis-thumbnails-transfer-secret
|
||||
image: owncloud/ocis:7.1.4
|
||||
imagePullPolicy: IfNotPresent
|
||||
livenessProbe:
|
||||
|
|
|
|||
|
|
@ -73,12 +73,12 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: service-account-secret
|
||||
name: service-account-secret
|
||||
name: ocis-service-account-secret
|
||||
- name: USERLOG_JWT_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: jwt-secret
|
||||
name: jwt-secret
|
||||
name: ocis-jwt-secret
|
||||
- name: USERLOG_MAX_CONCURRENCY
|
||||
value: "1"
|
||||
image: owncloud/ocis:7.1.4
|
||||
|
|
|
|||
|
|
@ -70,14 +70,14 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: reva-ldap-bind-password
|
||||
name: ldap-bind-secrets
|
||||
name: ocis-ldap-bind-secrets
|
||||
- name: USERS_IDP_URL
|
||||
value: https://drive.tr1ceracop.de
|
||||
- name: USERS_JWT_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: jwt-secret
|
||||
name: jwt-secret
|
||||
name: ocis-jwt-secret
|
||||
image: owncloud/ocis:7.1.4
|
||||
imagePullPolicy: IfNotPresent
|
||||
livenessProbe:
|
||||
|
|
@ -118,4 +118,4 @@ spec:
|
|||
name: tmp-volume
|
||||
- name: ldap-ca
|
||||
secret:
|
||||
secretName: ldap-ca
|
||||
secretName: ocis-ldap-ca
|
||||
|
|
|
|||
|
|
@ -88,7 +88,7 @@ spec:
|
|||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: jwt-secret
|
||||
name: jwt-secret
|
||||
name: ocis-jwt-secret
|
||||
image: owncloud/ocis:7.1.4
|
||||
imagePullPolicy: IfNotPresent
|
||||
livenessProbe:
|
||||
|
|
|
|||
|
|
@ -3,7 +3,9 @@ kind: Job
|
|||
metadata:
|
||||
annotations:
|
||||
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
||||
argocd.argoproj.io/hook: PreSync
|
||||
argocd.argoproj.io/sync-options: Replace=true
|
||||
argocd.argoproj.io/sync-wave: "-1"
|
||||
name: ocis-secret-init
|
||||
namespace: ocis
|
||||
spec:
|
||||
|
|
@ -16,18 +18,104 @@ spec:
|
|||
- |
|
||||
set -e
|
||||
|
||||
SECRET_NAME="ocis-s3-credentials"
|
||||
gen_random() {
|
||||
head -c 32 /dev/urandom | base64 | tr -dc 'a-zA-Z0-9' | head -c "$1"
|
||||
}
|
||||
|
||||
if ! kubectl get secret "${SECRET_NAME}" -n ${NAMESPACE} >/dev/null 2>&1; then
|
||||
echo "ERROR: Secret ${SECRET_NAME} does not exist in namespace ${NAMESPACE}."
|
||||
echo "Please create it manually with keys 'accessKey' and 'secretKey':"
|
||||
echo " kubectl create secret generic ${SECRET_NAME} -n ${NAMESPACE} \\"
|
||||
echo " --from-literal=accessKey=<your-access-key> \\"
|
||||
echo " --from-literal=secretKey=<your-secret-key>"
|
||||
exit 1
|
||||
else
|
||||
echo "Secret ${SECRET_NAME} exists, OK"
|
||||
gen_uuid() {
|
||||
cat /proc/sys/kernel/random/uuid
