diff --git a/CLAUDE.md b/CLAUDE.md index ada3553..72cb37d 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -74,6 +74,11 @@ kubectl apply -f rendered/envs/production// --server-side # Deploy ## Container Images - **Never use bitnami images.** Use `alpine/k8s` or plain `alpine` for utility Jobs instead. -## Secrets (not in git) -- `cert-manager/letsencrypt-account-key` — ACME account key (auto-generated) -- `argocd/argocd-initial-admin-secret` — ArgoCD admin password (auto-generated) +## Secrets +- **Never commit secrets to git.** This is a public repository. +- **All secrets must be generated in-cluster** using init Jobs (ArgoCD PreSync hooks) that create secrets if they don't already exist. See `prototypes/ocis/ytt/s3-secret-job.ytt.yaml` for the pattern. +- **External secrets** (e.g. S3 credentials) that cannot be generated must be created manually in the cluster before deploying. The init Job should validate their existence and fail fast if missing. +- When adding a new application that uses a Helm chart generating secrets, configure all `secretRefs` to point to pre-created secret names and use an init Job to generate them. +- Known external secrets (not in git, created manually): + - `ocis/ocis-s3-credentials` — Hetzner S3 access key and secret key + - `cert-manager/letsencrypt-account-key` — ACME account key (auto-generated by cert-manager) diff --git a/docs/nextcloud-infrastructure-transparency.md b/docs/ocis-infrastructure-transparency.md similarity index 66% rename from docs/nextcloud-infrastructure-transparency.md rename to docs/ocis-infrastructure-transparency.md index 39d47e9..9e01948 100644 --- a/docs/nextcloud-infrastructure-transparency.md +++ b/docs/ocis-infrastructure-transparency.md 
@@ -1,4 +1,4 @@ -# Nextcloud: Data Safety & Infrastructure Transparency +# oCIS: Data Safety & Infrastructure Transparency This is a quick guide to show how I've set things up, where your data actually lives, and what happens if something breaks. My main goal is to make sure your files are **never permanently lost**, even if the service goes offline for a bit. 
@@ -6,46 +6,41 @@ This is a quick guide to show how I've set things up, where your data actually l I use a multi-region setup in Europe so that your files and settings aren't stuck in one single building. -| **Data Type** | **Primary Location** | **Infrastructure** | **Privacy** | +| **Data Type** | **Primary Location** | **Infrastructure** | **Privacy** | | :--- | :--- | :--- | :--- | -| **Your Files** (Photos, etc.) | Nuremberg, Germany | S3 Object Storage (NBG1) | EU (GDPR) | -| **Settings & Shares** | Nuremberg, Germany | Replicated PostgreSQL Cluster | EU (GDPR) | -| **Emergency File Backups** | Helsinki, Finland | Storage Box Vault (HEL1) | EU (GDPR) | -| **Database Backups** | Falkenstein, Germany | S3 Object Storage (FSN1) | EU (GDPR) | +| **Your Files** (Photos, etc.) | Nuremberg, Germany | S3 Object Storage (NBG1) | EU (GDPR) | +| **User Accounts & Metadata** | Nuremberg, Germany | Local persistent storage on cluster nodes | EU (GDPR) | +| **Emergency File Backups** | Helsinki, Finland | Storage Box Vault (HEL1) | EU (GDPR) | ## 2. Technical Setup & Reliability -I’m using a modern "cloud-native" stack to keep things stable: +I'm using a modern "cloud-native" stack to keep things stable: -* **3-Node Server Cluster:** The Nextcloud app runs across three different server nodes. I keep at least two active copies running at all times. If one server crashes, the system automatically moves your connection to a healthy one. +* **3-Node Server Cluster:** The oCIS application runs as a set of microservices across three different server nodes. If one server crashes, the system automatically moves your connection to a healthy one. * **S3 Storage Redundancy:** Your files are stored using "Erasure Coding." This means they are split into fragments and spread across many physical disks. The system can handle three disks dying at the exact same time without losing a single byte of your data. 
-* **SQL Database Replication:** Your account settings and calendars are managed by a PostgreSQL cluster. This is mirrored across multiple volumes so that a single disk failure doesn't lock you out of your account. +* **Self-Contained Architecture:** Unlike traditional setups, oCIS doesn't require an external database. User accounts, metadata, and file structure are managed by built-in services with their own persistent storage. ## 3. The "Never Unrecoverable" Guarantee -I don't guarantee 100% "up-time" (the site might go down for maintenance or if a datacenter has a major issue), but I follow a 3-Region Safety Rule to prevent data loss: +I don't guarantee 100% "up-time" (the site might go down for maintenance or if a datacenter has a major issue), but I follow a multi-region safety approach to prevent data loss: * **Daily Sync to Finland:** Every 24 hours, the system automatically mirrors all files from the Nuremberg storage to a separate **Storage Box** in Helsinki. -* **Database Dumps:** Every day, I export a compressed SQL dump of the database and store it in a different S3 bucket in Falkenstein. - * **Immutable Snapshots:** The backup vault in Helsinki uses "Snapshots." These are read-only versions of the past. If a bug accidentally deletes something, I can "roll back" the storage to how it looked yesterday. ## 4. Technologies I Use If you're curious about the specific tools I'm using to run this, here is the tech stack: -* [**Nextcloud**](https://nextcloud.com/): The core collaboration platform for your files, contacts, and calendars. +* [**oCIS (ownCloud Infinite Scale)**](https://owncloud.dev/ocis/): The core file sync and share platform for your files. A modern, self-contained Go application. * [**Kubernetes**](https://kubernetes.io/): The "brain" that manages my 3-node cluster and ensures the apps stay running. -* [**PostgreSQL**](https://www.postgresql.org/): The high-performance database engine that stores all your account settings and metadata. 
- * [**Hetzner**](https://www.hetzner.com/): The German cloud provider where all the physical servers are located. - * [**Object Storage (S3)**](https://www.hetzner.com/de/storage/object-storage/): The specific high-durability service used for storing your actual files in Nuremberg and backups in Falkenstein. + * [**Object Storage (S3)**](https://www.hetzner.com/de/storage/object-storage/): The specific high-durability service used for storing your actual files in Nuremberg. * [**Storage Box**](https://www.hetzner.com/storage/storage-box/): The independent storage vault in Helsinki used for the daily file mirrors and snapshots. @@ -55,13 +50,12 @@ The following table shows the total monthly costs for the entire setup. These ar **Note on Server Costs:** I am covering the server node costs myself, as I utilize the cluster for other personal projects as well. -| **Component** | **Description** | **Cost (Approx.)** | +| **Component** | **Description** | **Cost (Approx.)** | | :--- | :--- | :--- | -| **Servers (Nodes)** | 3x Cloud Instances (**CAX11 ARM64**) | \~€13.50 | -| **PostgreSQL Volumes** | High-speed block storage for database replication | \~€2.00 | -| **S3 Object Storage** | Primary storage (NBG1) & DB backups (FSN1) | \~€7.72\* | -| **Storage Box** | 1 TB Backup Vault in Helsinki (BX11) | \~€3.81 | -| **TOTAL** | **Combined platform cost** | **\~€27.03** | +| **Servers (Nodes)** | 3x Cloud Instances (**CAX11 ARM64**) | \~€13.50 | +| **S3 Object Storage** | Primary file storage (NBG1) | \~€7.72\* | +| **Storage Box** | 1 TB Backup Vault in Helsinki (BX11) | \~€3.81 | +| **TOTAL** | **Combined platform cost** | **\~€25.03** | *\*The S3 base price includes the first 1 TB of storage and 1 TB of egress traffic. If usage exceeds these limits, pay-as-you-go rates apply (approx. €7.74 per additional TB).* 
@@ -77,10 +71,10 @@ The following table shows the total monthly costs for the entire setup. These ar ## 7. What happens if...? -| **Event** | **What you'll see** | **My Recovery Plan** | +| **Event** | **What you'll see** | **My Recovery Plan** | | :--- | :--- | :--- | -| **A single server fails** | Nothing / Minimal lag | Automatic move to a healthy server node. | -| **You accidentally delete a file** | It's gone | I can try to pull it from the 24h Helsinki Snapshot vault. | -| **Major Datacenter Disaster** | Site goes offline | I'll rebuild the setup in a new region using the SQL dumps and File mirrors. | +| **A single server fails** | Nothing / Minimal lag | Automatic move to a healthy server node. | +| **You accidentally delete a file** | It's gone | I can try to pull it from the 24h Helsinki Snapshot vault. | +| **Major Datacenter Disaster** | Site goes offline | I'll rebuild the setup in a new region using the S3 data and file mirrors. | *I update this whenever I change the hardware or backup routine. Last update: April 2026.* diff --git a/docs/nextcloud-infrastructure-transparency_de.md b/docs/ocis-infrastructure-transparency_de.md similarity index 73% rename from docs/nextcloud-infrastructure-transparency_de.md rename to docs/ocis-infrastructure-transparency_de.md index 5fb74f5..d22cba9 100644 --- a/docs/nextcloud-infrastructure-transparency_de.md +++ b/docs/ocis-infrastructure-transparency_de.md @@ -1,4 +1,4 @@ -# Nextcloud: Datensicherheit & Infrastruktur-Transparenz +# oCIS: Datensicherheit & Infrastruktur-Transparenz Dies ist eine kurze Anleitung, die zeigt, wie ich alles eingerichtet habe, wo eure Daten tatsaechlich liegen und was passiert, wenn etwas schiefgeht. Mein Hauptziel ist es sicherzustellen, dass eure Dateien **niemals dauerhaft verloren gehen**, selbst wenn der Dienst mal kurzzeitig offline ist. 
@@ -9,43 +9,38 @@ Ich verwende ein Multi-Region-Setup in Europa, damit eure Dateien und Einstellun | **Datentyp** | **Primaerer Standort** | **Infrastruktur** | **Datenschutz** | | :--- | :--- | :--- | :--- | | **Eure Dateien** (Fotos etc.) | Nuernberg, Deutschland | S3 Object Storage (NBG1) | EU (DSGVO) | -| **Einstellungen & Freigaben** | Nuernberg, Deutschland | Replizierter PostgreSQL-Cluster | EU (DSGVO) | +| **Benutzerkonten & Metadaten** | Nuernberg, Deutschland | Lokaler persistenter Speicher auf Cluster-Nodes | EU (DSGVO) | | **Notfall-Datei-Backups** | Helsinki, Finnland | Storage Box Vault (HEL1) | EU (DSGVO) | -| **Datenbank-Backups** | Falkenstein, Deutschland | S3 Object Storage (FSN1) | EU (DSGVO) | ## 2. Technisches Setup & Zuverlaessigkeit Ich verwende einen modernen "Cloud-Native"-Stack, um alles stabil zu halten: -* **3-Node-Server-Cluster:** Die Nextcloud-App laeuft auf drei verschiedenen Server-Nodes. Ich halte immer mindestens zwei aktive Kopien am Laufen. Wenn ein Server abstuerzt, leitet das System eure Verbindung automatisch auf einen funktionierenden um. +* **3-Node-Server-Cluster:** Die oCIS-Anwendung laeuft als eine Reihe von Microservices auf drei verschiedenen Server-Nodes. Wenn ein Server abstuerzt, leitet das System eure Verbindung automatisch auf einen funktionierenden um. * **S3-Speicher-Redundanz:** Eure Dateien werden mittels "Erasure Coding" gespeichert. Das bedeutet, sie werden in Fragmente aufgeteilt und auf viele physische Festplatten verteilt. Das System kann den gleichzeitigen Ausfall von drei Festplatten verkraften, ohne ein einziges Byte eurer Daten zu verlieren. -* **SQL-Datenbank-Replikation:** Eure Kontoeinstellungen und Kalender werden von einem PostgreSQL-Cluster verwaltet. Dieser wird ueber mehrere Volumes gespiegelt, sodass ein einzelner Festplattenausfall euch nicht aus eurem Konto aussperrt. +* **Eigenstaendige Architektur:** Im Gegensatz zu traditionellen Setups benoetigt oCIS keine externe Datenbank. 
Benutzerkonten, Metadaten und Dateistruktur werden von integrierten Diensten mit eigenem persistentem Speicher verwaltet. ## 3. Die "Niemals unwiederbringlich verloren"-Garantie -Ich garantiere keine 100%ige Verfuegbarkeit (die Seite kann fuer Wartungsarbeiten oder bei einem groesseren Rechenzentrumsproblem offline gehen), aber ich befolge eine 3-Regionen-Sicherheitsregel, um Datenverlust zu verhindern: +Ich garantiere keine 100%ige Verfuegbarkeit (die Seite kann fuer Wartungsarbeiten oder bei einem groesseren Rechenzentrumsproblem offline gehen), aber ich befolge einen Multi-Regionen-Sicherheitsansatz, um Datenverlust zu verhindern: * **Taegliche Synchronisation nach Finnland:** Alle 24 Stunden spiegelt das System automatisch alle Dateien vom Nuernberger Speicher auf eine separate **Storage Box** in Helsinki. -* **Datenbank-Dumps:** Jeden Tag exportiere ich einen komprimierten SQL-Dump der Datenbank und speichere ihn in einem anderen S3-Bucket in Falkenstein. - * **Unveraenderbare Snapshots:** Der Backup-Vault in Helsinki verwendet "Snapshots". Das sind schreibgeschuetzte Versionen der Vergangenheit. Wenn ein Fehler versehentlich etwas loescht, kann ich den Speicher auf den Zustand von gestern "zuruecksetzen". ## 4. Technologien, die ich verwende Falls ihr neugierig seid, welche konkreten Tools ich zum Betrieb verwende, hier ist der Tech-Stack: -* [**Nextcloud**](https://nextcloud.com/): Die zentrale Kollaborationsplattform fuer eure Dateien, Kontakte und Kalender. +* [**oCIS (ownCloud Infinite Scale)**](https://owncloud.dev/ocis/): Die zentrale Datei-Sync- und Share-Plattform fuer eure Dateien. Eine moderne, eigenstaendige Go-Anwendung. * [**Kubernetes**](https://kubernetes.io/): Das "Gehirn", das meinen 3-Node-Cluster verwaltet und sicherstellt, dass die Apps weiterlaufen. -* [**PostgreSQL**](https://www.postgresql.org/): Die Hochleistungs-Datenbank-Engine, die alle Kontoeinstellungen und Metadaten speichert. 
- * [**Hetzner**](https://www.hetzner.com/): Der deutsche Cloud-Anbieter, bei dem alle physischen Server stehen. - * [**Object Storage (S3)**](https://www.hetzner.com/de/storage/object-storage/): Der spezielle Hochverfuegbarkeits-Speicherdienst fuer eure eigentlichen Dateien in Nuernberg und Backups in Falkenstein. + * [**Object Storage (S3)**](https://www.hetzner.com/de/storage/object-storage/): Der spezielle Hochverfuegbarkeits-Speicherdienst fuer eure eigentlichen Dateien in Nuernberg. * [**Storage Box**](https://www.hetzner.com/storage/storage-box/): Der unabhaengige Speicher-Vault in Helsinki fuer die taeglichen Datei-Spiegelungen und Snapshots. @@ -58,10 +53,9 @@ Die folgende Tabelle zeigt die gesamten monatlichen Kosten fuer das komplette Se | **Komponente** | **Beschreibung** | **Kosten (ca.)** | | :--- | :--- | :--- | | **Server (Nodes)** | 3x Cloud-Instanzen (**CAX11 ARM64**) | \~13,50 EUR | -| **PostgreSQL-Volumes** | Hochgeschwindigkeits-Blockspeicher fuer Datenbank-Replikation | \~2,00 EUR | -| **S3 Object Storage** | Primaerspeicher (NBG1) & DB-Backups (FSN1) | \~7,72 EUR\* | +| **S3 Object Storage** | Primaerer Dateispeicher (NBG1) | \~7,72 EUR\* | | **Storage Box** | 1 TB Backup-Vault in Helsinki (BX11) | \~3,81 EUR | -| **GESAMT** | **Kombinierte Plattformkosten** | **\~27,03 EUR** | +| **GESAMT** | **Kombinierte Plattformkosten** | **\~25,03 EUR** | *\*Der S3-Grundpreis beinhaltet das erste 1 TB Speicher und 1 TB Egress-Traffic. Bei Ueberschreitung gelten nutzungsbasierte Preise (ca. 7,74 EUR pro zusaetzlichem TB).* 
@@ -81,6 +75,6 @@ Die folgende Tabelle zeigt die gesamten monatlichen Kosten fuer das komplette Se | :--- | :--- | :--- | | **Ein einzelner Server faellt aus** | Nichts / Minimale Verzoegerung | Automatische Umleitung auf einen funktionierenden Server-Node. | | **Ihr loescht versehentlich eine Datei** | Sie ist weg | Ich kann versuchen, sie aus dem 24h-Helsinki-Snapshot-Vault wiederherzustellen. | -| **Groessere Rechenzentrums-Katastrophe** | Seite geht offline | Ich baue das Setup in einer neuen Region mithilfe der SQL-Dumps und Datei-Spiegelungen neu auf. | +| **Groessere Rechenzentrums-Katastrophe** | Seite geht offline | Ich baue das Setup in einer neuen Region mithilfe der S3-Daten und Datei-Spiegelungen neu auf. | *Ich aktualisiere dieses Dokument, wenn ich die Hardware oder Backup-Routine aendere. Letzte Aktualisierung: April 2026.* diff --git a/prototypes/ocis/helm/ocis.yaml b/prototypes/ocis/helm/ocis.yaml index b5485e3..adda280 100644 --- a/prototypes/ocis/helm/ocis.yaml +++ b/prototypes/ocis/helm/ocis.yaml @@ -15,7 +15,25 @@ features: emailNotifications: enabled: false +resources: + requests: + memory: 64Mi + cpu: 10m + secretRefs: + adminUserSecretRef: ocis-admin-user + idpSecretRef: ocis-idp-secrets + jwtSecretRef: ocis-jwt-secret + ldapSecretRef: ocis-ldap-bind-secrets + ldapCaRef: ocis-ldap-ca + ldapCertRef: ocis-ldap-cert + machineAuthApiKeySecretRef: ocis-machine-auth-api-key + storagesystemJwtSecretRef: ocis-storage-system-jwt-secret + storagesystemSecretRef: ocis-storage-system + thumbnailsSecretRef: ocis-thumbnails-transfer-secret + transferSecretSecretRef: ocis-transfer-secret + serviceAccountSecretRef: ocis-service-account-secret + collaborationWopiSecret: ocis-collaboration-wopi-secret s3CredentialsSecretRef: ocis-s3-credentials services: @@ -51,6 +69,10 @@ services: - ReadWriteOnce nats: + resources: + requests: + memory: 96Mi + cpu: 10m persistence: enabled: true storageClassName: local-path 
@@ -74,7 +96,16 @@ services: accessModes: - ReadWriteOnce + proxy: + resources: + requests: + memory: 96Mi + cpu: 10m thumbnails: + resources: + requests: + memory: 96Mi + cpu: 10m persistence: enabled: true storageClassName: local-path diff --git a/prototypes/ocis/ytt/s3-secret-job.ytt.yaml b/prototypes/ocis/ytt/s3-secret-job.ytt.yaml index 280afc9..02863a5 100644 --- a/prototypes/ocis/ytt/s3-secret-job.ytt.yaml +++ b/prototypes/ocis/ytt/s3-secret-job.ytt.yaml @@ -8,6 +8,9 @@ kind: ServiceAccount metadata: name: ocis-secret-init namespace: #@ ns + annotations: + argocd.argoproj.io/hook: PreSync + argocd.argoproj.io/sync-wave: "-2" --- apiVersion: rbac.authorization.k8s.io/v1 @@ -15,6 +18,9 @@ kind: Role metadata: name: ocis-secret-init namespace: #@ ns + annotations: + argocd.argoproj.io/hook: PreSync + argocd.argoproj.io/sync-wave: "-2" rules: - apiGroups: [""] resources: ["secrets"] @@ -26,6 +32,9 @@ kind: RoleBinding metadata: name: ocis-secret-init namespace: #@ ns + annotations: + argocd.argoproj.io/hook: PreSync + argocd.argoproj.io/sync-wave: "-2" subjects: - kind: ServiceAccount name: ocis-secret-init @@ -42,6 +51,8 @@ metadata: name: ocis-secret-init namespace: #@ ns annotations: + argocd.argoproj.io/hook: PreSync + argocd.argoproj.io/sync-wave: "-1" argocd.argoproj.io/sync-options: Replace=true spec: ttlSecondsAfterFinished: 300 
@@ -58,18 +69,107 @@ spec: - | set -e - SECRET_NAME="ocis-s3-credentials" + apk add --no-cache openssl >/dev/null 2>&1 - if ! kubectl get secret "${SECRET_NAME}" -n ${NAMESPACE} >/dev/null 2>&1; then - echo "ERROR: Secret ${SECRET_NAME} does not exist in namespace ${NAMESPACE}." - echo "Please create it manually with keys 'accessKey' and 'secretKey':" - echo " kubectl create secret generic ${SECRET_NAME} -n ${NAMESPACE} \\" - echo " --from-literal=accessKey= \\" - echo " --from-literal=secretKey=" + gen_random() { + head -c 32 /dev/urandom | base64 | tr -dc 'a-zA-Z0-9' | head -c "$1" + } + + gen_uuid() { + cat /proc/sys/kernel/random/uuid + } + + create_secret_if_missing() { + local name="$1" + shift + if kubectl get secret "$name" -n "${NAMESPACE}" >/dev/null 2>&1; then + echo "Secret $name already exists, skipping" + return + fi + kubectl create secret generic "$name" -n "${NAMESPACE}" "$@" + echo "Created secret $name" + } + + # Validate external secrets exist + if ! kubectl get secret ocis-s3-credentials -n "${NAMESPACE}" >/dev/null 2>&1; then + echo "ERROR: External secret ocis-s3-credentials must be created manually" exit 1 - else - echo "Secret ${SECRET_NAME} exists, OK" fi + + # Admin user + create_secret_if_missing ocis-admin-user \ + --from-literal=password="$(gen_random 32)" \ + --from-literal=user-id="$(gen_uuid)" + + # JWT secret + create_secret_if_missing ocis-jwt-secret \ + --from-literal=jwt-secret="$(gen_random 32)" + + # Machine auth API key + create_secret_if_missing ocis-machine-auth-api-key \ + --from-literal=machine-auth-api-key="$(gen_random 32)" + + # Storage system JWT secret + create_secret_if_missing ocis-storage-system-jwt-secret \ + --from-literal=storage-system-jwt-secret="$(gen_random 32)" + + # Storage system secret + create_secret_if_missing ocis-storage-system \ + --from-literal=api-key="$(gen_random 32)" \ + --from-literal=user-id="$(gen_uuid)" + + # Transfer secret + create_secret_if_missing ocis-transfer-secret \ + 
--from-literal=transfer-secret="$(gen_random 32)" + + # Thumbnails transfer secret + create_secret_if_missing ocis-thumbnails-transfer-secret \ + --from-literal=thumbnails-transfer-secret="$(gen_random 32)" + + # Service account secret + create_secret_if_missing ocis-service-account-secret \ + --from-literal=service-account-secret="$(gen_random 32)" + + # Collaboration WOPI secret + create_secret_if_missing ocis-collaboration-wopi-secret \ + --from-literal=wopi-secret="$(gen_random 32)" + + # LDAP bind secrets (three passwords for different bind users) + create_secret_if_missing ocis-ldap-bind-secrets \ + --from-literal=reva-ldap-bind-password="$(gen_random 32)" \ + --from-literal=idp-ldap-bind-password="$(gen_random 32)" \ + --from-literal=graph-ldap-bind-password="$(gen_random 32)" + + # IDP secret (encryption key + RSA private key) + create_secret_if_missing ocis-idp-secrets \ + --from-literal=encryption.key="$(gen_random 32)" \ + --from-literal=private-key.pem="$(openssl genrsa 4096 2>/dev/null)" + + # LDAP CA cert + key (self-signed) + if ! 
kubectl get secret ocis-ldap-ca -n "${NAMESPACE}" >/dev/null 2>&1; then + openssl req -x509 -newkey rsa:2048 -keyout /tmp/ldap-ca.key -out /tmp/ldap-ca.crt \ + -days 3650 -nodes -subj "/CN=ldap-ca" 2>/dev/null + kubectl create secret generic ocis-ldap-ca -n "${NAMESPACE}" \ + --from-file=ldap-ca.crt=/tmp/ldap-ca.crt + echo "Created secret ocis-ldap-ca" + + # LDAP server cert signed by the CA + printf "subjectAltName=DNS:idm" > /tmp/ldap-ext.cnf + openssl req -newkey rsa:2048 -keyout /tmp/ldap.key -out /tmp/ldap.csr \ + -nodes -subj "/CN=idm" -addext "subjectAltName=DNS:idm" 2>/dev/null + openssl x509 -req -in /tmp/ldap.csr -CA /tmp/ldap-ca.crt -CAkey /tmp/ldap-ca.key \ + -CAcreateserial -out /tmp/ldap.crt -days 3650 \ + -extfile /tmp/ldap-ext.cnf 2>/dev/null + kubectl create secret generic ocis-ldap-cert -n "${NAMESPACE}" \ + --from-file=ldap.crt=/tmp/ldap.crt \ + --from-file=ldap.key=/tmp/ldap.key + echo "Created secret ocis-ldap-cert" + rm -f /tmp/ldap-ca.key /tmp/ldap-ca.crt /tmp/ldap.key /tmp/ldap.crt /tmp/ldap.csr /tmp/ldap-ca.srl /tmp/ldap-ext.cnf + else + echo "Secret ocis-ldap-ca already exists, skipping LDAP certs" + fi + + echo "All secrets initialized successfully" env: - name: NAMESPACE valueFrom: diff --git a/rendered/envs/production/ocis/configmap-auth-service.yaml b/rendered/envs/production/ocis/configmap-auth-service.yaml index e38c65b..7d66f38 100644 --- a/rendered/envs/production/ocis/configmap-auth-service.yaml +++ b/rendered/envs/production/ocis/configmap-auth-service.yaml @@ -1,6 +1,6 @@ apiVersion: v1 data: - service-account-id: 46ec47ba-00e9-4114-950c-5743e5be4cee + service-account-id: 3ccdd552-d559-41f5-865c-2eb088c633e7 kind: ConfigMap metadata: annotations: diff --git a/rendered/envs/production/ocis/configmap-graph.yaml b/rendered/envs/production/ocis/configmap-graph.yaml index 9f92446..fe73679 100644 --- a/rendered/envs/production/ocis/configmap-graph.yaml +++ b/rendered/envs/production/ocis/configmap-graph.yaml 
@@ -1,6 +1,6 @@ apiVersion: v1 data: - application-id: 1160b6ab-f9d7-464e-96a3-f2a3568ce67f + application-id: c0c2b8df-3962-4255-bf1b-f0c8f49bbe59 kind: ConfigMap metadata: annotations: diff --git a/rendered/envs/production/ocis/configmap-storage-users.yaml b/rendered/envs/production/ocis/configmap-storage-users.yaml index 128007a..e4ce3b1 100644 --- a/rendered/envs/production/ocis/configmap-storage-users.yaml +++ b/rendered/envs/production/ocis/configmap-storage-users.yaml @@ -1,6 +1,6 @@ apiVersion: v1 data: - storage-uuid: e77de552-42dc-4d0d-ab83-2fdd35294451 + storage-uuid: 2948ada8-ec5b-44d5-b91f-b5f7c96d23c3 kind: ConfigMap metadata: annotations: diff --git a/rendered/envs/production/ocis/cronjob-storage-users-clean-expired-uploads.yaml b/rendered/envs/production/ocis/cronjob-storage-users-clean-expired-uploads.yaml index 65f496b..97bcfe7 100644 --- a/rendered/envs/production/ocis/cronjob-storage-users-clean-expired-uploads.yaml +++ b/rendered/envs/production/ocis/cronjob-storage-users-clean-expired-uploads.yaml @@ -70,12 +70,12 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: OCIS_TRANSFER_SECRET valueFrom: secretKeyRef: key: transfer-secret - name: transfer-secret + name: ocis-transfer-secret - name: STORAGE_USERS_MOUNT_ID valueFrom: configMapKeyRef: @@ -90,7 +90,7 @@ spec: valueFrom: secretKeyRef: key: service-account-secret - name: service-account-secret + name: ocis-service-account-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent name: storage-users-clean-expired-uploads diff --git a/rendered/envs/production/ocis/cronjob-storage-users-purge-expired-trash-bin-items.yaml b/rendered/envs/production/ocis/cronjob-storage-users-purge-expired-trash-bin-items.yaml index 909cc44..0485c10 100644 --- a/rendered/envs/production/ocis/cronjob-storage-users-purge-expired-trash-bin-items.yaml +++ b/rendered/envs/production/ocis/cronjob-storage-users-purge-expired-trash-bin-items.yaml 
@@ -51,12 +51,12 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: OCIS_TRANSFER_SECRET valueFrom: secretKeyRef: key: transfer-secret - name: transfer-secret + name: ocis-transfer-secret - name: STORAGE_USERS_MOUNT_ID valueFrom: configMapKeyRef: @@ -71,7 +71,7 @@ spec: valueFrom: secretKeyRef: key: service-account-secret - name: service-account-secret + name: ocis-service-account-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent name: storage-users-purge-expired-trash-bin-items diff --git a/rendered/envs/production/ocis/cronjob-storage-users-restart-postprocessing.yaml b/rendered/envs/production/ocis/cronjob-storage-users-restart-postprocessing.yaml index 996bfac..6907bc9 100644 --- a/rendered/envs/production/ocis/cronjob-storage-users-restart-postprocessing.yaml +++ b/rendered/envs/production/ocis/cronjob-storage-users-restart-postprocessing.yaml @@ -53,12 +53,12 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: OCIS_TRANSFER_SECRET valueFrom: secretKeyRef: key: transfer-secret - name: transfer-secret + name: ocis-transfer-secret - name: STORAGE_USERS_MOUNT_ID valueFrom: configMapKeyRef: @@ -73,7 +73,7 @@ spec: valueFrom: secretKeyRef: key: service-account-secret - name: service-account-secret + name: ocis-service-account-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent name: storage-users-restart-postprocessing diff --git a/rendered/envs/production/ocis/deployment-activitylog.yaml b/rendered/envs/production/ocis/deployment-activitylog.yaml index 199da6e..18b6bb5 100644 --- a/rendered/envs/production/ocis/deployment-activitylog.yaml +++ b/rendered/envs/production/ocis/deployment-activitylog.yaml 
@@ -79,12 +79,12 @@ spec: valueFrom: secretKeyRef: key: service-account-secret - name: service-account-secret + name: ocis-service-account-secret - name: ACTIVITYLOG_JWT_SECRET valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: @@ -101,7 +101,10 @@ spec: name: http - containerPort: 9197 name: metrics-debug - resources: {} + resources: + requests: + cpu: 10m + memory: 64Mi securityContext: readOnlyRootFilesystem: true runAsGroup: 1000 diff --git a/rendered/envs/production/ocis/deployment-appregistry.yaml b/rendered/envs/production/ocis/deployment-appregistry.yaml index b61f75a..0934d0c 100644 --- a/rendered/envs/production/ocis/deployment-appregistry.yaml +++ b/rendered/envs/production/ocis/deployment-appregistry.yaml @@ -68,7 +68,7 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: @@ -85,7 +85,10 @@ spec: name: grpc - containerPort: 9243 name: metrics-debug - resources: {} + resources: + requests: + cpu: 10m + memory: 64Mi securityContext: readOnlyRootFilesystem: true runAsGroup: 1000 diff --git a/rendered/envs/production/ocis/deployment-audit.yaml b/rendered/envs/production/ocis/deployment-audit.yaml index fe21188..d061c78 100644 --- a/rendered/envs/production/ocis/deployment-audit.yaml +++ b/rendered/envs/production/ocis/deployment-audit.yaml @@ -70,7 +70,10 @@ spec: ports: - containerPort: 9229 name: metrics-debug - resources: {} + resources: + requests: + cpu: 10m + memory: 64Mi securityContext: readOnlyRootFilesystem: true runAsGroup: 1000 diff --git a/rendered/envs/production/ocis/deployment-authmachine.yaml b/rendered/envs/production/ocis/deployment-authmachine.yaml index 96d6720..c3aa607 100644 --- a/rendered/envs/production/ocis/deployment-authmachine.yaml +++ b/rendered/envs/production/ocis/deployment-authmachine.yaml 
@@ -66,12 +66,12 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: AUTH_MACHINE_API_KEY valueFrom: secretKeyRef: key: machine-auth-api-key - name: machine-auth-api-key + name: ocis-machine-auth-api-key image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: @@ -88,7 +88,10 @@ spec: name: grpc - containerPort: 9167 name: metrics-debug - resources: {} + resources: + requests: + cpu: 10m + memory: 64Mi securityContext: readOnlyRootFilesystem: true runAsGroup: 1000 diff --git a/rendered/envs/production/ocis/deployment-authservice.yaml b/rendered/envs/production/ocis/deployment-authservice.yaml index 6697c28..c7daff0 100644 --- a/rendered/envs/production/ocis/deployment-authservice.yaml +++ b/rendered/envs/production/ocis/deployment-authservice.yaml @@ -66,7 +66,7 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: AUTH_SERVICE_SERVICE_ACCOUNT_ID valueFrom: configMapKeyRef: @@ -76,7 +76,7 @@ spec: valueFrom: secretKeyRef: key: service-account-secret - name: service-account-secret + name: ocis-service-account-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: @@ -93,7 +93,10 @@ spec: name: grpc - containerPort: 9617 name: metrics-debug - resources: {} + resources: + requests: + cpu: 10m + memory: 64Mi securityContext: readOnlyRootFilesystem: true runAsGroup: 1000 diff --git a/rendered/envs/production/ocis/deployment-clientlog.yaml b/rendered/envs/production/ocis/deployment-clientlog.yaml index bcbe37a..625d9d7 100644 --- a/rendered/envs/production/ocis/deployment-clientlog.yaml +++ b/rendered/envs/production/ocis/deployment-clientlog.yaml 
@@ -71,12 +71,12 @@ spec: valueFrom: secretKeyRef: key: service-account-secret - name: service-account-secret + name: ocis-service-account-secret - name: CLIENTLOG_JWT_SECRET valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: @@ -91,7 +91,10 @@ spec: ports: - containerPort: 9260 name: metrics-debug - resources: {} + resources: + requests: + cpu: 10m + memory: 64Mi securityContext: readOnlyRootFilesystem: true runAsGroup: 1000 diff --git a/rendered/envs/production/ocis/deployment-eventhistory.yaml b/rendered/envs/production/ocis/deployment-eventhistory.yaml index ce571f0..90b6e0f 100644 --- a/rendered/envs/production/ocis/deployment-eventhistory.yaml +++ b/rendered/envs/production/ocis/deployment-eventhistory.yaml @@ -76,7 +76,10 @@ spec: name: grpc - containerPort: 9270 name: metrics-debug - resources: {} + resources: + requests: + cpu: 10m + memory: 64Mi securityContext: readOnlyRootFilesystem: true runAsGroup: 1000 diff --git a/rendered/envs/production/ocis/deployment-frontend.yaml b/rendered/envs/production/ocis/deployment-frontend.yaml index d82ff6a..0cdbd6b 100644 --- a/rendered/envs/production/ocis/deployment-frontend.yaml +++ b/rendered/envs/production/ocis/deployment-frontend.yaml @@ -76,7 +76,7 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: FRONTEND_APP_HANDLER_INSECURE value: "false" - name: FRONTEND_ARCHIVER_INSECURE @@ -103,7 +103,7 @@ spec: valueFrom: secretKeyRef: key: machine-auth-api-key - name: machine-auth-api-key + name: ocis-machine-auth-api-key - name: FRONTEND_SERVICE_ACCOUNT_ID valueFrom: configMapKeyRef: 
@@ -113,12 +113,12 @@ spec: valueFrom: secretKeyRef: key: service-account-secret - name: service-account-secret + name: ocis-service-account-secret - name: OCIS_TRANSFER_SECRET valueFrom: secretKeyRef: key: transfer-secret - name: transfer-secret + name: ocis-transfer-secret - name: FRONTEND_AUTO_ACCEPT_SHARES value: "true" - name: FRONTEND_MAX_CONCURRENCY @@ -153,7 +153,10 @@ spec: name: http - containerPort: 9141 name: metrics-debug - resources: {} + resources: + requests: + cpu: 10m + memory: 64Mi securityContext: readOnlyRootFilesystem: true runAsGroup: 1000 diff --git a/rendered/envs/production/ocis/deployment-gateway.yaml b/rendered/envs/production/ocis/deployment-gateway.yaml index ec7e442..5b695b6 100644 --- a/rendered/envs/production/ocis/deployment-gateway.yaml +++ b/rendered/envs/production/ocis/deployment-gateway.yaml @@ -79,12 +79,12 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: OCIS_TRANSFER_SECRET valueFrom: secretKeyRef: key: transfer-secret - name: transfer-secret + name: ocis-transfer-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: @@ -101,7 +101,10 @@ spec: name: grpc - containerPort: 9143 name: metrics-debug - resources: {} + resources: + requests: + cpu: 10m + memory: 64Mi securityContext: readOnlyRootFilesystem: true runAsGroup: 1000 diff --git a/rendered/envs/production/ocis/deployment-graph.yaml b/rendered/envs/production/ocis/deployment-graph.yaml index b6fed78..3e94a57 100644 --- a/rendered/envs/production/ocis/deployment-graph.yaml +++ b/rendered/envs/production/ocis/deployment-graph.yaml @@ -84,7 +84,7 @@ spec: valueFrom: secretKeyRef: key: graph-ldap-bind-password - name: ldap-bind-secrets + name: ocis-ldap-bind-secrets - name: OCIS_SHOW_USER_EMAIL_IN_RESULTS value: "false" - name: GRAPH_APPLICATION_ID 
@@ -96,7 +96,7 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: OCIS_DEFAULT_LANGUAGE value: en - name: GRAPH_SERVICE_ACCOUNT_ID @@ -108,7 +108,7 @@ spec: valueFrom: secretKeyRef: key: service-account-secret - name: service-account-secret + name: ocis-service-account-secret - name: OCIS_ENABLE_OCM value: "false" image: owncloud/ocis:7.1.4 @@ -127,7 +127,10 @@ spec: name: http - containerPort: 9124 name: metrics-debug - resources: {} + resources: + requests: + cpu: 10m + memory: 64Mi securityContext: readOnlyRootFilesystem: true runAsGroup: 1000 @@ -149,4 +152,4 @@ spec: name: messaging-system-ca - name: ldap-ca secret: - secretName: ldap-ca + secretName: ocis-ldap-ca diff --git a/rendered/envs/production/ocis/deployment-groups.yaml b/rendered/envs/production/ocis/deployment-groups.yaml index dfd3878..18dd40c 100644 --- a/rendered/envs/production/ocis/deployment-groups.yaml +++ b/rendered/envs/production/ocis/deployment-groups.yaml @@ -70,14 +70,14 @@ spec: valueFrom: secretKeyRef: key: reva-ldap-bind-password - name: ldap-bind-secrets + name: ocis-ldap-bind-secrets - name: GROUPS_IDP_URL value: https://drive.tr1ceracop.de - name: GROUPS_JWT_SECRET valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: @@ -94,7 +94,10 @@ spec: name: grpc - containerPort: 9161 name: metrics-debug - resources: {} + resources: + requests: + cpu: 10m + memory: 64Mi securityContext: readOnlyRootFilesystem: true runAsGroup: 1000 @@ -115,4 +118,4 @@ spec: name: tmp-volume - name: ldap-ca secret: - secretName: ldap-ca + secretName: ocis-ldap-ca diff --git a/rendered/envs/production/ocis/deployment-idm.yaml b/rendered/envs/production/ocis/deployment-idm.yaml index 525ab51..b2a7e2f 100644 --- a/rendered/envs/production/ocis/deployment-idm.yaml +++ b/rendered/envs/production/ocis/deployment-idm.yaml 
@@ -67,27 +67,27 @@ spec: valueFrom: secretKeyRef: key: password - name: admin-user + name: ocis-admin-user - name: IDM_ADMIN_USER_ID valueFrom: secretKeyRef: key: user-id - name: admin-user + name: ocis-admin-user - name: IDM_SVC_PASSWORD valueFrom: secretKeyRef: key: graph-ldap-bind-password - name: ldap-bind-secrets + name: ocis-ldap-bind-secrets - name: IDM_REVASVC_PASSWORD valueFrom: secretKeyRef: key: reva-ldap-bind-password - name: ldap-bind-secrets + name: ocis-ldap-bind-secrets - name: IDM_IDPSVC_PASSWORD valueFrom: secretKeyRef: key: idp-ldap-bind-password - name: ldap-bind-secrets + name: ocis-ldap-bind-secrets - name: IDM_LDAPS_CERT value: /etc/ocis/ldap-cert/ldap.crt - name: IDM_LDAPS_KEY @@ -108,7 +108,10 @@ spec: name: ldaps - containerPort: 9239 name: metrics-debug - resources: {} + resources: + requests: + cpu: 10m + memory: 64Mi securityContext: readOnlyRootFilesystem: true runAsGroup: 1000 @@ -128,7 +131,10 @@ spec: image: busybox:stable imagePullPolicy: IfNotPresent name: init-dir - resources: {} + resources: + requests: + cpu: 10m + memory: 64Mi securityContext: readOnlyRootFilesystem: true runAsGroup: 1000 @@ -144,7 +150,7 @@ spec: volumes: - name: ldap-cert secret: - secretName: ldap-cert + secretName: ocis-ldap-cert - name: idm-data persistentVolumeClaim: claimName: idm-data diff --git a/rendered/envs/production/ocis/deployment-idp.yaml b/rendered/envs/production/ocis/deployment-idp.yaml index a6f893e..5170266 100644 --- a/rendered/envs/production/ocis/deployment-idp.yaml +++ b/rendered/envs/production/ocis/deployment-idp.yaml @@ -70,7 +70,7 @@ spec: valueFrom: secretKeyRef: key: idp-ldap-bind-password - name: ldap-bind-secrets + name: ocis-ldap-bind-secrets - name: IDP_SIGNING_PRIVATE_KEY_FILES value: /etc/ocis/idp/private-key.pem - name: IDP_ENCRYPTION_SECRET_FILE 
@@ -91,7 +91,10 @@ spec: name: http - containerPort: 9134 name: metrics-debug - resources: {} + resources: + requests: + cpu: 10m + memory: 64Mi securityContext: readOnlyRootFilesystem: true runAsGroup: 1000 @@ -115,7 +118,7 @@ spec: name: ocis-data-tmp - name: ldap-ca secret: - secretName: ldap-ca + secretName: ocis-ldap-ca - name: idp-secrets secret: - secretName: idp-secrets + secretName: ocis-idp-secrets diff --git a/rendered/envs/production/ocis/deployment-nats.yaml b/rendered/envs/production/ocis/deployment-nats.yaml index 66cced7..113eae8 100644 --- a/rendered/envs/production/ocis/deployment-nats.yaml +++ b/rendered/envs/production/ocis/deployment-nats.yaml @@ -65,7 +65,10 @@ spec: name: nats - containerPort: 9234 name: metrics-debug - resources: {} + resources: + requests: + cpu: 10m + memory: 96Mi securityContext: readOnlyRootFilesystem: true runAsGroup: 1000 diff --git a/rendered/envs/production/ocis/deployment-ocdav.yaml b/rendered/envs/production/ocis/deployment-ocdav.yaml index e2e82db..c46c633 100644 --- a/rendered/envs/production/ocis/deployment-ocdav.yaml +++ b/rendered/envs/production/ocis/deployment-ocdav.yaml @@ -74,12 +74,12 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: OCDAV_MACHINE_AUTH_API_KEY valueFrom: secretKeyRef: key: machine-auth-api-key - name: machine-auth-api-key + name: ocis-machine-auth-api-key image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: @@ -96,7 +96,10 @@ spec: name: http - containerPort: 9163 name: metrics-debug - resources: {} + resources: + requests: + cpu: 10m + memory: 64Mi securityContext: readOnlyRootFilesystem: true runAsGroup: 1000 diff --git a/rendered/envs/production/ocis/deployment-ocs.yaml b/rendered/envs/production/ocis/deployment-ocs.yaml index bc53131..c38f790 100644 --- a/rendered/envs/production/ocis/deployment-ocs.yaml +++ b/rendered/envs/production/ocis/deployment-ocs.yaml 
@@ -76,7 +76,7 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: @@ -93,7 +93,10 @@ spec: name: http - containerPort: 9114 name: metrics-debug - resources: {} + resources: + requests: + cpu: 10m + memory: 64Mi securityContext: readOnlyRootFilesystem: true runAsGroup: 1000 diff --git a/rendered/envs/production/ocis/deployment-postprocessing.yaml b/rendered/envs/production/ocis/deployment-postprocessing.yaml index 0f2eccf..630905c 100644 --- a/rendered/envs/production/ocis/deployment-postprocessing.yaml +++ b/rendered/envs/production/ocis/deployment-postprocessing.yaml @@ -74,7 +74,10 @@ spec: ports: - containerPort: 9255 name: metrics-debug - resources: {} + resources: + requests: + cpu: 10m + memory: 64Mi securityContext: readOnlyRootFilesystem: true runAsGroup: 1000 diff --git a/rendered/envs/production/ocis/deployment-proxy.yaml b/rendered/envs/production/ocis/deployment-proxy.yaml index 0dea1e6..efbae0c 100644 --- a/rendered/envs/production/ocis/deployment-proxy.yaml +++ b/rendered/envs/production/ocis/deployment-proxy.yaml @@ -82,12 +82,12 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: PROXY_MACHINE_AUTH_API_KEY valueFrom: secretKeyRef: key: machine-auth-api-key - name: machine-auth-api-key + name: ocis-machine-auth-api-key - name: PROXY_SERVICE_ACCOUNT_ID valueFrom: configMapKeyRef: @@ -97,7 +97,7 @@ spec: valueFrom: secretKeyRef: key: service-account-secret - name: service-account-secret + name: ocis-service-account-secret - name: PROXY_CSP_CONFIG_FILE_LOCATION value: /etc/ocis/csp.yaml - name: PROXY_AUTOPROVISION_ACCOUNTS @@ -118,7 +118,10 @@ spec: name: http - containerPort: 9205 name: metrics-debug - resources: {} + resources: + requests: + cpu: 10m + memory: 96Mi securityContext: readOnlyRootFilesystem: true runAsGroup: 1000 
diff --git a/rendered/envs/production/ocis/deployment-search.yaml b/rendered/envs/production/ocis/deployment-search.yaml index 97130e7..e8022da 100644 --- a/rendered/envs/production/ocis/deployment-search.yaml +++ b/rendered/envs/production/ocis/deployment-search.yaml @@ -69,7 +69,7 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: SEARCH_SERVICE_ACCOUNT_ID valueFrom: configMapKeyRef: @@ -79,7 +79,7 @@ spec: valueFrom: secretKeyRef: key: service-account-secret - name: service-account-secret + name: ocis-service-account-secret - name: OCIS_ASYNC_UPLOADS value: "true" image: owncloud/ocis:7.1.4 @@ -98,7 +98,10 @@ spec: name: grpc - containerPort: 9224 name: metrics-debug - resources: {} + resources: + requests: + cpu: 10m + memory: 64Mi securityContext: readOnlyRootFilesystem: true runAsGroup: 1000 diff --git a/rendered/envs/production/ocis/deployment-settings.yaml b/rendered/envs/production/ocis/deployment-settings.yaml index 257fff9..6b9df5e 100644 --- a/rendered/envs/production/ocis/deployment-settings.yaml +++ b/rendered/envs/production/ocis/deployment-settings.yaml @@ -80,12 +80,12 @@ spec: valueFrom: secretKeyRef: key: user-id - name: admin-user + name: ocis-admin-user - name: SETTINGS_JWT_SECRET valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: SETTINGS_SERVICE_ACCOUNT_IDS valueFrom: configMapKeyRef: @@ -95,12 +95,12 @@ spec: valueFrom: secretKeyRef: key: api-key - name: storage-system + name: ocis-storage-system - name: OCIS_SYSTEM_USER_ID valueFrom: secretKeyRef: key: user-id - name: storage-system + name: ocis-storage-system image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: @@ -119,7 +119,10 @@ spec: name: grpc - containerPort: 9194 name: metrics-debug - resources: {} + resources: + requests: + cpu: 10m + memory: 64Mi securityContext: readOnlyRootFilesystem: true runAsGroup: 1000 
diff --git a/rendered/envs/production/ocis/deployment-sharing.yaml b/rendered/envs/production/ocis/deployment-sharing.yaml index 389c9e8..246682d 100644 --- a/rendered/envs/production/ocis/deployment-sharing.yaml +++ b/rendered/envs/production/ocis/deployment-sharing.yaml @@ -68,7 +68,7 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD value: "false" - name: SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD @@ -91,24 +91,24 @@ spec: valueFrom: secretKeyRef: key: api-key - name: storage-system + name: ocis-storage-system - name: SHARING_USER_JSONCS3_SYSTEM_USER_ID valueFrom: secretKeyRef: key: user-id - name: storage-system + name: ocis-storage-system - name: SHARING_PUBLIC_DRIVER value: jsoncs3 - name: SHARING_PUBLIC_JSONCS3_SYSTEM_USER_API_KEY valueFrom: secretKeyRef: key: api-key - name: storage-system + name: ocis-storage-system - name: SHARING_PUBLIC_JSONCS3_SYSTEM_USER_ID valueFrom: secretKeyRef: key: user-id - name: storage-system + name: ocis-storage-system - name: SHARING_USER_JSONCS3_MAX_CONCURRENCY value: "20" image: owncloud/ocis:7.1.4 @@ -127,7 +127,10 @@ spec: name: grpc - containerPort: 9151 name: metrics-debug - resources: {} + resources: + requests: + cpu: 10m + memory: 64Mi securityContext: readOnlyRootFilesystem: true runAsGroup: 1000 diff --git a/rendered/envs/production/ocis/deployment-sse.yaml b/rendered/envs/production/ocis/deployment-sse.yaml index 19c59f4..77aae6a 100644 --- a/rendered/envs/production/ocis/deployment-sse.yaml +++ b/rendered/envs/production/ocis/deployment-sse.yaml @@ -72,7 +72,7 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: 
@@ -89,7 +89,10 @@ spec: name: http - containerPort: 9135 name: metrics-debug - resources: {} + resources: + requests: + cpu: 10m + memory: 64Mi securityContext: readOnlyRootFilesystem: true runAsGroup: 1000 diff --git a/rendered/envs/production/ocis/deployment-storagepubliclink.yaml b/rendered/envs/production/ocis/deployment-storagepubliclink.yaml index 69bab8c..148e1cc 100644 --- a/rendered/envs/production/ocis/deployment-storagepubliclink.yaml +++ b/rendered/envs/production/ocis/deployment-storagepubliclink.yaml @@ -70,7 +70,7 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: @@ -87,7 +87,10 @@ spec: name: grpc - containerPort: 9179 name: metrics-debug - resources: {} + resources: + requests: + cpu: 10m + memory: 64Mi securityContext: readOnlyRootFilesystem: true runAsGroup: 1000 diff --git a/rendered/envs/production/ocis/deployment-storageshares.yaml b/rendered/envs/production/ocis/deployment-storageshares.yaml index 5b9b60b..a399d0b 100644 --- a/rendered/envs/production/ocis/deployment-storageshares.yaml +++ b/rendered/envs/production/ocis/deployment-storageshares.yaml @@ -66,7 +66,7 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: @@ -83,7 +83,10 @@ spec: name: grpc - containerPort: 9156 name: metrics-debug - resources: {} + resources: + requests: + cpu: 10m + memory: 64Mi securityContext: readOnlyRootFilesystem: true runAsGroup: 1000 diff --git a/rendered/envs/production/ocis/deployment-storagesystem.yaml b/rendered/envs/production/ocis/deployment-storagesystem.yaml index fad7e5f..77a5ec5 100644 --- a/rendered/envs/production/ocis/deployment-storagesystem.yaml +++ b/rendered/envs/production/ocis/deployment-storagesystem.yaml 
@@ -78,17 +78,17 @@ spec: valueFrom: secretKeyRef: key: storage-system-jwt-secret - name: storage-system-jwt-secret + name: ocis-storage-system-jwt-secret - name: OCIS_SYSTEM_USER_API_KEY valueFrom: secretKeyRef: key: api-key - name: storage-system + name: ocis-storage-system - name: OCIS_SYSTEM_USER_ID valueFrom: secretKeyRef: key: user-id - name: storage-system + name: ocis-storage-system image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: @@ -107,7 +107,10 @@ spec: name: http - containerPort: 9217 name: metrics-debug - resources: {} + resources: + requests: + cpu: 10m + memory: 64Mi securityContext: readOnlyRootFilesystem: true runAsGroup: 1000 diff --git a/rendered/envs/production/ocis/deployment-storageusers.yaml b/rendered/envs/production/ocis/deployment-storageusers.yaml index 66d97cf..dfc7416 100644 --- a/rendered/envs/production/ocis/deployment-storageusers.yaml +++ b/rendered/envs/production/ocis/deployment-storageusers.yaml @@ -125,7 +125,7 @@ spec: valueFrom: secretKeyRef: key: service-account-secret - name: service-account-secret + name: ocis-service-account-secret - name: STORAGE_USERS_STAT_CACHE_STORE value: noop - name: STORAGE_USERS_MOUNT_ID @@ -137,12 +137,12 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: OCIS_TRANSFER_SECRET valueFrom: secretKeyRef: key: transfer-secret - name: transfer-secret + name: ocis-transfer-secret - name: OCIS_ASYNC_UPLOADS value: "true" - name: STORAGE_USERS_EVENTS_NUM_CONSUMERS @@ -167,7 +167,10 @@ spec: name: http - containerPort: 9159 name: metrics-debug - resources: {} + resources: + requests: + cpu: 10m + memory: 64Mi securityContext: readOnlyRootFilesystem: true runAsGroup: 1000 diff --git a/rendered/envs/production/ocis/deployment-thumbnails.yaml b/rendered/envs/production/ocis/deployment-thumbnails.yaml index 9a26502..986986b 100644 --- a/rendered/envs/production/ocis/deployment-thumbnails.yaml 
+++ b/rendered/envs/production/ocis/deployment-thumbnails.yaml @@ -84,7 +84,7 @@ spec: valueFrom: secretKeyRef: key: thumbnails-transfer-secret - name: thumbnails-transfer-secret + name: ocis-thumbnails-transfer-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: @@ -103,7 +103,10 @@ spec: name: http - containerPort: 9189 name: metrics-debug - resources: {} + resources: + requests: + cpu: 10m + memory: 96Mi securityContext: readOnlyRootFilesystem: true runAsGroup: 1000 diff --git a/rendered/envs/production/ocis/deployment-userlog.yaml b/rendered/envs/production/ocis/deployment-userlog.yaml index 1fd4f27..c91c7d1 100644 --- a/rendered/envs/production/ocis/deployment-userlog.yaml +++ b/rendered/envs/production/ocis/deployment-userlog.yaml @@ -73,12 +73,12 @@ spec: valueFrom: secretKeyRef: key: service-account-secret - name: service-account-secret + name: ocis-service-account-secret - name: USERLOG_JWT_SECRET valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: USERLOG_MAX_CONCURRENCY value: "1" image: owncloud/ocis:7.1.4 @@ -97,7 +97,10 @@ spec: name: http - containerPort: 9210 name: metrics-debug - resources: {} + resources: + requests: + cpu: 10m + memory: 64Mi securityContext: readOnlyRootFilesystem: true runAsGroup: 1000 diff --git a/rendered/envs/production/ocis/deployment-users.yaml b/rendered/envs/production/ocis/deployment-users.yaml index a6fce3a..80948ef 100644 --- a/rendered/envs/production/ocis/deployment-users.yaml +++ b/rendered/envs/production/ocis/deployment-users.yaml @@ -70,14 +70,14 @@ spec: valueFrom: secretKeyRef: key: reva-ldap-bind-password - name: ldap-bind-secrets + name: ocis-ldap-bind-secrets - name: USERS_IDP_URL value: https://drive.tr1ceracop.de - name: USERS_JWT_SECRET valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: 
@@ -94,7 +94,10 @@ spec: name: grpc - containerPort: 9145 name: metrics-debug - resources: {} + resources: + requests: + cpu: 10m + memory: 64Mi securityContext: readOnlyRootFilesystem: true runAsGroup: 1000 @@ -115,4 +118,4 @@ spec: name: tmp-volume - name: ldap-ca secret: - secretName: ldap-ca + secretName: ocis-ldap-ca diff --git a/rendered/envs/production/ocis/deployment-web.yaml b/rendered/envs/production/ocis/deployment-web.yaml index a5e7545..fb1bdb0 100644 --- a/rendered/envs/production/ocis/deployment-web.yaml +++ b/rendered/envs/production/ocis/deployment-web.yaml @@ -88,7 +88,7 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: @@ -105,7 +105,10 @@ spec: name: http - containerPort: 9104 name: metrics-debug - resources: {} + resources: + requests: + cpu: 10m + memory: 64Mi securityContext: readOnlyRootFilesystem: true runAsGroup: 1000 diff --git a/rendered/envs/production/ocis/deployment-webdav.yaml b/rendered/envs/production/ocis/deployment-webdav.yaml index 8104fcf..4507889 100644 --- a/rendered/envs/production/ocis/deployment-webdav.yaml +++ b/rendered/envs/production/ocis/deployment-webdav.yaml @@ -82,7 +82,10 @@ spec: name: http - containerPort: 9119 name: metrics-debug - resources: {} + resources: + requests: + cpu: 10m + memory: 64Mi securityContext: readOnlyRootFilesystem: true runAsGroup: 1000 diff --git a/rendered/envs/production/ocis/deployment-webfinger.yaml b/rendered/envs/production/ocis/deployment-webfinger.yaml index 6aaf363..8464312 100644 --- a/rendered/envs/production/ocis/deployment-webfinger.yaml +++ b/rendered/envs/production/ocis/deployment-webfinger.yaml @@ -86,7 +86,10 @@ spec: name: http - containerPort: 8081 name: metrics-debug - resources: {} + resources: + requests: + cpu: 10m + memory: 64Mi securityContext: readOnlyRootFilesystem: true runAsGroup: 1000 
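Review bot: the `secretKeyRef` renames across the deployment hunks (`jwt-secret` → `ocis-jwt-secret`, `ldap-bind-secrets` → `ocis-ldap-bind-secrets`, `storage-system` → `ocis-storage-system`, `ldap-ca` → `ocis-ldap-ca`, and so on) carry no `optional: true`, so a pod stays in CreateContainerConfigError until the PreSync job has created the secret; that fail-closed behaviour is the right default, but the old Secrets (`jwt-secret`, `admin-user`, `ldap-bind-secrets`, `machine-auth-api-key`, ...) stay in the namespace until pruned and still hold the values that were committed to git, so delete them explicitly after the rollout. Separately, every new `resources:` block adds `requests` only (`cpu: 10m`, `memory: 64Mi` or `96Mi`) with no `limits`, which leaves all pods Burstable with no memory ceiling; if that is intended, fine, otherwise add `limits.memory` alongside the requests.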
diff --git a/rendered/envs/production/ocis/job-ocis-secret-init.yaml b/rendered/envs/production/ocis/job-ocis-secret-init.yaml index 3af091c..a3ac4dc 100644 --- a/rendered/envs/production/ocis/job-ocis-secret-init.yaml +++ b/rendered/envs/production/ocis/job-ocis-secret-init.yaml @@ -3,7 +3,9 @@ kind: Job metadata: annotations: a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + argocd.argoproj.io/hook: PreSync argocd.argoproj.io/sync-options: Replace=true + argocd.argoproj.io/sync-wave: "-1" name: ocis-secret-init namespace: ocis spec: 
@@ -16,18 +18,107 @@ spec: - | set -e - SECRET_NAME="ocis-s3-credentials" + apk add --no-cache openssl >/dev/null 2>&1 - if ! kubectl get secret "${SECRET_NAME}" -n ${NAMESPACE} >/dev/null 2>&1; then - echo "ERROR: Secret ${SECRET_NAME} does not exist in namespace ${NAMESPACE}." - echo "Please create it manually with keys 'accessKey' and 'secretKey':" - echo " kubectl create secret generic ${SECRET_NAME} -n ${NAMESPACE} \\" - echo " --from-literal=accessKey= \\" - echo " --from-literal=secretKey=" + gen_random() { + head -c 32 /dev/urandom | base64 | tr -dc 'a-zA-Z0-9' | head -c "$1" + } + + gen_uuid() { + cat /proc/sys/kernel/random/uuid + } + + create_secret_if_missing() { + local name="$1" + shift + if kubectl get secret "$name" -n "${NAMESPACE}" >/dev/null 2>&1; then + echo "Secret $name already exists, skipping" + return + fi + kubectl create secret generic "$name" -n "${NAMESPACE}" "$@" + echo "Created secret $name" + } + + # Validate external secrets exist + if ! kubectl get secret ocis-s3-credentials -n "${NAMESPACE}" >/dev/null 2>&1; then + echo "ERROR: External secret ocis-s3-credentials must be created manually" exit 1 - else - echo "Secret ${SECRET_NAME} exists, OK" fi + + # Admin user + create_secret_if_missing ocis-admin-user \ + --from-literal=password="$(gen_random 32)" \ + --from-literal=user-id="$(gen_uuid)" + + # JWT secret + create_secret_if_missing ocis-jwt-secret \ + --from-literal=jwt-secret="$(gen_random 32)" + + # Machine auth API key + create_secret_if_missing ocis-machine-auth-api-key \ + --from-literal=machine-auth-api-key="$(gen_random 32)" + + # Storage system JWT secret + create_secret_if_missing ocis-storage-system-jwt-secret \ + --from-literal=storage-system-jwt-secret="$(gen_random 32)" + + # Storage system secret + create_secret_if_missing ocis-storage-system \ + --from-literal=api-key="$(gen_random 32)" \ + --from-literal=user-id="$(gen_uuid)" + + # Transfer secret + create_secret_if_missing ocis-transfer-secret \ + 
--from-literal=transfer-secret="$(gen_random 32)" + + # Thumbnails transfer secret + create_secret_if_missing ocis-thumbnails-transfer-secret \ + --from-literal=thumbnails-transfer-secret="$(gen_random 32)" + + # Service account secret + create_secret_if_missing ocis-service-account-secret \ + --from-literal=service-account-secret="$(gen_random 32)" + + # Collaboration WOPI secret + create_secret_if_missing ocis-collaboration-wopi-secret \ + --from-literal=wopi-secret="$(gen_random 32)" + + # LDAP bind secrets (three passwords for different bind users) + create_secret_if_missing ocis-ldap-bind-secrets \ + --from-literal=reva-ldap-bind-password="$(gen_random 32)" \ + --from-literal=idp-ldap-bind-password="$(gen_random 32)" \ + --from-literal=graph-ldap-bind-password="$(gen_random 32)" + + # IDP secret (encryption key + RSA private key) + create_secret_if_missing ocis-idp-secrets \ + --from-literal=encryption.key="$(gen_random 32)" \ + --from-literal=private-key.pem="$(openssl genrsa 4096 2>/dev/null)" + + # LDAP CA cert + key (self-signed) + if ! 
kubectl get secret ocis-ldap-ca -n "${NAMESPACE}" >/dev/null 2>&1; then + openssl req -x509 -newkey rsa:2048 -keyout /tmp/ldap-ca.key -out /tmp/ldap-ca.crt \ + -days 3650 -nodes -subj "/CN=ldap-ca" 2>/dev/null + kubectl create secret generic ocis-ldap-ca -n "${NAMESPACE}" \ + --from-file=ldap-ca.crt=/tmp/ldap-ca.crt + echo "Created secret ocis-ldap-ca" + + # LDAP server cert signed by the CA + printf "subjectAltName=DNS:idm" > /tmp/ldap-ext.cnf + openssl req -newkey rsa:2048 -keyout /tmp/ldap.key -out /tmp/ldap.csr \ + -nodes -subj "/CN=idm" -addext "subjectAltName=DNS:idm" 2>/dev/null + openssl x509 -req -in /tmp/ldap.csr -CA /tmp/ldap-ca.crt -CAkey /tmp/ldap-ca.key \ + -CAcreateserial -out /tmp/ldap.crt -days 3650 \ + -extfile /tmp/ldap-ext.cnf 2>/dev/null + kubectl create secret generic ocis-ldap-cert -n "${NAMESPACE}" \ + --from-file=ldap.crt=/tmp/ldap.crt \ + --from-file=ldap.key=/tmp/ldap.key + echo "Created secret ocis-ldap-cert" + rm -f /tmp/ldap-ca.key /tmp/ldap-ca.crt /tmp/ldap.key /tmp/ldap.crt /tmp/ldap.csr /tmp/ldap-ca.srl /tmp/ldap-ext.cnf + else + echo "Secret ocis-ldap-ca already exists, skipping LDAP certs" + fi + + echo "All secrets initialized successfully" env: - name: NAMESPACE valueFrom: diff --git a/rendered/envs/production/ocis/role-ocis-secret-init.yaml b/rendered/envs/production/ocis/role-ocis-secret-init.yaml index cd5b69b..d7369c5 100644 --- a/rendered/envs/production/ocis/role-ocis-secret-init.yaml +++ b/rendered/envs/production/ocis/role-ocis-secret-init.yaml @@ -3,6 +3,8 @@ kind: Role metadata: annotations: a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + argocd.argoproj.io/hook: PreSync + argocd.argoproj.io/sync-wave: "-2" name: ocis-secret-init namespace: ocis rules: diff --git a/rendered/envs/production/ocis/rolebinding-ocis-secret-init.yaml b/rendered/envs/production/ocis/rolebinding-ocis-secret-init.yaml index 93d3e50..81aad86 100644 
--- a/rendered/envs/production/ocis/rolebinding-ocis-secret-init.yaml +++ b/rendered/envs/production/ocis/rolebinding-ocis-secret-init.yaml @@ -3,6 +3,8 @@ kind: RoleBinding metadata: annotations: a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + argocd.argoproj.io/hook: PreSync + argocd.argoproj.io/sync-wave: "-2" name: ocis-secret-init namespace: ocis roleRef: diff --git a/rendered/envs/production/ocis/secret-admin-user.yaml b/rendered/envs/production/ocis/secret-admin-user.yaml deleted file mode 100644 index a7df7a2..0000000 --- a/rendered/envs/production/ocis/secret-admin-user.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -data: - password: YlpRdWlYYVdXZXhJRzI3cE5BMzR6RWVMajFLVzBr - user-id: NzE4ZTlmOTEtNmU3ZS00ZDMwLWE0MjktODcxMmQ4NDU1ODZl -kind: Secret -metadata: - annotations: - a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git - labels: null - name: admin-user - namespace: ocis diff --git a/rendered/envs/production/ocis/secret-collaboration-wopi-secret.yaml b/rendered/envs/production/ocis/secret-collaboration-wopi-secret.yaml deleted file mode 100644 index 0c19b12..0000000 --- a/rendered/envs/production/ocis/secret-collaboration-wopi-secret.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -data: - wopi-secret: T1FDSW0wNmZ3bWJldFpta0JwU29td2FRU3lkMk4x -kind: Secret -metadata: - annotations: - a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git - labels: null - name: collaboration-wopi-secret - namespace: ocis diff --git a/rendered/envs/production/ocis/secret-idp-secrets.yaml b/rendered/envs/production/ocis/secret-idp-secrets.yaml deleted file mode 100644 index cc46efb..0000000 --- a/rendered/envs/production/ocis/secret-idp-secrets.yaml +++ /dev/null 
@@ -1,11 +0,0 @@ -apiVersion: v1 -data: - encryption.key: LktHOEQ0U1JpTmEofERhYi9EMjBKbWEzYDRmJkVaJlg= - private-key.pem: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS0FJQkFBS0NBZ0VBdm5BTUxGMW1JUzd3M0pETEhPeCtMUjY5U2hCSUxReXorQXFkN0d1TUNlcytzKzFlCkVORHVQRW85VE5iZVJHdzBtbjVWMU9iY2lPSG1CaFlSMjh6UHl4RFhmZUhuWVFpczl0cFFUQ3hhNmJPTDcwOFIKd2JDdkM3eW53QURQU05kRUFUbFNDR3NBbTZJaHpOZUhOc3ZUVlZCVU03NDhWd3lmT1F2MU1lQnN2MDlDOWxIVAovb2xpU1RQbkhIeEZXUFVZOHJ0QTEvRzM2cnJCaGtLYkhKWnd2S242Vi9jdXNnbDVZMHQzNmdCMEYyMlkrd0ppCjU3ejZEdGQ1SWo0VEtSNWVEN1dGM0ZsamYrWElGQVNPVFRJUEtUcWRQZTQ5TFcvaWxwMVlnZXdQTnBiSWwrTy8KZ3pwQ0o1ZUlzMlhIYmVnRFRVRTZTU1FrenVWUUlCY2luY2dicTA1MzJnVmpkRklVdEptaTg4elg0US9sNkZuZQptZDVGV2diY29KYjg0YXk3VmZ2NjNLMHpqcXlxK2taU0Roay91eW1wM3NxY3ZqU1BkOW01Vk1VYnFSUUw5cUpyCnczUVBhRlNKdlFvMjQyTG5WZE1TakRJVEgwZUtJdExLNkwxQW9KVW8zRFlpb3U4V0ExOUZGS2NHVE5MeHhONzEKRGk5dmQ0Q1BYR2pvRjQyTFFHVFVFY2hDRDRBZzRaZHVqZUVmb0ZTWEhXQmtHM0M4SjJJODFqeDdSTXdNMVFXdAphWjVRMmVTb2xyWHVJTFpnQTc4SWZmc2NYRGZQK0NOQ1l3RTI2dWUxVnFDd2FnMUxEV0UyWFY0ZFdQWUpuQnR6CndwN0p2aGR2MHpBeUprVGhLYVloUlgvVFljTDF0djV3VnZvSnZtTDV6UXBNeTBsWnZscFFtSDlEaHNNQ0F3RUEKQVFLQ0FnQmJJUUVpUmJ0Mmk2RGsyMERtNFdCcnRQYjl0eGJpdjk1ckJxR1ZuYzFRZmNydWpOcmpqeWRCb0lELwpBUjh4Zk5vYlIvTkl3d1NyVi9ZYjJYbklSWlQxNW1SSUw4N3FCeDNGcnFpWUd1MlNRY0huelYyQTQweVFnRUdCCnhxRnFpT0JZK1pZQXd6dHlQajZRYUY2aTRSeUxDYnFSWENwQnVaK0R5KzRVWlFHRTlxZmplVHJKNWZJcmQzUFQKbE1BV2xvck90TDZOMTNTY0Zhdy8xQ1dubzNIbFJpMnU1SERxNzArd0xVLy9vU0hzaUJ5Wm1RVzlRUmdqL0FaUwpWWVFUdkIxa3hRZCtieVFHOHUwd2J4R3RiUlFHTmE5REVIc2tBQk5jNFlTVi8yRTBUU2xHVGN5NlBpbWtDb1oyCjJuQjVibm9PQVBXa1JIQjh0UTBIbmlxSmVGV01hN2UzRW1BZ2UzYzM0Y0VXSVZkKzcxcUNoQlFGVG0ySWlTVE8KU3NKUXZKVHM3QTJ6SnZTRmJDSWpKTUZ3VzZaWGVBR3ZlSHp2d3NEdnNmTjRiS3BFVVpjVkorUTFDWlRKKzRQYwo0RU15ZnJBN2ozcXpld0liRFFuNWlKMFFEd2d0SHNQVURaenNncWIvcUQyWiswNEdDY2xGWXY3cDBiWnZQU2FjCmxXaGdzeUcrZWl5Y1BPaHVSdjV2N3VSYWlJZjVQUUxkNVBONWczdkhGeThRdjlYSXBlSUp1V1F4VXAyVlJCVEMKOEpOK1Ria2FsdXhKYlRnSzRTRzhGV1JnTVBYTlRheWRiOXlhUTZERkR2NkFFTTBUYmtvNUlVZ1R0MWtNdDFNagpOK1JJOXdjWW9aRW
VJNUdhRDlwWlNLOUE2eDRDNGhuUUJRYUpjSW55WUxGcUJlYjE0UUtDQVFFQTVNZ2ppRFZpClQxczJFVlJLOFBEV2xZRE5MZEV6Q01lRzJ3d3dkVXoxekpTL05haWhyZXVLd21jNS9kdGpVWmQ0NXh4MHNHRlAKOURNTTJNdjNFT3RHWEVLcWwxRGo1ekxwYmFLTTdGZGdSYk0rUjJaVjU5OVczbytxZC9raTJRazRVVVJ6MFJBeAp6S0o5NGt3WjQwdTZZb0dHUHBtMjNuVTZtNzM4dWFXN29GNXVXL3RXRDN1QnRoM2YwRFQ1MDNPNEhEWFlpbncvCnd1RE1HUmpDTlhVYlJXRzk4cnhwU29IQUpnTjRCbituSTlHaUNmNWwwUUFGMHMxSXlyZWpQOGJwYWlJcUZUTGUKUEtyMEFUM3JTSXk5dGhtOEVxOWUwcEllWDRkR2FVbnA4TW44M3ozYkZUZmJ6U1RKbi9VdHNUNkdIc3Q1YnRlSAptZmplb0gvQ282Z0tjUUtDQVFFQTFSZ1dOU2Y1UjdJK0lHYVAwK1hNUXNzSHpmeFVhQWo2M01DeU9RdDFFRnNsCmZSb21JSkNHTVBub0EyWlhGWHBHa1RPaVF6VUZTMFR0NmlhczZJeU40cExSdUpEY3BWd2kwaDhQZncyV0RaMUgKUnV2M0tOZnNrQlpQT1lpelVlSnQzWkhDUkJHMjVCTFdGbldlWUY1Z1VlWHJ6V2Z1RU1vcWxGVDBsZmgxWWZuVQpVQTFDUkxOTHV3anpRT2lTeCtvY2NHanpkOTFuMnNhSEw4a05tSVo0K0p3d0RKMmloUXAwYWZoTSs2dWtLayt2Cjd0dm52dDZWWXhaUXNkMnlYWlJjbUF4V0tnWVlpeE9JNUVGdU9wVTdwRU5lLzF5V3pndzJaNGRLbTRBWDNKM0UKOGp4bks0em9CdCthYXBVYlJnc2d3WWJCWkpEREF0RkhlUEFhSFVNMmN3S0NBUUF0cjJXaENvQUNOc1dhT2tubwp5VDhnaGFMelZrWXBwNlpmVVpUUHA3bWh5OFpQRWNpUGNXeTVHMkh5Tm9BangrcWx4QUh0UXRGemcwbzZkS2gyCm9YVGdjWk9kT2RMNDFTclY4TkxSVXpWdlZiYkhEVUYwVng0Q3ZZK2QrNHNnNmYxc0JRNVhuak5EbU9Nb2NHZnYKQXExS2hIRHBTVXJDSzRpemx3SERsTHZkNzExOFVybEJ5RGtEdy8xd2wxT1lEUkNqMllEUFRyWncxUEVNeGV2cQpQdU5lUElGdzJuendHdTdpNkdoc2E4dFZsTVFWMk00K0tSSUFvV3U2eDJiN0VsNkVDaVI3TFRoQnh5V0lwZk80Ci9obllKbFZ2S2NQMnFxVVVFSEJZRUNGK0t1ZXJNSy95RWNCN3U2L2ptRk15aExqRnAzNHRTeTdSNldlVGgwKzMKM0pPUkFvSUJBUUNFYitybGNJbWFTS29hQXdRaXd2QlhGczRyOUVZVlBuZURHWFBxeGpja1NqR2JkZFA2YXpncgpXalliWHRDQ3RiTUQ3VjVNZkxoa2xsdHpLa1JPWjRTTEs0cVNOZDRjRzQ0OG56ZEhWSTlNdU5JaXZ1YW1pTVFxCnJPTGlOQmFXcnE1dmhYYUNUYXdvUlppdTdyelcwZkQxRlh1ZTlwZmI4WG5USkpXNlcyZkEwNzlqWFVveFhtbVQKdmJWSlF3SnVvdzYzd2xLR3phRU5ORk95bkRjSjg1RmRtZHkzQ29XR1FBQW9HRHpvTVQzZldoVlMwM05OaWhLNApPWmMvWkRURnVqNXQ5VVRiNjF2M205VjVYeno5eGVBQ2NDaXJkc1QzSEZuM3IvcnJlQW5jZ0dWMTA1cWZVM3lsClFQVThocDBqeENqQWZsclZnSzdpb21UVVFnMUk0SXdIQW9JQkFGd3JGVFRtbk14dCt4RitHUmRVbTMwVXBYMGsKVVlpOENLV0llZ3ErR1ViOW
1hU0o4LytEYmJRRDZwdks3Zmw2S0swOXR0WjNabGN0M050dnd1cnR2TWw5eDRtRgo3Q2RFRkp3RWhoSmdyTVdhMUJzc25LYndibGVNRUR2T0xOc2piS1V4UlRNaWFEdHA5RXBKNkV6dmxFZU1YOEZyCno0aXRwTXpoZW5uWlNwWU9FS0JsVVJhSGFERVdZTDdGblhIc1BNakZNaGRHdmJROUFLTUk5N1RtazNvNG9Ld1gKQmluNm1FQStaM3NFd1ljYk1tNHFDbTZ2NUMrVW90WWN0SjFOMGFldXRMWkhDZnlia0RBWkVTaTlITkNua2h5UQp2M3RqY3NVQmVRWk0rUFRMK3dJVGd4TEF6Q0lMT0d6Y1YzZFRXK3d6SzE4aUhaTXNxeHROOWF4ajBvND0KLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K -kind: Secret -metadata: - annotations: - a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git - labels: null - name: idp-secrets - namespace: ocis diff --git a/rendered/envs/production/ocis/secret-jwt-secret.yaml b/rendered/envs/production/ocis/secret-jwt-secret.yaml deleted file mode 100644 index 042cd44..0000000 --- a/rendered/envs/production/ocis/secret-jwt-secret.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -data: - jwt-secret: eWU2dHdSTjlYM3R0SkZhT0lFdnFpWHJzclRaMDND -kind: Secret -metadata: - annotations: - a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git - labels: null - name: jwt-secret - namespace: ocis diff --git a/rendered/envs/production/ocis/secret-ldap-bind-secrets.yaml b/rendered/envs/production/ocis/secret-ldap-bind-secrets.yaml deleted file mode 100644 index a356cbe..0000000 --- a/rendered/envs/production/ocis/secret-ldap-bind-secrets.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -data: - graph-ldap-bind-password: b09yM2dZZDE0VFlEUWlBOEJZWDlGY2FlZFBXUWhG - idp-ldap-bind-password: a3lYWWtER3FlSlhLcXpQb25uYTRySDU3SGh0WHFO - reva-ldap-bind-password: SGoybVlLSFZVaDRKZkhxMkxlcmJJam9pOWVUT0p4 -kind: Secret -metadata: - annotations: - a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git - labels: null - name: ldap-bind-secrets - namespace: ocis diff --git a/rendered/envs/production/ocis/secret-ldap-ca.yaml b/rendered/envs/production/ocis/secret-ldap-ca.yaml deleted file mode 100644 index 679f2d6..0000000 
--- a/rendered/envs/production/ocis/secret-ldap-ca.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -data: - ldap-ca.crt: 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 -kind: Secret -metadata: - annotations: - a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git - labels: null - name: ldap-ca - namespace: ocis diff --git a/rendered/envs/production/ocis/secret-ldap-cert.yaml b/rendered/envs/production/ocis/secret-ldap-cert.yaml deleted file mode 100644 index 15ad5c0..0000000 --- a/rendered/envs/production/ocis/secret-ldap-cert.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -data: - ldap.crt: 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 - ldap.key: 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 -kind: Secret -metadata: - annotations: - a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git - labels: null - name: ldap-cert - namespace: ocis diff --git a/rendered/envs/production/ocis/secret-machine-auth-api-key.yaml b/rendered/envs/production/ocis/secret-machine-auth-api-key.yaml deleted file mode 100644 index 9a03cb0..0000000 --- a/rendered/envs/production/ocis/secret-machine-auth-api-key.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -data: - machine-auth-api-key: aEZZMkdWcVVBWWhjejNFRjRQRUNRVXZLbHpzUUpL -kind: Secret -metadata: - annotations: - a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git - labels: null - name: machine-auth-api-key - namespace: ocis diff --git a/rendered/envs/production/ocis/secret-service-account-secret.yaml b/rendered/envs/production/ocis/secret-service-account-secret.yaml deleted file mode 100644 index 6b5fed7..0000000 --- a/rendered/envs/production/ocis/secret-service-account-secret.yaml +++ /dev/null 
@@ -1,10 +0,0 @@ -apiVersion: v1 -data: - service-account-secret: NThMNVYzMnBsUUJ5UlBsZE10aDZuUEJOZnRNTU1W -kind: Secret -metadata: - annotations: - a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git - labels: null - name: service-account-secret - namespace: ocis diff --git a/rendered/envs/production/ocis/secret-storage-system-jwt-secret.yaml b/rendered/envs/production/ocis/secret-storage-system-jwt-secret.yaml deleted file mode 100644 index 64b49b0..0000000 --- a/rendered/envs/production/ocis/secret-storage-system-jwt-secret.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -data: - storage-system-jwt-secret: TWRKWW0zUFRFS2NwSDI1UFFXN3ZkZGdCdURIUnN6 -kind: Secret -metadata: - annotations: - a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git - labels: null - name: storage-system-jwt-secret - namespace: ocis diff --git a/rendered/envs/production/ocis/secret-storage-system.yaml b/rendered/envs/production/ocis/secret-storage-system.yaml deleted file mode 100644 index fb0b775..0000000 --- a/rendered/envs/production/ocis/secret-storage-system.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -data: - api-key: RDhWVTFYblF6cjZHeGF6OHpPZnhHNEYxTHhHQ0ZI - user-id: MDQ1NzJjMGUtZGUxZi00ODZiLWE4YTEtMmYxZjI1NmM1Nzc1 -kind: Secret -metadata: - annotations: - a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git - labels: null - name: storage-system - namespace: ocis diff --git a/rendered/envs/production/ocis/secret-thumbnails-transfer-secret.yaml b/rendered/envs/production/ocis/secret-thumbnails-transfer-secret.yaml deleted file mode 100644 index 939b0a8..0000000 --- a/rendered/envs/production/ocis/secret-thumbnails-transfer-secret.yaml +++ /dev/null 
@@ -1,10 +0,0 @@ -apiVersion: v1 -data: - thumbnails-transfer-secret: NGtlWEw4c3BJcm9sZzBiRFpBdWlhbExrMnJKM2N5 -kind: Secret -metadata: - annotations: - a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git - labels: null - name: thumbnails-transfer-secret - namespace: ocis diff --git a/rendered/envs/production/ocis/secret-transfer-secret.yaml b/rendered/envs/production/ocis/secret-transfer-secret.yaml deleted file mode 100644 index 75260fb..0000000 --- a/rendered/envs/production/ocis/secret-transfer-secret.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -data: - transfer-secret: aU0wdXNRM2RIRXNTQXdzeHgxTXNkTnlqamQwV0p3 -kind: Secret -metadata: - annotations: - a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git - labels: null - name: transfer-secret - namespace: ocis diff --git a/rendered/envs/production/ocis/serviceaccount-ocis-secret-init.yaml b/rendered/envs/production/ocis/serviceaccount-ocis-secret-init.yaml index f623792..22f0e96 100644 --- a/rendered/envs/production/ocis/serviceaccount-ocis-secret-init.yaml +++ b/rendered/envs/production/ocis/serviceaccount-ocis-secret-init.yaml @@ -3,5 +3,7 @@ kind: ServiceAccount metadata: annotations: a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + argocd.argoproj.io/hook: PreSync + argocd.argoproj.io/sync-wave: "-2" name: ocis-secret-init namespace: ocis
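Review bot: the deletion of `rendered/envs/production/ocis/secret-idp-secrets.yaml` removes the manifest from the tree but not from git history, and the blob being deleted is a PEM RSA private key (the base64 value ends in `LS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K`, which decodes to `-----END RSA PRIVATE KEY-----`). Since the repository is stated to be public, that key must be treated as disclosed: the in-cluster init Job should generate a fresh IdP signing key rather than re-import this one, and any tokens issued under the old key should be considered invalid once it is rotated. Consider purging the blob from history as well, and add a secret-scanning check in CI or a pre-commit hook so a rendered private key cannot be committed again.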
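Review bot: the same history problem applies to every other rendered Secret removed in this change (`jwt-secret`, `ldap-bind-secrets`, `ldap-ca`, `ldap-cert`, `machine-auth-api-key`, `service-account-secret`, `storage-system-jwt-secret`, `storage-system`, `thumbnails-transfer-secret`, `transfer-secret`). The `data:` values are plain base64, so anyone with the repository history has the cleartext. The commit should state that all of these were rotated, and the PreSync init Job must create new random values instead of reusing the removed ones; for `ldap-cert` that means reissuing the LDAP server certificate and key, and for `ldap-bind-secrets` it means changing the three bind passwords on the LDAP side as well, otherwise the new in-cluster Secret and the directory will disagree.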
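Review bot: in the `serviceaccount-ocis-secret-init.yaml` hunk the ServiceAccount becomes a `PreSync` hook at `sync-wave: "-2"`, but no `argocd.argoproj.io/hook-delete-policy` is set, so Argo CD's default `BeforeHookCreation` policy applies and the ServiceAccount is deleted and recreated on every sync; that is fine for a short-lived init Job but means nothing else should bind to this account. The Role and RoleBinding that let the Job read and create Secrets are not in the visible hunks; confirm they are also hook resources ordered at or before the Job's wave (otherwise the Job runs before its RBAC exists and fails), and scope them to `get` and `create` on `secrets` in namespace `ocis` only, so a compromised init container cannot list or overwrite unrelated Secrets.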