From 9d89231de4e87ffd649c83a0f639adad30c7bdf2 Mon Sep 17 00:00:00 2001 
From: Felix Wolf Date: Mon, 6 Apr 2026 13:08:38 +0200 Subject: [PATCH] fix(ocis): Move secret generation to PreSync init Job Removes all 13 Helm-generated secrets from rendered output and instead generates them at deploy time via an init Job. The Job creates secrets with random credentials only if they don't already exist, ensuring idempotent deploys. Runs as ArgoCD PreSync hook so secrets are ready before oCIS pods start. Co-Authored-By: Claude Opus 4.6 (1M context) --- CLAUDE.md | 11 +- prototypes/ocis/helm/ocis.yaml | 13 ++ prototypes/ocis/ytt/s3-secret-job.ytt.yaml | 115 ++++++++++++++++-- .../ocis/configmap-auth-service.yaml | 2 +- .../envs/production/ocis/configmap-graph.yaml | 2 +- .../ocis/configmap-storage-users.yaml | 2 +- ...b-storage-users-clean-expired-uploads.yaml | 6 +- ...e-users-purge-expired-trash-bin-items.yaml | 6 +- ...-storage-users-restart-postprocessing.yaml | 6 +- .../ocis/deployment-activitylog.yaml | 4 +- .../ocis/deployment-appregistry.yaml | 2 +- .../ocis/deployment-authmachine.yaml | 4 +- .../ocis/deployment-authservice.yaml | 4 +- .../production/ocis/deployment-clientlog.yaml | 4 +- .../production/ocis/deployment-frontend.yaml | 8 +- .../production/ocis/deployment-gateway.yaml | 4 +- .../production/ocis/deployment-graph.yaml | 8 +- .../production/ocis/deployment-groups.yaml | 6 +- .../envs/production/ocis/deployment-idm.yaml | 12 +- .../envs/production/ocis/deployment-idp.yaml | 6 +- .../production/ocis/deployment-ocdav.yaml | 4 +- .../envs/production/ocis/deployment-ocs.yaml | 2 +- .../production/ocis/deployment-proxy.yaml | 6 +- .../production/ocis/deployment-search.yaml | 4 +- .../production/ocis/deployment-settings.yaml | 8 +- .../production/ocis/deployment-sharing.yaml | 10 +- .../envs/production/ocis/deployment-sse.yaml | 2 +- .../ocis/deployment-storagepubliclink.yaml | 2 +- .../ocis/deployment-storageshares.yaml | 2 +- .../ocis/deployment-storagesystem.yaml | 6 +- .../ocis/deployment-storageusers.yaml | 6 +- 
.../ocis/deployment-thumbnails.yaml | 2 +- .../production/ocis/deployment-userlog.yaml | 4 +- .../production/ocis/deployment-users.yaml | 6 +- .../envs/production/ocis/deployment-web.yaml | 2 +- .../production/ocis/job-ocis-secret-init.yaml | 106 ++++++++++++++-- .../ocis/role-ocis-secret-init.yaml | 2 + .../ocis/rolebinding-ocis-secret-init.yaml | 2 + .../production/ocis/secret-admin-user.yaml | 11 -- .../secret-collaboration-wopi-secret.yaml | 10 -- .../production/ocis/secret-idp-secrets.yaml | 11 -- .../production/ocis/secret-jwt-secret.yaml | 10 -- .../ocis/secret-ldap-bind-secrets.yaml | 12 -- .../envs/production/ocis/secret-ldap-ca.yaml | 10 -- .../production/ocis/secret-ldap-cert.yaml | 11 -- .../ocis/secret-machine-auth-api-key.yaml | 10 -- .../ocis/secret-service-account-secret.yaml | 10 -- .../secret-storage-system-jwt-secret.yaml | 10 -- .../ocis/secret-storage-system.yaml | 11 -- .../secret-thumbnails-transfer-secret.yaml | 10 -- .../ocis/secret-transfer-secret.yaml | 10 -- .../ocis/serviceaccount-ocis-secret-init.yaml | 2 + 52 files changed, 306 insertions(+), 233 deletions(-) delete mode 100644 rendered/envs/production/ocis/secret-admin-user.yaml delete mode 100644 rendered/envs/production/ocis/secret-collaboration-wopi-secret.yaml delete mode 100644 rendered/envs/production/ocis/secret-idp-secrets.yaml delete mode 100644 rendered/envs/production/ocis/secret-jwt-secret.yaml delete mode 100644 rendered/envs/production/ocis/secret-ldap-bind-secrets.yaml delete mode 100644 rendered/envs/production/ocis/secret-ldap-ca.yaml delete mode 100644 rendered/envs/production/ocis/secret-ldap-cert.yaml delete mode 100644 rendered/envs/production/ocis/secret-machine-auth-api-key.yaml delete mode 100644 rendered/envs/production/ocis/secret-service-account-secret.yaml delete mode 100644 rendered/envs/production/ocis/secret-storage-system-jwt-secret.yaml delete mode 100644 rendered/envs/production/ocis/secret-storage-system.yaml delete mode 100644 
rendered/envs/production/ocis/secret-thumbnails-transfer-secret.yaml delete mode 100644 rendered/envs/production/ocis/secret-transfer-secret.yaml diff --git a/CLAUDE.md b/CLAUDE.md index ada3553..72cb37d 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -74,6 +74,11 @@ kubectl apply -f rendered/envs/production// --server-side # Deploy ## Container Images - **Never use bitnami images.** Use `alpine/k8s` or plain `alpine` for utility Jobs instead. -## Secrets (not in git) -- `cert-manager/letsencrypt-account-key` — ACME account key (auto-generated) -- `argocd/argocd-initial-admin-secret` — ArgoCD admin password (auto-generated) +## Secrets +- **Never commit secrets to git.** This is a public repository. +- **All secrets must be generated in-cluster** using init Jobs (ArgoCD PreSync hooks) that create secrets if they don't already exist. See `prototypes/ocis/ytt/s3-secret-job.ytt.yaml` for the pattern. +- **External secrets** (e.g. S3 credentials) that cannot be generated must be created manually in the cluster before deploying. The init Job should validate their existence and fail fast if missing. +- When adding a new application that uses a Helm chart generating secrets, configure all `secretRefs` to point to pre-created secret names and use an init Job to generate them. +- Known external secrets (not in git, created manually): + - `ocis/ocis-s3-credentials` — Hetzner S3 access key and secret key + - `cert-manager/letsencrypt-account-key` — ACME account key (auto-generated by cert-manager) diff --git a/prototypes/ocis/helm/ocis.yaml b/prototypes/ocis/helm/ocis.yaml index 10a1832..adda280 100644 --- a/prototypes/ocis/helm/ocis.yaml +++ b/prototypes/ocis/helm/ocis.yaml 
@@ -21,6 +21,19 @@ resources: cpu: 10m secretRefs: + adminUserSecretRef: ocis-admin-user + idpSecretRef: ocis-idp-secrets + jwtSecretRef: ocis-jwt-secret + ldapSecretRef: ocis-ldap-bind-secrets + ldapCaRef: ocis-ldap-ca + ldapCertRef: ocis-ldap-cert + machineAuthApiKeySecretRef: ocis-machine-auth-api-key + storagesystemJwtSecretRef: ocis-storage-system-jwt-secret + storagesystemSecretRef: ocis-storage-system + thumbnailsSecretRef: ocis-thumbnails-transfer-secret + transferSecretSecretRef: ocis-transfer-secret + serviceAccountSecretRef: ocis-service-account-secret + collaborationWopiSecret: ocis-collaboration-wopi-secret s3CredentialsSecretRef: ocis-s3-credentials services: diff --git a/prototypes/ocis/ytt/s3-secret-job.ytt.yaml b/prototypes/ocis/ytt/s3-secret-job.ytt.yaml index 280afc9..17784bb 100644 --- a/prototypes/ocis/ytt/s3-secret-job.ytt.yaml +++ b/prototypes/ocis/ytt/s3-secret-job.ytt.yaml @@ -8,6 +8,9 @@ kind: ServiceAccount metadata: name: ocis-secret-init namespace: #@ ns + annotations: + argocd.argoproj.io/hook: PreSync + argocd.argoproj.io/sync-wave: "-2" --- apiVersion: rbac.authorization.k8s.io/v1 @@ -15,6 +18,9 @@ kind: Role metadata: name: ocis-secret-init namespace: #@ ns + annotations: + argocd.argoproj.io/hook: PreSync + argocd.argoproj.io/sync-wave: "-2" rules: - apiGroups: [""] resources: ["secrets"] @@ -26,6 +32,9 @@ kind: RoleBinding metadata: name: ocis-secret-init namespace: #@ ns + annotations: + argocd.argoproj.io/hook: PreSync + argocd.argoproj.io/sync-wave: "-2" subjects: - kind: ServiceAccount name: ocis-secret-init @@ -42,6 +51,8 @@ metadata: name: ocis-secret-init namespace: #@ ns annotations: + argocd.argoproj.io/hook: PreSync + argocd.argoproj.io/sync-wave: "-1" argocd.argoproj.io/sync-options: Replace=true spec: ttlSecondsAfterFinished: 300 
@@ -58,18 +69,104 @@ spec: - | set -e - SECRET_NAME="ocis-s3-credentials" + gen_random() { + head -c 32 /dev/urandom | base64 | tr -dc 'a-zA-Z0-9' | head -c "$1" + } - if ! kubectl get secret "${SECRET_NAME}" -n ${NAMESPACE} >/dev/null 2>&1; then - echo "ERROR: Secret ${SECRET_NAME} does not exist in namespace ${NAMESPACE}." - echo "Please create it manually with keys 'accessKey' and 'secretKey':" - echo " kubectl create secret generic ${SECRET_NAME} -n ${NAMESPACE} \\" - echo " --from-literal=accessKey= \\" - echo " --from-literal=secretKey=" + gen_uuid() { + cat /proc/sys/kernel/random/uuid + } + + create_secret_if_missing() { + local name="$1" + shift + if kubectl get secret "$name" -n "${NAMESPACE}" >/dev/null 2>&1; then + echo "Secret $name already exists, skipping" + return + fi + kubectl create secret generic "$name" -n "${NAMESPACE}" "$@" + echo "Created secret $name" + } + + # Validate external secrets exist + if ! kubectl get secret ocis-s3-credentials -n "${NAMESPACE}" >/dev/null 2>&1; then + echo "ERROR: External secret ocis-s3-credentials must be created manually" exit 1 - else - echo "Secret ${SECRET_NAME} exists, OK" fi + + # Admin user + create_secret_if_missing ocis-admin-user \ + --from-literal=password="$(gen_random 32)" \ + --from-literal=user-id="$(gen_uuid)" + + # JWT secret + create_secret_if_missing ocis-jwt-secret \ + --from-literal=jwt-secret="$(gen_random 32)" + + # Machine auth API key + create_secret_if_missing ocis-machine-auth-api-key \ + --from-literal=machine-auth-api-key="$(gen_random 32)" + + # Storage system JWT secret + create_secret_if_missing ocis-storage-system-jwt-secret \ + --from-literal=storage-system-jwt-secret="$(gen_random 32)" + + # Storage system secret + create_secret_if_missing ocis-storage-system \ + --from-literal=api-key="$(gen_random 32)" \ + --from-literal=user-id="$(gen_uuid)" + + # Transfer secret + create_secret_if_missing ocis-transfer-secret \ + --from-literal=transfer-secret="$(gen_random 32)" + + # 
Thumbnails transfer secret + create_secret_if_missing ocis-thumbnails-transfer-secret \ + --from-literal=thumbnails-transfer-secret="$(gen_random 32)" + + # Service account secret + create_secret_if_missing ocis-service-account-secret \ + --from-literal=service-account-secret="$(gen_random 32)" + + # Collaboration WOPI secret + create_secret_if_missing ocis-collaboration-wopi-secret \ + --from-literal=wopi-secret="$(gen_random 32)" + + # LDAP bind secrets (three passwords for different bind users) + create_secret_if_missing ocis-ldap-bind-secrets \ + --from-literal=reva-ldap-bind-password="$(gen_random 32)" \ + --from-literal=idp-ldap-bind-password="$(gen_random 32)" \ + --from-literal=graph-ldap-bind-password="$(gen_random 32)" + + # IDP secret (encryption key + RSA private key) + create_secret_if_missing ocis-idp-secrets \ + --from-literal=encryption.key="$(gen_random 32)" \ + --from-literal=private-key.pem="$(openssl genrsa 4096 2>/dev/null)" + + # LDAP CA cert + key (self-signed) + if ! 
kubectl get secret ocis-ldap-ca -n "${NAMESPACE}" >/dev/null 2>&1; then + openssl req -x509 -newkey rsa:2048 -keyout /tmp/ldap-ca.key -out /tmp/ldap-ca.crt \ + -days 3650 -nodes -subj "/CN=ldap-ca" 2>/dev/null + kubectl create secret generic ocis-ldap-ca -n "${NAMESPACE}" \ + --from-file=ldap-ca.crt=/tmp/ldap-ca.crt + echo "Created secret ocis-ldap-ca" + + # LDAP server cert signed by the CA + openssl req -newkey rsa:2048 -keyout /tmp/ldap.key -out /tmp/ldap.csr \ + -nodes -subj "/CN=idm" -addext "subjectAltName=DNS:idm" 2>/dev/null + openssl x509 -req -in /tmp/ldap.csr -CA /tmp/ldap-ca.crt -CAkey /tmp/ldap-ca.key \ + -CAcreateserial -out /tmp/ldap.crt -days 3650 \ + -extfile <(printf "subjectAltName=DNS:idm") 2>/dev/null + kubectl create secret generic ocis-ldap-cert -n "${NAMESPACE}" \ + --from-file=ldap.crt=/tmp/ldap.crt \ + --from-file=ldap.key=/tmp/ldap.key + echo "Created secret ocis-ldap-cert" + rm -f /tmp/ldap-ca.key /tmp/ldap-ca.crt /tmp/ldap.key /tmp/ldap.crt /tmp/ldap.csr /tmp/ldap-ca.srl + else + echo "Secret ocis-ldap-ca already exists, skipping LDAP certs" + fi + + echo "All secrets initialized successfully" env: - name: NAMESPACE valueFrom: diff --git a/rendered/envs/production/ocis/configmap-auth-service.yaml b/rendered/envs/production/ocis/configmap-auth-service.yaml index 1d05dc1..62be62f 100644 --- a/rendered/envs/production/ocis/configmap-auth-service.yaml +++ b/rendered/envs/production/ocis/configmap-auth-service.yaml @@ -1,6 +1,6 @@ apiVersion: v1 data: - service-account-id: c1561758-95a8-4926-aff8-a689830e1c46 + service-account-id: 4919631a-3752-4536-ad57-662acde05439 kind: ConfigMap metadata: annotations: diff --git a/rendered/envs/production/ocis/configmap-graph.yaml b/rendered/envs/production/ocis/configmap-graph.yaml index 403c3fc..e7cffac 100644 --- a/rendered/envs/production/ocis/configmap-graph.yaml +++ b/rendered/envs/production/ocis/configmap-graph.yaml 
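Review bot: `service-account-id` is rotated to a fresh UUID in this render, and the same happens to `application-id` in `configmap-graph.yaml` and `storage-uuid` in `configmap-storage-users.yaml`; these look like chart-generated random values that change on every `helm template`, which is the same non-determinism this commit removes for the secrets. `storage-uuid` is the one to worry about: if the chart uses it as the storage-users mount id (the rendered deployments read it via `STORAGE_USERS_MOUNT_ID`), re-applying a render with a new value on an existing installation would change the id that stored spaces and shares reference. Pin these three values in `prototypes/ocis/helm/ocis.yaml`, or generate them once in the init Job the way the secrets now are, so re-rendering does not rotate them.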
@@ -1,6 +1,6 @@ apiVersion: v1 data: - application-id: 7ee4ec5b-f9ab-4785-bc57-18b2b0ed19df + application-id: 5ec2e077-3b94-40fb-bd34-5db3330739f5 kind: ConfigMap metadata: annotations: diff --git a/rendered/envs/production/ocis/configmap-storage-users.yaml b/rendered/envs/production/ocis/configmap-storage-users.yaml index 32759c9..24576d0 100644 --- a/rendered/envs/production/ocis/configmap-storage-users.yaml +++ b/rendered/envs/production/ocis/configmap-storage-users.yaml @@ -1,6 +1,6 @@ apiVersion: v1 data: - storage-uuid: 322b777b-988b-40ab-88b0-96f4bcd6b010 + storage-uuid: 94b0c5f9-cb81-4611-98ad-daea8c64ddb4 kind: ConfigMap metadata: annotations: diff --git a/rendered/envs/production/ocis/cronjob-storage-users-clean-expired-uploads.yaml b/rendered/envs/production/ocis/cronjob-storage-users-clean-expired-uploads.yaml index 65f496b..97bcfe7 100644 --- a/rendered/envs/production/ocis/cronjob-storage-users-clean-expired-uploads.yaml +++ b/rendered/envs/production/ocis/cronjob-storage-users-clean-expired-uploads.yaml @@ -70,12 +70,12 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: OCIS_TRANSFER_SECRET valueFrom: secretKeyRef: key: transfer-secret - name: transfer-secret + name: ocis-transfer-secret - name: STORAGE_USERS_MOUNT_ID valueFrom: configMapKeyRef: @@ -90,7 +90,7 @@ spec: valueFrom: secretKeyRef: key: service-account-secret - name: service-account-secret + name: ocis-service-account-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent name: storage-users-clean-expired-uploads diff --git a/rendered/envs/production/ocis/cronjob-storage-users-purge-expired-trash-bin-items.yaml b/rendered/envs/production/ocis/cronjob-storage-users-purge-expired-trash-bin-items.yaml index 909cc44..0485c10 100644 --- a/rendered/envs/production/ocis/cronjob-storage-users-purge-expired-trash-bin-items.yaml +++ b/rendered/envs/production/ocis/cronjob-storage-users-purge-expired-trash-bin-items.yaml 
@@ -51,12 +51,12 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: OCIS_TRANSFER_SECRET valueFrom: secretKeyRef: key: transfer-secret - name: transfer-secret + name: ocis-transfer-secret - name: STORAGE_USERS_MOUNT_ID valueFrom: configMapKeyRef: @@ -71,7 +71,7 @@ spec: valueFrom: secretKeyRef: key: service-account-secret - name: service-account-secret + name: ocis-service-account-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent name: storage-users-purge-expired-trash-bin-items diff --git a/rendered/envs/production/ocis/cronjob-storage-users-restart-postprocessing.yaml b/rendered/envs/production/ocis/cronjob-storage-users-restart-postprocessing.yaml index 996bfac..6907bc9 100644 --- a/rendered/envs/production/ocis/cronjob-storage-users-restart-postprocessing.yaml +++ b/rendered/envs/production/ocis/cronjob-storage-users-restart-postprocessing.yaml @@ -53,12 +53,12 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: OCIS_TRANSFER_SECRET valueFrom: secretKeyRef: key: transfer-secret - name: transfer-secret + name: ocis-transfer-secret - name: STORAGE_USERS_MOUNT_ID valueFrom: configMapKeyRef: @@ -73,7 +73,7 @@ spec: valueFrom: secretKeyRef: key: service-account-secret - name: service-account-secret + name: ocis-service-account-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent name: storage-users-restart-postprocessing diff --git a/rendered/envs/production/ocis/deployment-activitylog.yaml b/rendered/envs/production/ocis/deployment-activitylog.yaml index cfe871a..18b6bb5 100644 --- a/rendered/envs/production/ocis/deployment-activitylog.yaml +++ b/rendered/envs/production/ocis/deployment-activitylog.yaml 
@@ -79,12 +79,12 @@ spec: valueFrom: secretKeyRef: key: service-account-secret - name: service-account-secret + name: ocis-service-account-secret - name: ACTIVITYLOG_JWT_SECRET valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: diff --git a/rendered/envs/production/ocis/deployment-appregistry.yaml b/rendered/envs/production/ocis/deployment-appregistry.yaml index 56f7d97..0934d0c 100644 --- a/rendered/envs/production/ocis/deployment-appregistry.yaml +++ b/rendered/envs/production/ocis/deployment-appregistry.yaml @@ -68,7 +68,7 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: diff --git a/rendered/envs/production/ocis/deployment-authmachine.yaml b/rendered/envs/production/ocis/deployment-authmachine.yaml index 43c9639..c3aa607 100644 --- a/rendered/envs/production/ocis/deployment-authmachine.yaml +++ b/rendered/envs/production/ocis/deployment-authmachine.yaml @@ -66,12 +66,12 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: AUTH_MACHINE_API_KEY valueFrom: secretKeyRef: key: machine-auth-api-key - name: machine-auth-api-key + name: ocis-machine-auth-api-key image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: diff --git a/rendered/envs/production/ocis/deployment-authservice.yaml b/rendered/envs/production/ocis/deployment-authservice.yaml index af2854f..c7daff0 100644 --- a/rendered/envs/production/ocis/deployment-authservice.yaml +++ b/rendered/envs/production/ocis/deployment-authservice.yaml @@ -66,7 +66,7 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: AUTH_SERVICE_SERVICE_ACCOUNT_ID valueFrom: configMapKeyRef: 
@@ -76,7 +76,7 @@ spec: valueFrom: secretKeyRef: key: service-account-secret - name: service-account-secret + name: ocis-service-account-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: diff --git a/rendered/envs/production/ocis/deployment-clientlog.yaml b/rendered/envs/production/ocis/deployment-clientlog.yaml index 022b7d0..625d9d7 100644 --- a/rendered/envs/production/ocis/deployment-clientlog.yaml +++ b/rendered/envs/production/ocis/deployment-clientlog.yaml @@ -71,12 +71,12 @@ spec: valueFrom: secretKeyRef: key: service-account-secret - name: service-account-secret + name: ocis-service-account-secret - name: CLIENTLOG_JWT_SECRET valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: diff --git a/rendered/envs/production/ocis/deployment-frontend.yaml b/rendered/envs/production/ocis/deployment-frontend.yaml index f794287..0cdbd6b 100644 --- a/rendered/envs/production/ocis/deployment-frontend.yaml +++ b/rendered/envs/production/ocis/deployment-frontend.yaml @@ -76,7 +76,7 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: FRONTEND_APP_HANDLER_INSECURE value: "false" - name: FRONTEND_ARCHIVER_INSECURE @@ -103,7 +103,7 @@ spec: valueFrom: secretKeyRef: key: machine-auth-api-key - name: machine-auth-api-key + name: ocis-machine-auth-api-key - name: FRONTEND_SERVICE_ACCOUNT_ID valueFrom: configMapKeyRef: @@ -113,12 +113,12 @@ spec: valueFrom: secretKeyRef: key: service-account-secret - name: service-account-secret + name: ocis-service-account-secret - name: OCIS_TRANSFER_SECRET valueFrom: secretKeyRef: key: transfer-secret - name: transfer-secret + name: ocis-transfer-secret - name: FRONTEND_AUTO_ACCEPT_SHARES value: "true" - name: FRONTEND_MAX_CONCURRENCY 
diff --git a/rendered/envs/production/ocis/deployment-gateway.yaml b/rendered/envs/production/ocis/deployment-gateway.yaml index 7264bde..5b695b6 100644 --- a/rendered/envs/production/ocis/deployment-gateway.yaml +++ b/rendered/envs/production/ocis/deployment-gateway.yaml @@ -79,12 +79,12 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: OCIS_TRANSFER_SECRET valueFrom: secretKeyRef: key: transfer-secret - name: transfer-secret + name: ocis-transfer-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: diff --git a/rendered/envs/production/ocis/deployment-graph.yaml b/rendered/envs/production/ocis/deployment-graph.yaml index d24df65..3e94a57 100644 --- a/rendered/envs/production/ocis/deployment-graph.yaml +++ b/rendered/envs/production/ocis/deployment-graph.yaml @@ -84,7 +84,7 @@ spec: valueFrom: secretKeyRef: key: graph-ldap-bind-password - name: ldap-bind-secrets + name: ocis-ldap-bind-secrets - name: OCIS_SHOW_USER_EMAIL_IN_RESULTS value: "false" - name: GRAPH_APPLICATION_ID @@ -96,7 +96,7 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: OCIS_DEFAULT_LANGUAGE value: en - name: GRAPH_SERVICE_ACCOUNT_ID @@ -108,7 +108,7 @@ spec: valueFrom: secretKeyRef: key: service-account-secret - name: service-account-secret + name: ocis-service-account-secret - name: OCIS_ENABLE_OCM value: "false" image: owncloud/ocis:7.1.4 @@ -152,4 +152,4 @@ spec: name: messaging-system-ca - name: ldap-ca secret: - secretName: ldap-ca + secretName: ocis-ldap-ca diff --git a/rendered/envs/production/ocis/deployment-groups.yaml b/rendered/envs/production/ocis/deployment-groups.yaml index 2f003a9..18dd40c 100644 --- a/rendered/envs/production/ocis/deployment-groups.yaml +++ b/rendered/envs/production/ocis/deployment-groups.yaml 
@@ -70,14 +70,14 @@ spec: valueFrom: secretKeyRef: key: reva-ldap-bind-password - name: ldap-bind-secrets + name: ocis-ldap-bind-secrets - name: GROUPS_IDP_URL value: https://drive.tr1ceracop.de - name: GROUPS_JWT_SECRET valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: @@ -118,4 +118,4 @@ spec: name: tmp-volume - name: ldap-ca secret: - secretName: ldap-ca + secretName: ocis-ldap-ca diff --git a/rendered/envs/production/ocis/deployment-idm.yaml b/rendered/envs/production/ocis/deployment-idm.yaml index 58a8c71..b2a7e2f 100644 --- a/rendered/envs/production/ocis/deployment-idm.yaml +++ b/rendered/envs/production/ocis/deployment-idm.yaml @@ -67,27 +67,27 @@ spec: valueFrom: secretKeyRef: key: password - name: admin-user + name: ocis-admin-user - name: IDM_ADMIN_USER_ID valueFrom: secretKeyRef: key: user-id - name: admin-user + name: ocis-admin-user - name: IDM_SVC_PASSWORD valueFrom: secretKeyRef: key: graph-ldap-bind-password - name: ldap-bind-secrets + name: ocis-ldap-bind-secrets - name: IDM_REVASVC_PASSWORD valueFrom: secretKeyRef: key: reva-ldap-bind-password - name: ldap-bind-secrets + name: ocis-ldap-bind-secrets - name: IDM_IDPSVC_PASSWORD valueFrom: secretKeyRef: key: idp-ldap-bind-password - name: ldap-bind-secrets + name: ocis-ldap-bind-secrets - name: IDM_LDAPS_CERT value: /etc/ocis/ldap-cert/ldap.crt - name: IDM_LDAPS_KEY @@ -150,7 +150,7 @@ spec: volumes: - name: ldap-cert secret: - secretName: ldap-cert + secretName: ocis-ldap-cert - name: idm-data persistentVolumeClaim: claimName: idm-data diff --git a/rendered/envs/production/ocis/deployment-idp.yaml b/rendered/envs/production/ocis/deployment-idp.yaml index 0fee8db..5170266 100644 --- a/rendered/envs/production/ocis/deployment-idp.yaml +++ b/rendered/envs/production/ocis/deployment-idp.yaml 
@@ -70,7 +70,7 @@ spec: valueFrom: secretKeyRef: key: idp-ldap-bind-password - name: ldap-bind-secrets + name: ocis-ldap-bind-secrets - name: IDP_SIGNING_PRIVATE_KEY_FILES value: /etc/ocis/idp/private-key.pem - name: IDP_ENCRYPTION_SECRET_FILE @@ -118,7 +118,7 @@ spec: name: ocis-data-tmp - name: ldap-ca secret: - secretName: ldap-ca + secretName: ocis-ldap-ca - name: idp-secrets secret: - secretName: idp-secrets + secretName: ocis-idp-secrets diff --git a/rendered/envs/production/ocis/deployment-ocdav.yaml b/rendered/envs/production/ocis/deployment-ocdav.yaml index 68e3c1e..c46c633 100644 --- a/rendered/envs/production/ocis/deployment-ocdav.yaml +++ b/rendered/envs/production/ocis/deployment-ocdav.yaml @@ -74,12 +74,12 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: OCDAV_MACHINE_AUTH_API_KEY valueFrom: secretKeyRef: key: machine-auth-api-key - name: machine-auth-api-key + name: ocis-machine-auth-api-key image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: diff --git a/rendered/envs/production/ocis/deployment-ocs.yaml b/rendered/envs/production/ocis/deployment-ocs.yaml index 1bc3d0d..c38f790 100644 --- a/rendered/envs/production/ocis/deployment-ocs.yaml +++ b/rendered/envs/production/ocis/deployment-ocs.yaml @@ -76,7 +76,7 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: diff --git a/rendered/envs/production/ocis/deployment-proxy.yaml b/rendered/envs/production/ocis/deployment-proxy.yaml index 9127cd9..efbae0c 100644 --- a/rendered/envs/production/ocis/deployment-proxy.yaml +++ b/rendered/envs/production/ocis/deployment-proxy.yaml 
@@ -82,12 +82,12 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: PROXY_MACHINE_AUTH_API_KEY valueFrom: secretKeyRef: key: machine-auth-api-key - name: machine-auth-api-key + name: ocis-machine-auth-api-key - name: PROXY_SERVICE_ACCOUNT_ID valueFrom: configMapKeyRef: @@ -97,7 +97,7 @@ spec: valueFrom: secretKeyRef: key: service-account-secret - name: service-account-secret + name: ocis-service-account-secret - name: PROXY_CSP_CONFIG_FILE_LOCATION value: /etc/ocis/csp.yaml - name: PROXY_AUTOPROVISION_ACCOUNTS diff --git a/rendered/envs/production/ocis/deployment-search.yaml b/rendered/envs/production/ocis/deployment-search.yaml index 598af51..e8022da 100644 --- a/rendered/envs/production/ocis/deployment-search.yaml +++ b/rendered/envs/production/ocis/deployment-search.yaml @@ -69,7 +69,7 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: SEARCH_SERVICE_ACCOUNT_ID valueFrom: configMapKeyRef: @@ -79,7 +79,7 @@ spec: valueFrom: secretKeyRef: key: service-account-secret - name: service-account-secret + name: ocis-service-account-secret - name: OCIS_ASYNC_UPLOADS value: "true" image: owncloud/ocis:7.1.4 diff --git a/rendered/envs/production/ocis/deployment-settings.yaml b/rendered/envs/production/ocis/deployment-settings.yaml index b365e50..6b9df5e 100644 --- a/rendered/envs/production/ocis/deployment-settings.yaml +++ b/rendered/envs/production/ocis/deployment-settings.yaml @@ -80,12 +80,12 @@ spec: valueFrom: secretKeyRef: key: user-id - name: admin-user + name: ocis-admin-user - name: SETTINGS_JWT_SECRET valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: SETTINGS_SERVICE_ACCOUNT_IDS valueFrom: configMapKeyRef: 
@@ -95,12 +95,12 @@ spec: valueFrom: secretKeyRef: key: api-key - name: storage-system + name: ocis-storage-system - name: OCIS_SYSTEM_USER_ID valueFrom: secretKeyRef: key: user-id - name: storage-system + name: ocis-storage-system image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: diff --git a/rendered/envs/production/ocis/deployment-sharing.yaml b/rendered/envs/production/ocis/deployment-sharing.yaml index 6956584..246682d 100644 --- a/rendered/envs/production/ocis/deployment-sharing.yaml +++ b/rendered/envs/production/ocis/deployment-sharing.yaml @@ -68,7 +68,7 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD value: "false" - name: SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD @@ -91,24 +91,24 @@ spec: valueFrom: secretKeyRef: key: api-key - name: storage-system + name: ocis-storage-system - name: SHARING_USER_JSONCS3_SYSTEM_USER_ID valueFrom: secretKeyRef: key: user-id - name: storage-system + name: ocis-storage-system - name: SHARING_PUBLIC_DRIVER value: jsoncs3 - name: SHARING_PUBLIC_JSONCS3_SYSTEM_USER_API_KEY valueFrom: secretKeyRef: key: api-key - name: storage-system + name: ocis-storage-system - name: SHARING_PUBLIC_JSONCS3_SYSTEM_USER_ID valueFrom: secretKeyRef: key: user-id - name: storage-system + name: ocis-storage-system - name: SHARING_USER_JSONCS3_MAX_CONCURRENCY value: "20" image: owncloud/ocis:7.1.4 diff --git a/rendered/envs/production/ocis/deployment-sse.yaml b/rendered/envs/production/ocis/deployment-sse.yaml index e1bd9c7..77aae6a 100644 --- a/rendered/envs/production/ocis/deployment-sse.yaml +++ b/rendered/envs/production/ocis/deployment-sse.yaml @@ -72,7 +72,7 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: 
diff --git a/rendered/envs/production/ocis/deployment-storagepubliclink.yaml b/rendered/envs/production/ocis/deployment-storagepubliclink.yaml index 2e8505f..148e1cc 100644 --- a/rendered/envs/production/ocis/deployment-storagepubliclink.yaml +++ b/rendered/envs/production/ocis/deployment-storagepubliclink.yaml @@ -70,7 +70,7 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: diff --git a/rendered/envs/production/ocis/deployment-storageshares.yaml b/rendered/envs/production/ocis/deployment-storageshares.yaml index e90bf54..a399d0b 100644 --- a/rendered/envs/production/ocis/deployment-storageshares.yaml +++ b/rendered/envs/production/ocis/deployment-storageshares.yaml @@ -66,7 +66,7 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: diff --git a/rendered/envs/production/ocis/deployment-storagesystem.yaml b/rendered/envs/production/ocis/deployment-storagesystem.yaml index daa37db..77a5ec5 100644 --- a/rendered/envs/production/ocis/deployment-storagesystem.yaml +++ b/rendered/envs/production/ocis/deployment-storagesystem.yaml @@ -78,17 +78,17 @@ spec: valueFrom: secretKeyRef: key: storage-system-jwt-secret - name: storage-system-jwt-secret + name: ocis-storage-system-jwt-secret - name: OCIS_SYSTEM_USER_API_KEY valueFrom: secretKeyRef: key: api-key - name: storage-system + name: ocis-storage-system - name: OCIS_SYSTEM_USER_ID valueFrom: secretKeyRef: key: user-id - name: storage-system + name: ocis-storage-system image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: diff --git a/rendered/envs/production/ocis/deployment-storageusers.yaml b/rendered/envs/production/ocis/deployment-storageusers.yaml index 3b8aa9d..dfc7416 100644 --- a/rendered/envs/production/ocis/deployment-storageusers.yaml 
+++ b/rendered/envs/production/ocis/deployment-storageusers.yaml @@ -125,7 +125,7 @@ spec: valueFrom: secretKeyRef: key: service-account-secret - name: service-account-secret + name: ocis-service-account-secret - name: STORAGE_USERS_STAT_CACHE_STORE value: noop - name: STORAGE_USERS_MOUNT_ID @@ -137,12 +137,12 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: OCIS_TRANSFER_SECRET valueFrom: secretKeyRef: key: transfer-secret - name: transfer-secret + name: ocis-transfer-secret - name: OCIS_ASYNC_UPLOADS value: "true" - name: STORAGE_USERS_EVENTS_NUM_CONSUMERS diff --git a/rendered/envs/production/ocis/deployment-thumbnails.yaml b/rendered/envs/production/ocis/deployment-thumbnails.yaml index 0b0c923..986986b 100644 --- a/rendered/envs/production/ocis/deployment-thumbnails.yaml +++ b/rendered/envs/production/ocis/deployment-thumbnails.yaml @@ -84,7 +84,7 @@ spec: valueFrom: secretKeyRef: key: thumbnails-transfer-secret - name: thumbnails-transfer-secret + name: ocis-thumbnails-transfer-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: diff --git a/rendered/envs/production/ocis/deployment-userlog.yaml b/rendered/envs/production/ocis/deployment-userlog.yaml index d72dda0..c91c7d1 100644 --- a/rendered/envs/production/ocis/deployment-userlog.yaml +++ b/rendered/envs/production/ocis/deployment-userlog.yaml @@ -73,12 +73,12 @@ spec: valueFrom: secretKeyRef: key: service-account-secret - name: service-account-secret + name: ocis-service-account-secret - name: USERLOG_JWT_SECRET valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: USERLOG_MAX_CONCURRENCY value: "1" image: owncloud/ocis:7.1.4 diff --git a/rendered/envs/production/ocis/deployment-users.yaml b/rendered/envs/production/ocis/deployment-users.yaml index a4a92d9..80948ef 100644 --- a/rendered/envs/production/ocis/deployment-users.yaml +++ b/rendered/envs/production/ocis/deployment-users.yaml 
@@ -70,14 +70,14 @@ spec:
 valueFrom:
 secretKeyRef:
 key: reva-ldap-bind-password
- name: ldap-bind-secrets
+ name: ocis-ldap-bind-secrets
 - name: USERS_IDP_URL
 value: https://drive.tr1ceracop.de
 - name: USERS_JWT_SECRET
 valueFrom:
 secretKeyRef:
 key: jwt-secret
- name: jwt-secret
+ name: ocis-jwt-secret
 image: owncloud/ocis:7.1.4
 imagePullPolicy: IfNotPresent
 livenessProbe:
@@ -118,4 +118,4 @@ spec:
 name: tmp-volume
 - name: ldap-ca
 secret:
- secretName: ldap-ca
+ secretName: ocis-ldap-ca
diff --git a/rendered/envs/production/ocis/deployment-web.yaml b/rendered/envs/production/ocis/deployment-web.yaml
index 3ceca77..fb1bdb0 100644
--- a/rendered/envs/production/ocis/deployment-web.yaml
+++ b/rendered/envs/production/ocis/deployment-web.yaml
@@ -88,7 +88,7 @@ spec:
 valueFrom:
 secretKeyRef:
 key: jwt-secret
- name: jwt-secret
+ name: ocis-jwt-secret
 image: owncloud/ocis:7.1.4
 imagePullPolicy: IfNotPresent
 livenessProbe:
diff --git a/rendered/envs/production/ocis/job-ocis-secret-init.yaml b/rendered/envs/production/ocis/job-ocis-secret-init.yaml
index 3af091c..8bf96db 100644
--- a/rendered/envs/production/ocis/job-ocis-secret-init.yaml
+++ b/rendered/envs/production/ocis/job-ocis-secret-init.yaml
@@ -3,7 +3,9 @@ kind: Job
 metadata:
 annotations:
 a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+ argocd.argoproj.io/hook: PreSync
 argocd.argoproj.io/sync-options: Replace=true
+ argocd.argoproj.io/sync-wave: "-1"
 name: ocis-secret-init
 namespace: ocis
 spec:
@@ -16,18 +18,104 @@ spec:
 - |
 set -e
- SECRET_NAME="ocis-s3-credentials"
+ gen_random() {
+ head -c 32 /dev/urandom | base64 | tr -dc 'a-zA-Z0-9' | head -c "$1"
+ }
- if ! kubectl get secret "${SECRET_NAME}" -n ${NAMESPACE} >/dev/null 2>&1; then
- echo "ERROR: Secret ${SECRET_NAME} does not exist in namespace ${NAMESPACE}."
- echo "Please create it manually with keys 'accessKey' and 'secretKey':"
- echo " kubectl create secret generic ${SECRET_NAME} -n ${NAMESPACE} \\"
- echo " --from-literal=accessKey= \\"
- echo " --from-literal=secretKey="
+ gen_uuid() {
+ cat /proc/sys/kernel/random/uuid
+ }
+
+ create_secret_if_missing() {
+ local name="$1"
+ shift
+ if kubectl get secret "$name" -n "${NAMESPACE}" >/dev/null 2>&1; then
+ echo "Secret $name already exists, skipping"
+ return
+ fi
+ kubectl create secret generic "$name" -n "${NAMESPACE}" "$@"
+ echo "Created secret $name"
+ }
+
+ # Validate external secrets exist
+ if ! kubectl get secret ocis-s3-credentials -n "${NAMESPACE}" >/dev/null 2>&1; then
+ echo "ERROR: External secret ocis-s3-credentials must be created manually"
 exit 1
- else
- echo "Secret ${SECRET_NAME} exists, OK"
 fi
+
+ # Admin user
+ create_secret_if_missing ocis-admin-user \
+ --from-literal=password="$(gen_random 32)" \
+ --from-literal=user-id="$(gen_uuid)"
+
+ # JWT secret
+ create_secret_if_missing ocis-jwt-secret \
+ --from-literal=jwt-secret="$(gen_random 32)"
+
+ # Machine auth API key
+ create_secret_if_missing ocis-machine-auth-api-key \
+ --from-literal=machine-auth-api-key="$(gen_random 32)"
+
+ # Storage system JWT secret
+ create_secret_if_missing ocis-storage-system-jwt-secret \
+ --from-literal=storage-system-jwt-secret="$(gen_random 32)"
+
+ # Storage system secret
+ create_secret_if_missing ocis-storage-system \
+ --from-literal=api-key="$(gen_random 32)" \
+ --from-literal=user-id="$(gen_uuid)"
+
+ # Transfer secret
+ create_secret_if_missing ocis-transfer-secret \
+ --from-literal=transfer-secret="$(gen_random 32)"
+
+ # Thumbnails transfer secret
+ create_secret_if_missing ocis-thumbnails-transfer-secret \
+ --from-literal=thumbnails-transfer-secret="$(gen_random 32)"
+
+ # Service account secret
+ create_secret_if_missing ocis-service-account-secret \
+ --from-literal=service-account-secret="$(gen_random 32)"
+
+ # Collaboration WOPI secret
+ create_secret_if_missing ocis-collaboration-wopi-secret \
+ --from-literal=wopi-secret="$(gen_random 32)"
+
+ # LDAP bind secrets (three passwords for different bind users)
+ create_secret_if_missing ocis-ldap-bind-secrets \
+ --from-literal=reva-ldap-bind-password="$(gen_random 32)" \
+ --from-literal=idp-ldap-bind-password="$(gen_random 32)" \
+ --from-literal=graph-ldap-bind-password="$(gen_random 32)"
+
+ # IDP secret (encryption key + RSA private key)
+ create_secret_if_missing ocis-idp-secrets \
+ --from-literal=encryption.key="$(gen_random 32)" \
+ --from-literal=private-key.pem="$(openssl genrsa 4096 2>/dev/null)"
+
+ # LDAP CA cert + key (self-signed)
+ if ! kubectl get secret ocis-ldap-ca -n "${NAMESPACE}" >/dev/null 2>&1; then
+ openssl req -x509 -newkey rsa:2048 -keyout /tmp/ldap-ca.key -out /tmp/ldap-ca.crt \
+ -days 3650 -nodes -subj "/CN=ldap-ca" 2>/dev/null
+ kubectl create secret generic ocis-ldap-ca -n "${NAMESPACE}" \
+ --from-file=ldap-ca.crt=/tmp/ldap-ca.crt
+ echo "Created secret ocis-ldap-ca"
+
+ # LDAP server cert signed by the CA
+ openssl req -newkey rsa:2048 -keyout /tmp/ldap.key -out /tmp/ldap.csr \
+ -nodes -subj "/CN=idm" -addext "subjectAltName=DNS:idm" 2>/dev/null
+ openssl x509 -req -in /tmp/ldap.csr -CA /tmp/ldap-ca.crt -CAkey /tmp/ldap-ca.key \
+ -CAcreateserial -out /tmp/ldap.crt -days 3650 \
+ -extfile <(printf "subjectAltName=DNS:idm") 2>/dev/null
+ kubectl create secret generic ocis-ldap-cert -n "${NAMESPACE}" \
+ --from-file=ldap.crt=/tmp/ldap.crt \
+ --from-file=ldap.key=/tmp/ldap.key
+ echo "Created secret ocis-ldap-cert"
+ rm -f /tmp/ldap-ca.key /tmp/ldap-ca.crt /tmp/ldap.key /tmp/ldap.crt /tmp/ldap.csr /tmp/ldap-ca.srl
+ else
+ echo "Secret ocis-ldap-ca already exists, skipping LDAP certs"
+ fi
+
+ echo "All secrets initialized successfully"
 env:
 - name: NAMESPACE
 valueFrom:
diff --git a/rendered/envs/production/ocis/role-ocis-secret-init.yaml b/rendered/envs/production/ocis/role-ocis-secret-init.yaml
index cd5b69b..d7369c5 100644
--- a/rendered/envs/production/ocis/role-ocis-secret-init.yaml
+++ b/rendered/envs/production/ocis/role-ocis-secret-init.yaml
@@ -3,6 +3,8 @@ kind: Role
 metadata:
 annotations:
 a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+ argocd.argoproj.io/hook: PreSync
+ argocd.argoproj.io/sync-wave: "-2"
 name: ocis-secret-init
 namespace: ocis
 rules:
diff --git a/rendered/envs/production/ocis/rolebinding-ocis-secret-init.yaml b/rendered/envs/production/ocis/rolebinding-ocis-secret-init.yaml
index 93d3e50..81aad86 100644
--- a/rendered/envs/production/ocis/rolebinding-ocis-secret-init.yaml
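Review bot: A generator that fails still yields a persisted, empty credential: `$(gen_random 32)` and `$(openssl genrsa 4096 2>/dev/null)` are expanded straight into `kubectl create secret` arguments, where a substitution's exit status is ignored and `set -e` gives no protection, so `ocis-jwt-secret` or `ocis-idp-secrets` can be created with an empty value that `create_secret_if_missing` then reports as already existing on every later run. I would have `create_secret_if_missing` reject any `--from-literal=key=` with an empty value before it calls `kubectl create` (draft below; these lines sit inside the `- |` script body). The LDAP block has the same one-way trap: if the run dies between creating `ocis-ldap-ca` and `ocis-ldap-cert`, the CA exists without a server cert, the CA key in `/tmp` is gone with the pod, and every later run prints "already exists, skipping LDAP certs" — checking both secrets and exiting with an error when only one is present would surface that instead. `<(printf ...)` is a bash process substitution and `-addext` needs OpenSSL 1.1.1+; the container image and shell invocation are outside this hunk, so confirm the script is not run under `sh`. Separately, the deleted rendered Secret manifests carried live values in git history, and any persistent state seeded from them (presumably the idm admin password and the storage-system user-id) is not re-seeded by the fresh random `ocis-*` values — worth verifying those were rotated or the data reset.

```shell
create_secret_if_missing() {
  local name="$1"
  shift
  if kubectl get secret "$name" -n "${NAMESPACE}" >/dev/null 2>&1; then
    echo "Secret $name already exists, skipping"
    return
  fi
  local arg
  for arg in "$@"; do
    case "$arg" in
      --from-literal=*=)
        echo "ERROR: refusing to create secret $name with empty value for ${arg#--from-literal=}" >&2
        exit 1 ;;
    esac
  done
  kubectl create secret generic "$name" -n "${NAMESPACE}" "$@"
  echo "Created secret $name"
}
# … unchanged: external-secret check, create_secret_if_missing calls, LDAP cert block …
```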
+++ b/rendered/envs/production/ocis/rolebinding-ocis-secret-init.yaml
@@ -3,6 +3,8 @@ kind: RoleBinding
 metadata:
 annotations:
 a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+ argocd.argoproj.io/hook: PreSync
+ argocd.argoproj.io/sync-wave: "-2"
 name: ocis-secret-init
 namespace: ocis
 roleRef:
diff --git a/rendered/envs/production/ocis/secret-admin-user.yaml b/rendered/envs/production/ocis/secret-admin-user.yaml
deleted file mode 100644
index 3d7afe8..0000000
--- a/rendered/envs/production/ocis/secret-admin-user.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: v1
-data:
- password: cHNCME40QW85Y3NDYTYxOVNpUVVrY0VJZTYxajdU
- user-id: MTJjNDE0OGUtZGIxZC00ZTUxLWIwZDQtMjc4YzhlMTExZjcz
-kind: Secret
-metadata:
- annotations:
- a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
- labels: null
- name: admin-user
- namespace: ocis
diff --git a/rendered/envs/production/ocis/secret-collaboration-wopi-secret.yaml b/rendered/envs/production/ocis/secret-collaboration-wopi-secret.yaml
deleted file mode 100644
index a56cefc..0000000
--- a/rendered/envs/production/ocis/secret-collaboration-wopi-secret.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: v1
-data:
- wopi-secret: Wno2dmFISjdBTFVKZ3BWeXFhdTM4eDNiWVVVeHlv
-kind: Secret
-metadata:
- annotations:
- a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
- labels: null
- name: collaboration-wopi-secret
- namespace: ocis
diff --git a/rendered/envs/production/ocis/secret-idp-secrets.yaml b/rendered/envs/production/ocis/secret-idp-secrets.yaml
deleted file mode 100644
index 9816e66..0000000
--- a/rendered/envs/production/ocis/secret-idp-secrets.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: v1
-data:
- encryption.key: NU1FOHBzQ2Q3akZSJz0qP352czZ5cUlYJEhPUEl7fnc=
- private-key.pem: 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
-kind: Secret
-metadata:
- annotations:
- a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
- labels: null
- name: idp-secrets
- namespace: ocis
diff --git a/rendered/envs/production/ocis/secret-jwt-secret.yaml b/rendered/envs/production/ocis/secret-jwt-secret.yaml
deleted file mode 100644
index 13e076a..0000000
--- a/rendered/envs/production/ocis/secret-jwt-secret.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: v1
-data:
- jwt-secret: N0FxeFRwa2xVdDZ1MmJ0MVlNbGIzQ3E3Y2paRXQw
-kind: Secret
-metadata:
- annotations:
- a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
- labels: null
- name: jwt-secret
- namespace: ocis
diff --git a/rendered/envs/production/ocis/secret-ldap-bind-secrets.yaml b/rendered/envs/production/ocis/secret-ldap-bind-secrets.yaml
deleted file mode 100644
index f61a1f8..0000000
--- a/rendered/envs/production/ocis/secret-ldap-bind-secrets.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: v1
-data:
- graph-ldap-bind-password: OXhsb0V0N3YwM2Zrc24xY0lpanBwZmRhTlYybEV5
- idp-ldap-bind-password: eFNndGZaRzF0SzhNeXB4c0doSTJhd3B6aDZGQWE3
- reva-ldap-bind-password: aWZRZXVtQ3hYVERFdWx6bElHQXQ4TUdHazF4cGQ0
-kind: Secret
-metadata:
- annotations:
- a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
- labels: null
- name: ldap-bind-secrets
- namespace: ocis
diff --git a/rendered/envs/production/ocis/secret-ldap-ca.yaml b/rendered/envs/production/ocis/secret-ldap-ca.yaml
deleted file mode 100644
index e111b1e..0000000
--- a/rendered/envs/production/ocis/secret-ldap-ca.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: v1
-data:
- ldap-ca.crt: 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
-kind: Secret
-metadata:
- annotations:
- a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
- labels: null
- name: ldap-ca
- namespace: ocis
diff --git a/rendered/envs/production/ocis/secret-ldap-cert.yaml b/rendered/envs/production/ocis/secret-ldap-cert.yaml
deleted file mode 100644
index b87d394..0000000
--- a/rendered/envs/production/ocis/secret-ldap-cert.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: v1
-data:
- ldap.crt: 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
- ldap.key: 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
-kind: Secret
-metadata:
- annotations:
- a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
- labels: null
- name: ldap-cert
- namespace: ocis
diff --git a/rendered/envs/production/ocis/secret-machine-auth-api-key.yaml b/rendered/envs/production/ocis/secret-machine-auth-api-key.yaml
deleted file mode 100644
index 039f672..0000000
--- a/rendered/envs/production/ocis/secret-machine-auth-api-key.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: v1
-data:
- machine-auth-api-key: Ymh0RmU1Zko3VWpsZDJRM09RWUJPclJUOHlmNUpS
-kind: Secret
-metadata:
- annotations:
- a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
- labels: null
- name: machine-auth-api-key
- namespace: ocis
diff --git a/rendered/envs/production/ocis/secret-service-account-secret.yaml b/rendered/envs/production/ocis/secret-service-account-secret.yaml
deleted file mode 100644
index 4a7914a..0000000
--- a/rendered/envs/production/ocis/secret-service-account-secret.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: v1
-data:
- service-account-secret: S25hYjNES2pUWDRVOWNrSHI2dlZBaWJyOVFqZ1NT
-kind: Secret
-metadata:
- annotations:
- a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
- labels: null
- name: service-account-secret
- namespace: ocis
diff --git a/rendered/envs/production/ocis/secret-storage-system-jwt-secret.yaml b/rendered/envs/production/ocis/secret-storage-system-jwt-secret.yaml
deleted file mode 100644
index 4f0b8ef..0000000
--- a/rendered/envs/production/ocis/secret-storage-system-jwt-secret.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: v1
-data:
- storage-system-jwt-secret: T2FTMVBaQW5tamVxQ2RXckZFQ3Q3M2VrdnBKNmx0
-kind: Secret
-metadata:
- annotations:
- a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
- labels: null
- name: storage-system-jwt-secret
- namespace: ocis
diff --git a/rendered/envs/production/ocis/secret-storage-system.yaml b/rendered/envs/production/ocis/secret-storage-system.yaml
deleted file mode 100644
index fec9310..0000000
--- a/rendered/envs/production/ocis/secret-storage-system.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: v1
-data:
- api-key: YlJCR2dobmZOTjJzUWQ1NkVyYVRFZEN5S1FMTWx4
- user-id: MWFlNzk2YmYtMWI0ZS00ZGI2LWI2OTUtM2E5ZGE3MDU1NDc1
-kind: Secret
-metadata:
- annotations:
- a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
- labels: null
- name: storage-system
- namespace: ocis
diff --git a/rendered/envs/production/ocis/secret-thumbnails-transfer-secret.yaml b/rendered/envs/production/ocis/secret-thumbnails-transfer-secret.yaml
deleted file mode 100644
index 43c4fc5..0000000
--- a/rendered/envs/production/ocis/secret-thumbnails-transfer-secret.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: v1
-data:
- thumbnails-transfer-secret: MUJMNk44aktWVXlIYW1lS2RBVklaMk9MZ1dKY0M4
-kind: Secret
-metadata:
- annotations:
- a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
- labels: null
- name: thumbnails-transfer-secret
- namespace: ocis
diff --git a/rendered/envs/production/ocis/secret-transfer-secret.yaml b/rendered/envs/production/ocis/secret-transfer-secret.yaml
deleted file mode 100644
index 53eab5c..0000000
--- a/rendered/envs/production/ocis/secret-transfer-secret.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: v1
-data:
- transfer-secret: ajhYWFQyYVBRcEs0a0pCeXc1cjJnWHRBOTVzQjZh
-kind: Secret
-metadata:
- annotations:
- a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
- labels: null
- name: transfer-secret
- namespace: ocis
diff --git a/rendered/envs/production/ocis/serviceaccount-ocis-secret-init.yaml b/rendered/envs/production/ocis/serviceaccount-ocis-secret-init.yaml
index f623792..22f0e96 100644
--- a/rendered/envs/production/ocis/serviceaccount-ocis-secret-init.yaml
+++ b/rendered/envs/production/ocis/serviceaccount-ocis-secret-init.yaml
@@ -3,5 +3,7 @@ kind: ServiceAccount
 metadata:
 annotations:
 a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+ argocd.argoproj.io/hook: PreSync
+ argocd.argoproj.io/sync-wave: "-2"
 name: ocis-secret-init
 namespace: ocis