|
||||
}
|
||||
|
||||
create_secret_if_missing() {
|
||||
local name="$1"
|
||||
shift
|
||||
if kubectl get secret "$name" -n "${NAMESPACE}" >/dev/null 2>&1; then
|
||||
echo "Secret $name already exists, skipping"
|
||||
return
|
||||
fi
|
||||
kubectl create secret generic "$name" -n "${NAMESPACE}" "$@"
|
||||
echo "Created secret $name"
|
||||
}
|
||||
|
||||
# Validate external secrets exist
|
||||
if ! kubectl get secret ocis-s3-credentials -n "${NAMESPACE}" >/dev/null 2>&1; then
|
||||
echo "ERROR: External secret ocis-s3-credentials must be created manually"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Admin user
|
||||
create_secret_if_missing ocis-admin-user \
|
||||
--from-literal=password="$(gen_random 32)" \
|
||||
--from-literal=user-id="$(gen_uuid)"
|
||||
|
||||
# JWT secret
|
||||
create_secret_if_missing ocis-jwt-secret \
|
||||
--from-literal=jwt-secret="$(gen_random 32)"
|
||||
|
||||
# Machine auth API key
|
||||
create_secret_if_missing ocis-machine-auth-api-key \
|
||||
--from-literal=machine-auth-api-key="$(gen_random 32)"
|
||||
|
||||
# Storage system JWT secret
|
||||
create_secret_if_missing ocis-storage-system-jwt-secret \
|
||||
--from-literal=storage-system-jwt-secret="$(gen_random 32)"
|
||||
|
||||
# Storage system secret
|
||||
create_secret_if_missing ocis-storage-system \
|
||||
--from-literal=api-key="$(gen_random 32)" \
|
||||
--from-literal=user-id="$(gen_uuid)"
|
||||
|
||||
# Transfer secret
|
||||
create_secret_if_missing ocis-transfer-secret \
|
||||
--from-literal=transfer-secret="$(gen_random 32)"
|
||||
|
||||
# Thumbnails transfer secret
|
||||
create_secret_if_missing ocis-thumbnails-transfer-secret \
|
||||
--from-literal=thumbnails-transfer-secret="$(gen_random 32)"
|
||||
|
||||
# Service account secret
|
||||
create_secret_if_missing ocis-service-account-secret \
|
||||
--from-literal=service-account-secret="$(gen_random 32)"
|
||||
|
||||
# Collaboration WOPI secret
|
||||
create_secret_if_missing ocis-collaboration-wopi-secret \
|
||||
--from-literal=wopi-secret="$(gen_random 32)"
|
||||
|
||||
# LDAP bind secrets (three passwords for different bind users)
|
||||
create_secret_if_missing ocis-ldap-bind-secrets \
|
||||
--from-literal=reva-ldap-bind-password="$(gen_random 32)" \
|
||||
--from-literal=idp-ldap-bind-password="$(gen_random 32)" \
|
||||
--from-literal=graph-ldap-bind-password="$(gen_random 32)"
|
||||
|
||||
# IDP secret (encryption key + RSA private key)
|
||||
create_secret_if_missing ocis-idp-secrets \
|
||||
--from-literal=encryption.key="$(gen_random 32)" \
|
||||
--from-literal=private-key.pem="$(openssl genrsa 4096 2>/dev/null)"
|
||||
|
||||
# LDAP CA cert + key (self-signed)
|
||||
if ! kubectl get secret ocis-ldap-ca -n "${NAMESPACE}" >/dev/null 2>&1; then
|
||||
openssl req -x509 -newkey rsa:2048 -keyout /tmp/ldap-ca.key -out /tmp/ldap-ca.crt \
|
||||
-days 3650 -nodes -subj "/CN=ldap-ca" 2>/dev/null
|
||||
kubectl create secret generic ocis-ldap-ca -n "${NAMESPACE}" \
|
||||
--from-file=ldap-ca.crt=/tmp/ldap-ca.crt
|
||||
echo "Created secret ocis-ldap-ca"
|
||||
|
||||
# LDAP server cert signed by the CA
|
||||
openssl req -newkey rsa:2048 -keyout /tmp/ldap.key -out /tmp/ldap.csr \
|
||||
-nodes -subj "/CN=idm" -addext "subjectAltName=DNS:idm" 2>/dev/null
|
||||
openssl x509 -req -in /tmp/ldap.csr -CA /tmp/ldap-ca.crt -CAkey /tmp/ldap-ca.key \
|
||||
-CAcreateserial -out /tmp/ldap.crt -days 3650 \
|
||||
-extfile <(printf "subjectAltName=DNS:idm") 2>/dev/null
|
||||
kubectl create secret generic ocis-ldap-cert -n "${NAMESPACE}" \
|
||||
--from-file=ldap.crt=/tmp/ldap.crt \
|
||||
--from-file=ldap.key=/tmp/ldap.key
|
||||
echo "Created secret ocis-ldap-cert"
|
||||
rm -f /tmp/ldap-ca.key /tmp/ldap-ca.crt /tmp/ldap.key /tmp/ldap.crt /tmp/ldap.csr /tmp/ldap-ca.srl
|
||||
else
|
||||
echo "Secret ocis-ldap-ca already exists, skipping LDAP certs"
|
||||
fi
|
||||
|
||||
echo "All secrets initialized successfully"
|
||||
env:
|
||||
- name: NAMESPACE
|
||||
valueFrom:
|
||||
|
|
|
|||
|
|
@ -1,11 +0,0 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
password: cHNCME40QW85Y3NDYTYxOVNpUVVrY0VJZTYxajdU
|
||||
user-id: MTJjNDE0OGUtZGIxZC00ZTUxLWIwZDQtMjc4YzhlMTExZjcz
|
||||
kind: Secret
|
||||
metadata:
|
||||
annotations:
|
||||
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
||||
labels: null
|
||||
name: admin-user
|
||||
namespace: ocis
|
||||
|
|
@ -1,10 +0,0 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
wopi-secret: Wno2dmFISjdBTFVKZ3BWeXFhdTM4eDNiWVVVeHlv
|
||||
kind: Secret
|
||||
metadata:
|
||||
annotations:
|
||||
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
||||
labels: null
|
||||
name: collaboration-wopi-secret
|
||||
namespace: ocis
|
||||
|
|
@ -1,11 +0,0 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
encryption.key: NU1FOHBzQ2Q3akZSJz0qP352czZ5cUlYJEhPUEl7fnc=
|
||||
private-key.pem: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS0FJQkFBS0NBZ0VBM0k3d1J5a0hXRE1zblNFY1FSaUpPWHFvY2t1U2xiajhzbFRUYmRvMmI0SVo0UHlCCnFaRHNTZkpIa1pnUkxTUE4yN3hMazM5bDlZQUM2MjF6YThKMk9hK05qYSsreXJXUFZBSGxOUm5lRHMwTENmM28KOFhnMDBkT0dNRkNJbmZ5UEE3VThEYm10RlRHeXBPQTVGMnZqVVhqV3JOejhHWUF5Z0J4NmlxSmRNVHRLVFpxaQpyWVdWY0poN1dTdzFKYkd0N2ZjUk9NK3JJbDhxVFJlRUE1czVNeTR4S3JNeWVTa0MxMW5LVy9UNzZUQjNzaFBuCi91dmYyTENSOUxMZkFoS0JJSDVGK1piUHNDQzlaT05MVkJDRlkvTUZPbUxzYmlIR1BTVklrRktoMFU2cFd3cjEKSzlVSm5ISWJCcXBSU2NPaVgzSk41Mkpzdnl6RHVqS1NKcmJYVCt0UGNpcHRmOTU1Q0RGaFcyL2pZeVJSZlBHTgoxeTlBYTRMLytocFF2ellMUnRicWxJQXpXQ1dFdTJ4cEVIRzAzTlpzeE44aW5LbVYyeXVVRXBNb080RkVUSklyClFTTnA1R09HVEpXVmhCdjNsdXUvUlg2Y0diVUZHYVorbVNlM1BobWJORlMxbUlqZGZacHhkd1lnRWtnYjNpYVMKOFdSU2VIWlBhQXdQeFowai9aVVA1S0hwT1ArUmVHU1Q5bzRmVGNKY1h6MEpFT1BiRXhEaEF5NkM0UFRVR0VVbgpWSGRjOUsyTXV0QjFnS2FvN05EUW9IQU9MbEptamxaMGxZSk44MDFLRklHdWlINGp4bk82SHNhUFRNZ3NRWUZwClBBcUpxWlFyblBiL09JNkw0UE5tTVR2a1AwTTBUSUd6UTZXSE5UZ0JRR0NOZzhUbHJ1d29qQmtpcFpFQ0F3RUEKQVFLQ0FnQkRSeHJHS2g3Q2FjSEhJRzEwOGQ0UitYZGVmZXoxM05yQUx4M2JXWC9YWGRFMUR2RWlYMEdrZ05JUgorRmZzOUFuOGFDQ0ptb2ZvYmliMTE0b29xY1hVYk5kNkM4emdHcWZnMFQ4d2huWjAvMWpKc0hrWkJ6amRkRzl2ClYzR0U5NkJNV2tFNlVwUVliZk4zVmFvMG1jVmFlY2pLTEJKK1dOdU90cUV1bnI1Y29TQldNY0JEdkFiTXRNYVQKZWVld1d0V2FUQTRselRyL25oWFNORVVoc0h5dlB2emljSTBKNWxlbWh3NHlKTFdlK1JqWjZqYVBUVFlYN0N4cApmeEtGbUUxcE12dDNXZWg2YWxJN2J4WHdTNlhVeWpHakVML2NERk5qSFhkWUJzeXpneEluNGx6TkJRd01lOFlBCnIzMWlTZG5DMGFRdjI1Y2ViYkk2bnVoMEJMd0NaTmFQZzBUK2htNlkrVEZBdVZiajlPRHZVLy8ybUFPVXlpeUMKaE1XRHFreVAxQ1IrdDZvTU9JVmtXYjArQk4vRXhqblhxa2kybTNGemR3QkVlVExBdm9pRDRoWEhhVEtQMUJ6UApEcTVPcFQvaVhoNUlKVGlNTmdoR1R5QkNDSEQ2a1puZnhZbmFVTmMvOUVDaHZqdG1ZcW9DbVUzVXlEenFTSlpWCnA0OTUzK0M1bGhBMytvbWMvVGU3RENqeE1tNC9rcFlUZm9sL21nRGNMMXlmUU00dmt2akNDendtOWVqc0JtT2oKZ3lqMk9GRFRLUDBQUFNaV3hwZXhqSkhzdUV4OHBNQkpmR0xySzQyV2xPVEhTazNCSllKL3R2ODRxbXJFR3BiUgpydkgvQ3NQd05xaW12SndXL3VRMlNNWXdHT0JPcHg5elY5b3lEU1dDVlJYQU1OU3dmUUtDQVFFQTlMZjFxY0l4CkdZejhEMnRJQ0cxVStwblpoTUVqVjRnUjNIWUJPV2RuYVdHVGJGQ0ZzWmFob0RMNjBxaUJKR0ZIcTdzWjhXYkgKR3FpQ1ZFb3lnLzVoREU4eDFtVU05UFltSzAvQlNlQVhrM1RJa0hQWDYwVDlaKytYOHloVmRwOGsrZUMyV1hHeAo0MzNBNEZrWGpSK1BPMXM3dXhIUGVtdHhWb2l4bDNjMjBEd21hMHpDaXpVVEc4VTJrKytyYWw1WG9uTjA5MldiCkU4R2twYUlEUjkzU0lBaS9oak5IVWFmdExLOXZ3SmJLTFJJdHJkOFRDRWpoWWlEM050UzIxNGJ1YXhVQjI1NDYKcUp5cEx6Y0VoK2hqZzVmRE56TnVMYWwyb2E5aDBpZithcExud21hRVJUaXQ1MDhodTNiclQ0c2ZyZ0c0bmtaYwpIMmpYL0dSR3ZlVzBsd0tDQVFFQTVybmFQak5sckZ2cDBOOUxvRzBXWm1lOWxvZWxiN3d1ZjQzcm1HcnJQQTZzCk1wK24zMUJhaXVITEQ2eEF3QUU3dXp6UkJqQVpZQ2psSDAvRnllVHJzSlBuUW1zWTU4MldnMWxmcGIzSUxVMHgKZVNMMVhJWFNDSGJxYThJZ0ZUSldSdDY2UjArSHpER2REVVlndzd3T3BRVk84cTB5TFJYYUVTZ3NuWlhqZmtIOApzeFMzMTZkQ04rV2I3amtrcEFsRFFZRDdocjQ4TzFReHpuRW00NWRqcXRub0YvMUJsZ3B4MEJYT2FjeDhQbHlUCnBvaGpkcnUxd1MzVmRXZDdlSVpqbmh0dXc4U1RrWGZmcmJUejk1NHNBaFdTa1Y5amgwT0Rpc2tDeWV5RjlDU3UKQTVETVhDVXdickQrZ1VpUU8zSXNEeE1IQzFjNk1wWlJJbVpNZUExMEZ3S0NBUUJuYURpUmxESkZOckxvSFJBaQpKM2pxTUFxZk16R284aUdDQkFjK1ozaG1La291VWRROGw0Y1NkNWhQWGM2OFBiTVlXUVo4WUU2djhCYXFZWFA1CkhJdUx0UWM5TGhRTWl0clVJRzV2dGhhZ1E0L2dvbUxSMHFRMXdDTjRKMG45eHYvTDZ1MkMzQzBzRU41b3JwenEKRURUcEF3TTVhQ3hBOFpmQjFoOGMvczRWcmVVYUlDUnd5R3VicDNrSmlCUHA3WldnV3FOSlN4RDloeXo0cEg0NApadjQ4ZFJYaE1sZm5wRXJ2UCs2NzlidlcwY0Nsb1FhYzBKY1ViUk9wZ3JjRVdjcnpTcnd2UGl4UlJXbWtQdDVXClE1ZVJhcGFlQThpQjJRTDlEV3dMYnNUdDZjZXUrTHpadHpxYzdHNDNsZWVYQkJYTjVJSkx0eldFUER4UU5WdEQKTVFaZkFvSUJBRVpRMjg5YkVLQnZ2cGwyZy9EWGJoMDFmcFVTci91V2lVRThlbEdRUERLb2NoaFhpZXpINjJBcQpJaDJickh3WHBDR1REa3pwZWNKUmxFcHZvR0xBVG9nWSswREZyT2h3UW0relhEQUIzN0RXdHI0cFJrZTFUT1poCmYxM3A0cWN6R1JJdUxPMHdzcjByWGFhKytadE5nOVVOQWh0NVp6SlFWNDRsQlR2ZGcyQm1NZUpON1IxZkR4SkQKK3JxbVZhRmNaVS9nUkVlelVGM3djZUZ0b0tGNThOa1A0ZWoxdVBoR0pKdDdHZFlxaUs3a3ZlYmg2QlkyYk5UNwo1L01JMzV0Q3NiZHN1dHdVMjdoWXBTV21ZVGZVejZxdThtVTFnZnFtTzcrZk5TZGUyeEFsNFphYW1YMTNwQVFJCkV2aEpxaE5EMzJPVXMrL2ozSXV3UGZmUzMza3krRzhDZ2dFQkFNNkVySXovbDdFS0RNN0NWd2VOMUhIUk1NV0MKQldKRTdaNi9LUlZ2TDE4bjhkWUV4NEJaYTdCcjhNZnRQejVTSHRCOUxqZmZlbWNxcVhqRzdhcXV3NDFRSFFkLwpPV0lRVGl4RWNrRDlaYmwwOG1MU2h1WCtLZlhJejMwK0gybG51UTdQVWo1N0N1V0pndGdGY05EeFdwaG1ncFkxCkp0djNYdEVhM0lNVDRBNHVLSGdHbDZyOTdxSFQvRXF4MmljTGxOWFU2aEFjYjV2QmgzK2JaOGFQbUpWWi84QlcKakJZWmxYMTFmaWFnSWF4NThHUTM4VS9GQTFHaEJyeGVGcU50WG9PSGU0QS82Tmxmb0E1dDRGVExmWjVMUW9SKwpkRmxNMlBSM016dnEwSFB3RFdTQ2kvR3RqQzB4WXZ4U0FmQ3BucFptWkNORTNEMU94b29FUUNzWW5sbz0KLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K
|
||||
kind: Secret
|
||||
metadata:
|
||||
annotations:
|
||||
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
||||
labels: null
|
||||
name: idp-secrets
|
||||
namespace: ocis
|
||||
|
|
@ -1,10 +0,0 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
jwt-secret: N0FxeFRwa2xVdDZ1MmJ0MVlNbGIzQ3E3Y2paRXQw
|
||||
kind: Secret
|
||||
metadata:
|
||||
annotations:
|
||||
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
||||
labels: null
|
||||
name: jwt-secret
|
||||
namespace: ocis
|
||||
|
|
@ -1,12 +0,0 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
graph-ldap-bind-password: OXhsb0V0N3YwM2Zrc24xY0lpanBwZmRhTlYybEV5
|
||||
idp-ldap-bind-password: eFNndGZaRzF0SzhNeXB4c0doSTJhd3B6aDZGQWE3
|
||||
reva-ldap-bind-password: aWZRZXVtQ3hYVERFdWx6bElHQXQ4TUdHazF4cGQ0
|
||||
kind: Secret
|
||||
metadata:
|
||||
annotations:
|
||||
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
||||
labels: null
|
||||
name: ldap-bind-secrets
|
||||
namespace: ocis
|
||||
|
|
@ -1,10 +0,0 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
ldap-ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUREekNDQWZlZ0F3SUJBZ0lRVXQ5V0d1aHd0aWtFcngzL2c3Zkl1VEFOQmdrcWhraUc5dzBCQVFzRkFEQVMKTVJBd0RnWURWUVFERXdkc1pHRndMV05oTUI0WERUSTJNRFF3TmpFd05UTXdOVm9YRFRJM01EUXdOakV3TlRNdwpOVm93RWpFUU1BNEdBMVVFQXhNSGJHUmhjQzFqWVRDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDCkFRb0NnZ0VCQUw5cjVqZnlHVnZEL1RLT3BXcHA0RW9IcWFRc3kyZ1pxelRpWDNjNHk0MmV6M2NsU29lWHcyNlEKcmZSTnhGd3hJUVFLUEZyZ1FkMGFjcmtsdzc1VWViZjc4blZQaE0rUHJqRjdJc1cvbTZvSlRSenE2L0s5NkRBMwpMNk5FWlZXVVlDNHU4Szg3SjA0TWdPb2kxMlZXbFJUNmlRZldDVTNhUkZTVlA5d1Myd2h0TGNqdzh4TWQyMGxoCll0dzc4Qm1zaEJNRVZDYis1d3lxSDFQazJLandjUERPa1hrTzNqTHFManlZNC9QUnl3Uk05RlREQloycmpsMUkKQkdPYm1IVTQwZFVTbXpoZHFMY3dKZkJjU3dEdGQxbmlURHRtbVh0eU44Y09LOVdlY1pNSit4SElzRUtLYTVzQgppZVFFd0VHUVBDMm94TURsRmgzMnNyM0Y4dEZmWDZrQ0F3RUFBYU5oTUY4d0RnWURWUjBQQVFIL0JBUURBZ0trCk1CMEdBMVVkSlFRV01CUUdDQ3NHQVFVRkJ3TUJCZ2dyQmdFRkJRY0RBakFQQmdOVkhSTUJBZjhFQlRBREFRSC8KTUIwR0ExVWREZ1FXQkJTVkRZd25kdTFTU1dnUkdBbnVQa1d4WHJvZmN6QU5CZ2txaGtpRzl3MEJBUXNGQUFPQwpBUUVBSk92UUVkT1FHb1NqVEJZZ0krWk5uVDVtVTdQMlhvT1dkU2FrTTVLY3dSSjlFUFh2ZGJrL2NPN3Y1d3B4CmVGTll0eFJoNGZqMTBxQVZyTWNnbnBRbFN4R3FaSURDNFNqZkRXZWlIdStwcTFGMWRrdlppQUNFbGQ5KzZOZWkKcGhhNmpyMi8vV28yV0FpSWJjNlVXSEx1bjY0azA3cVJreCtFK0g2OXhYd0RWVHN6MFlta2tCN2dhVnpLczY5bApSd2FoNy9tQ0M0eFdQK0xCb1h4N2JYWStuUTRycGJqTGNNeFM2Y1lHOEQ4VGhTNlBkSHNidDk3MnhZMnpsdlJwClA4dll2dUFDdUsyYTBvM3VUTGdhZEdFY1NQVDFKMCtsekFjSHk2S1VoZXhyYUcyVjhYL0hHNWpGcFFUamFmalYKL0hkQWcvbEtJSDZNenE3RGtIUXNmRktTdnc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
|
||||
kind: Secret
|
||||
metadata:
|
||||
annotations:
|
||||
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
||||
labels: null
|
||||
name: ldap-ca
|
||||
namespace: ocis
|
||||
|
|
@ -1,11 +0,0 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
ldap.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURHakNDQWdLZ0F3SUJBZ0lRQ3I1YkhoWjB5S09vY041dVRrS0JJREFOQmdrcWhraUc5dzBCQVFzRkFEQVMKTVJBd0RnWURWUVFERXdkc1pHRndMV05oTUI0WERUSTJNRFF3TmpFd05UTXdOVm9YRFRJM01EUXdOakV3TlRNdwpOVm93RGpFTU1Bb0dBMVVFQXhNRGFXUnRNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDCkFRRUFyRHZXbnYvbnE2SzFRaUd4bURQSTJVN3hkZUFKRitxRG5sZE8yNHlPZkQ0VG9GOUx6Z1M4SExRWmRTKzMKWjhzVlJxYXZYS0hNcmFBcjVzMmJuL2ZzbXNUUkppbEVCM3AwTXZPN2t5YlJCcjlJcEE4WGd2Ynpucmk3TzVoMApUalUvcEcyNE9LaEJvMEhzV2JRSVpqa3J2YmV4ZnF6VXFiaE5lenJhTmRqcEIxcWxvbGF5enBVc0FxYjlnS1E2CkhUTjdhNDErUk56NCt6L0FlaUJPTS8yRmVxMHBVb3hLMWdCbklycCtlSm9BOHkrQTA3a2RMSm54Z01adXpxcHoKZTRjMXVKWFRqRDVmYmlpYkdsVjJzcFZqc2NWZlplVWdwWVFZWlFoclBBbERodjNBQ29ITnBjdWRzRXhPOTdBMwozcmRMVTFaMTN2ZnVRVDZtSjFBMEhJVENlUUlEQVFBQm8zQXdiakFPQmdOVkhROEJBZjhFQkFNQ0JhQXdIUVlEClZSMGxCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01Bd0dBMVVkRXdFQi93UUNNQUF3SHdZRFZSMGoKQkJnd0ZvQVVsUTJNSjNidFVrbG9FUmdKN2o1RnNWNjZIM013RGdZRFZSMFJCQWN3QllJRGFXUnRNQTBHQ1NxRwpTSWIzRFFFQkN3VUFBNElCQVFBVVlkZTN3U1p4QVhVcHkwUzFJS21URTVpOHNWbUx0aXdyOXVsQ3l6WUNiOVd0Cjh6ZXVJaDhDV1lxQzgzais1cjdlaThpbGJzTDc1bzErQ1FSREswM1NWMkdGSjRINkErZmoybXVzMHdCakY0VmEKbXRNL1cxckFIamZmREJ3T1BTM3BvNWp2UWNLN2l2ajhweTNnYzYrVVdnSTlsQnZwZUVXcFM1Z2Jxdy9ZQ1Z1OApvT21yem9vZzZUQlNVWUNtK2VJREZ6TTlzdEJUMWk5RmhYclpYSmpoSTVEcTlaWm50UGpjdVhVZjRFSGFSdFpxCjBqWC9uL0x6eVFpREs4d2dWU1AwY0MyZVVhMjdzMFhUelJld0lQc0piZ3hWMTlhWjJENm03bGVWZ05FVDhkdGwKbkdHbjc2YlBvdVUyY1RpaGQ5OFdlSGpGMTF2ZlpTZnRmeElsTEh3VQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
|
||||
ldap.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBckR2V252L25xNksxUWlHeG1EUEkyVTd4ZGVBSkYrcURubGRPMjR5T2ZENFRvRjlMCnpnUzhITFFaZFMrM1o4c1ZScWF2WEtITXJhQXI1czJibi9mc21zVFJKaWxFQjNwME12TzdreWJSQnI5SXBBOFgKZ3Ziem5yaTdPNWgwVGpVL3BHMjRPS2hCbzBIc1diUUlaamtydmJleGZxelVxYmhOZXpyYU5kanBCMXFsb2xheQp6cFVzQXFiOWdLUTZIVE43YTQxK1JOejQrei9BZWlCT00vMkZlcTBwVW94SzFnQm5JcnArZUpvQTh5K0EwN2tkCkxKbnhnTVp1enFwemU0YzF1SlhUakQ1ZmJpaWJHbFYyc3BWanNjVmZaZVVncFlRWVpRaHJQQWxEaHYzQUNvSE4KcGN1ZHNFeE85N0EzM3JkTFUxWjEzdmZ1UVQ2bUoxQTBISVRDZVFJREFRQUJBb0lCQUE0WEdTQkozRGlZNTQ1QQo5bWYydUpRNmxwdG5tQ2JhT3lsTmlEaUMzN2MvVnRpMFl4MjRHbkdZdEVwM2ZHQWo1NW92a2NJWXhJZGh4cVdyCnBYTXBVN1IzcklxY0xxSVQvUVNjRnZqYllKZFdOOG1nS0hMQTVENVVhNURkRUlyRFpYRDh2dWozcnVMOXhpbXkKaGt0aW12YjYyNno2MDYwTTFGM2oreTBUa1VEV0lhUllwb1llNnlKQkdXbjNRTW1zV3ZXNStmU0c3Yk1VOWlCdwpRTWx2cnZOdlBIbDZJWWhrd0dnSWp1cjVKblRqc0U5SWZBdUR5L2hVNzl0SFpzV252RlRmUDdJTVZNSVBTY2NICnl2SHgwMHpuaE9LOHZXSkFGb3pMUVdpZFpldUFEaEhhblhGaklTd1A3cDBPNDc4T0xxTCtWNjdBMk54bEZaK3UKRTdTdCs5a0NnWUVBNUJMY0Z2UjN3K0k0dkJFWFd6bHVOREd2VFVRdXI4Y1VTbjVkcXAxR1NhWlpkNFhDL0hpcwo1QVI1c2dPaU0zMllLQkFvY1NJRmdJdW9ic2g2VWpNdU8zWktCVU5ibyttZ3ZQNW1qKzF4VkQrNGN0QS92ak9sCnNNT1VYNS95VEJlZ0Z3QkNvKzVqNWVsMHQvSHllcE5wTTJRZjJjUFVVczlCYjlkdDA5NU9PclVDZ1lFQXdWS2kKWFhUZVM3dDdDME5CbFlkWkRTa293ODJldTdQZEdNSzFGM3pRWU5vcXgydG1UTzVTbzI0S20zRTNiZzZwNzF5bgpqU3doV0lkQS9ZSFJsano3cyt2WVJ0VjBPcmtmYlZCQzhGVUtONUVNSlhhL1NDOFlRc1psUWZvUkVXb3BuS0ZECnFUUDV6SzVkelBwYWFNNlhWRm5WMFFlb0UvODYxSEN6aW5DYUR6VUNnWUJ6NnZYN29NTGlSeThvdnRNTkpYSlMKaXRJYlJrVW9SOW1UUndpYU41ZEt4WWFCVGZYZFZnUWhXL2p5TmhDUmRRc0ppYlRVVTBOU295aTNMYU9sOWFkUQp4MzAxa1plWkJwd1Frb2hVTEkxR0VhRFFrZkZqM1dJZ0pqZGFKclFDWXB1V05TYXBwUGNYR29HZElCWnFvRk4rCnNDdlVCVWo3MGFUamtDMmMya2NPWlFLQmdBWTY0NENmZzRwdFFFbmNvUUJ3bkM0UVpYL3A0SE9zR0RQMEVtSHYKWThlN1FDV3RFRjdxVHo5MURHSjJBNU5JWmJHUkN0VkIxdEZEaXBTZzJtQTlGdDkxZWtMT0hqREdSbnovV1NqbApsSzYxdmU1M0pUTHVVWm5WU3U0VllQZHV0R2lYeWRacUZtTENPOE9mVGNxUzNjMmFGNG5rOVVXdnMvV2tyQ1NKCi9HMEJBb0dCQUlFM3FkcTFrcmJKcW5rVTRLK3BQREpsV0FjSUJXUjVERnlPY0U2M1V5ekNvTHdsZDFZVHVlNisKWkVhSnExYW1nRlZVRllkbitiUVJPWnI4ZVY1MldYSktBWmEyclRxUlJPTVVLVHk5RVR0cGpBSXJvV3lEOEp0bApxMkpkTnQ5Rk1LQWJkYWZMc1piaGl3eFdpRjUremJKUkhpU3ZtVG9RTGNDRDhJcXZnUFcyCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
|
||||
kind: Secret
|
||||
metadata:
|
||||
annotations:
|
||||
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
||||
labels: null
|
||||
name: ldap-cert
|
||||
namespace: ocis
|
||||
|
|
@ -1,10 +0,0 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
machine-auth-api-key: Ymh0RmU1Zko3VWpsZDJRM09RWUJPclJUOHlmNUpS
|
||||
kind: Secret
|
||||
metadata:
|
||||
annotations:
|
||||
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
||||
labels: null
|
||||
name: machine-auth-api-key
|
||||
namespace: ocis
|
||||
|
|
@ -1,10 +0,0 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
service-account-secret: S25hYjNES2pUWDRVOWNrSHI2dlZBaWJyOVFqZ1NT
|
||||
kind: Secret
|
||||
metadata:
|
||||
annotations:
|
||||
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
||||
labels: null
|
||||
name: service-account-secret
|
||||
namespace: ocis
|
||||
|
|
@ -1,10 +0,0 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
storage-system-jwt-secret: T2FTMVBaQW5tamVxQ2RXckZFQ3Q3M2VrdnBKNmx0
|
||||
kind: Secret
|
||||
metadata:
|
||||
annotations:
|
||||
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
||||
labels: null
|
||||
name: storage-system-jwt-secret
|
||||
namespace: ocis
|
||||
|
|
@ -1,11 +0,0 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
api-key: YlJCR2dobmZOTjJzUWQ1NkVyYVRFZEN5S1FMTWx4
|
||||
user-id: MWFlNzk2YmYtMWI0ZS00ZGI2LWI2OTUtM2E5ZGE3MDU1NDc1
|
||||
kind: Secret
|
||||
metadata:
|
||||
annotations:
|
||||
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
||||
labels: null
|
||||
name: storage-system
|
||||
namespace: ocis
|
||||
|
|
@ -1,10 +0,0 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
thumbnails-transfer-secret: MUJMNk44aktWVXlIYW1lS2RBVklaMk9MZ1dKY0M4
|
||||
kind: Secret
|
||||
metadata:
|
||||
annotations:
|
||||
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
||||
labels: null
|
||||
name: thumbnails-transfer-secret
|
||||
namespace: ocis
|
||||
|
|
@ -1,10 +0,0 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
transfer-secret: ajhYWFQyYVBRcEs0a0pCeXc1cjJnWHRBOTVzQjZh
|
||||
kind: Secret
|
||||
metadata:
|
||||
annotations:
|
||||
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
||||
labels: null
|
||||
name: transfer-secret
|
||||
namespace: ocis
|
||||
Loading…
Reference in a new issue