diff --git a/CLAUDE.md b/CLAUDE.md index ada3553..72cb37d 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -74,6 +74,11 @@ kubectl apply -f rendered/envs/production// --server-side # Deploy ## Container Images - **Never use bitnami images.** Use `alpine/k8s` or plain `alpine` for utility Jobs instead. -## Secrets (not in git) -- `cert-manager/letsencrypt-account-key` — ACME account key (auto-generated) -- `argocd/argocd-initial-admin-secret` — ArgoCD admin password (auto-generated) +## Secrets +- **Never commit secrets to git.** This is a public repository. +- **All secrets must be generated in-cluster** using init Jobs (ArgoCD PreSync hooks) that create secrets if they don't already exist. See `prototypes/ocis/ytt/s3-secret-job.ytt.yaml` for the pattern. +- **External secrets** (e.g. S3 credentials) that cannot be generated must be created manually in the cluster before deploying. The init Job should validate their existence and fail fast if missing. +- When adding a new application that uses a Helm chart generating secrets, configure all `secretRefs` to point to pre-created secret names and use an init Job to generate them. +- Known external secrets (not in git, created manually): + - `ocis/ocis-s3-credentials` — Hetzner S3 access key and secret key + - `cert-manager/letsencrypt-account-key` — ACME account key (auto-generated by cert-manager) diff --git a/prototypes/ocis/helm/ocis.yaml b/prototypes/ocis/helm/ocis.yaml index 10a1832..adda280 100644 --- a/prototypes/ocis/helm/ocis.yaml +++ b/prototypes/ocis/helm/ocis.yaml 
@@ -21,6 +21,19 @@ resources: cpu: 10m secretRefs: + adminUserSecretRef: ocis-admin-user + idpSecretRef: ocis-idp-secrets + jwtSecretRef: ocis-jwt-secret + ldapSecretRef: ocis-ldap-bind-secrets + ldapCaRef: ocis-ldap-ca + ldapCertRef: ocis-ldap-cert + machineAuthApiKeySecretRef: ocis-machine-auth-api-key + storagesystemJwtSecretRef: ocis-storage-system-jwt-secret + storagesystemSecretRef: ocis-storage-system + thumbnailsSecretRef: ocis-thumbnails-transfer-secret + transferSecretSecretRef: ocis-transfer-secret + serviceAccountSecretRef: ocis-service-account-secret + collaborationWopiSecret: ocis-collaboration-wopi-secret s3CredentialsSecretRef: ocis-s3-credentials services: diff --git a/prototypes/ocis/ytt/s3-secret-job.ytt.yaml b/prototypes/ocis/ytt/s3-secret-job.ytt.yaml index 280afc9..7eacece 100644 --- a/prototypes/ocis/ytt/s3-secret-job.ytt.yaml +++ b/prototypes/ocis/ytt/s3-secret-job.ytt.yaml @@ -8,6 +8,8 @@ kind: ServiceAccount metadata: name: ocis-secret-init namespace: #@ ns + annotations: + argocd.argoproj.io/hook: PreSync --- apiVersion: rbac.authorization.k8s.io/v1 @@ -15,6 +17,8 @@ kind: Role metadata: name: ocis-secret-init namespace: #@ ns + annotations: + argocd.argoproj.io/hook: PreSync rules: - apiGroups: [""] resources: ["secrets"] @@ -26,6 +30,8 @@ kind: RoleBinding metadata: name: ocis-secret-init namespace: #@ ns + annotations: + argocd.argoproj.io/hook: PreSync subjects: - kind: ServiceAccount name: ocis-secret-init @@ -42,6 +48,8 @@ metadata: name: ocis-secret-init namespace: #@ ns annotations: + argocd.argoproj.io/sync-wave: "-1" + argocd.argoproj.io/hook: PreSync argocd.argoproj.io/sync-options: Replace=true spec: ttlSecondsAfterFinished: 300 
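Review bot: The secret names added under `secretRefs:` are a contract with the init Job in `prototypes/ocis/ytt/s3-secret-job.ytt.yaml`, but nothing in this file says so, and a rename on either side would surface only as pods stuck on a missing secret at deploy time. A comment above the block such as `# Names must match the secrets created by ytt/s3-secret-job.ytt.yaml (ArgoCD PreSync hook); the chart must not generate them` would make that explicit. The `collaborationWopiSecret` entry lacks the `Ref` suffix the other keys carry — presumably the chart's own key name, but worth confirming against the chart's values schema, since an unknown key is silently ignored and the chart would then generate its own secret. The rendered ConfigMap hunks later in this diff show `storage-uuid`, `application-id` and `service-account-id` changing on re-render, so the chart still produces non-secret identifiers at template time; if the chart exposes values to pin those, doing so the same way would keep production identifiers stable across renders.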
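Review bot: The Job gets `argocd.argoproj.io/sync-wave: "-1"` in the `@@ -42,6 +48,8 @@` hunk, while the ServiceAccount here and the Role and RoleBinding in `@@ -15,6 +17,8 @@` and `@@ -26,6 +30,8 @@` become PreSync hooks with no wave, i.e. wave 0; Argo CD orders hooks within a phase by wave and waits for a wave to complete, so the Job would be created before its ServiceAccount exists and its pods could not be created until the sync times out. Either give the three RBAC objects an earlier wave, `argocd.argoproj.io/sync-wave: "-2"`, or drop the wave from the Job so all four land in the same wave. If the default hook delete policy (BeforeHookCreation, as I read the Argo CD docs) applies, the previous sync's Job is removed before the new one is created, so `sync-options: Replace=true` on the Job may be redundant — worth confirming and stating in a comment so the next maintainer does not re-add it.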
@@ -58,18 +66,104 @@ spec: - | set -e - SECRET_NAME="ocis-s3-credentials" + gen_random() { + head -c 32 /dev/urandom | base64 | tr -dc 'a-zA-Z0-9' | head -c "$1" + } - if ! kubectl get secret "${SECRET_NAME}" -n ${NAMESPACE} >/dev/null 2>&1; then - echo "ERROR: Secret ${SECRET_NAME} does not exist in namespace ${NAMESPACE}." - echo "Please create it manually with keys 'accessKey' and 'secretKey':" - echo " kubectl create secret generic ${SECRET_NAME} -n ${NAMESPACE} \\" - echo " --from-literal=accessKey= \\" - echo " --from-literal=secretKey=" + gen_uuid() { + cat /proc/sys/kernel/random/uuid + } + + create_secret_if_missing() { + local name="$1" + shift + if kubectl get secret "$name" -n "${NAMESPACE}" >/dev/null 2>&1; then + echo "Secret $name already exists, skipping" + return + fi + kubectl create secret generic "$name" -n "${NAMESPACE}" "$@" + echo "Created secret $name" + } + + # Validate external secrets exist + if ! kubectl get secret ocis-s3-credentials -n "${NAMESPACE}" >/dev/null 2>&1; then + echo "ERROR: External secret ocis-s3-credentials must be created manually" exit 1 - else - echo "Secret ${SECRET_NAME} exists, OK" fi + + # Admin user + create_secret_if_missing ocis-admin-user \ + --from-literal=password="$(gen_random 32)" \ + --from-literal=user-id="$(gen_uuid)" + + # JWT secret + create_secret_if_missing ocis-jwt-secret \ + --from-literal=jwt-secret="$(gen_random 32)" + + # Machine auth API key + create_secret_if_missing ocis-machine-auth-api-key \ + --from-literal=machine-auth-api-key="$(gen_random 32)" + + # Storage system JWT secret + create_secret_if_missing ocis-storage-system-jwt-secret \ + --from-literal=storage-system-jwt-secret="$(gen_random 32)" + + # Storage system secret + create_secret_if_missing ocis-storage-system \ + --from-literal=api-key="$(gen_random 32)" \ + --from-literal=user-id="$(gen_uuid)" + + # Transfer secret + create_secret_if_missing ocis-transfer-secret \ + --from-literal=transfer-secret="$(gen_random 32)" + + # 
Thumbnails transfer secret + create_secret_if_missing ocis-thumbnails-transfer-secret \ + --from-literal=thumbnails-transfer-secret="$(gen_random 32)" + + # Service account secret + create_secret_if_missing ocis-service-account-secret \ + --from-literal=service-account-secret="$(gen_random 32)" + + # Collaboration WOPI secret + create_secret_if_missing ocis-collaboration-wopi-secret \ + --from-literal=wopi-secret="$(gen_random 32)" + + # LDAP bind secrets (three passwords for different bind users) + create_secret_if_missing ocis-ldap-bind-secrets \ + --from-literal=reva-ldap-bind-password="$(gen_random 32)" \ + --from-literal=idp-ldap-bind-password="$(gen_random 32)" \ + --from-literal=graph-ldap-bind-password="$(gen_random 32)" + + # IDP secret (encryption key + RSA private key) + create_secret_if_missing ocis-idp-secrets \ + --from-literal=encryption.key="$(gen_random 32)" \ + --from-literal=private-key.pem="$(openssl genrsa 4096 2>/dev/null)" + + # LDAP CA cert + key (self-signed) + if ! 
kubectl get secret ocis-ldap-ca -n "${NAMESPACE}" >/dev/null 2>&1; then + openssl req -x509 -newkey rsa:2048 -keyout /tmp/ldap-ca.key -out /tmp/ldap-ca.crt \ + -days 3650 -nodes -subj "/CN=ldap-ca" 2>/dev/null + kubectl create secret generic ocis-ldap-ca -n "${NAMESPACE}" \ + --from-file=ldap-ca.crt=/tmp/ldap-ca.crt + echo "Created secret ocis-ldap-ca" + + # LDAP server cert signed by the CA + openssl req -newkey rsa:2048 -keyout /tmp/ldap.key -out /tmp/ldap.csr \ + -nodes -subj "/CN=idm" -addext "subjectAltName=DNS:idm" 2>/dev/null + openssl x509 -req -in /tmp/ldap.csr -CA /tmp/ldap-ca.crt -CAkey /tmp/ldap-ca.key \ + -CAcreateserial -out /tmp/ldap.crt -days 3650 \ + -extfile <(printf "subjectAltName=DNS:idm") 2>/dev/null + kubectl create secret generic ocis-ldap-cert -n "${NAMESPACE}" \ + --from-file=ldap.crt=/tmp/ldap.crt \ + --from-file=ldap.key=/tmp/ldap.key + echo "Created secret ocis-ldap-cert" + rm -f /tmp/ldap-ca.key /tmp/ldap-ca.crt /tmp/ldap.key /tmp/ldap.crt /tmp/ldap.csr /tmp/ldap-ca.srl + else + echo "Secret ocis-ldap-ca already exists, skipping LDAP certs" + fi + + echo "All secrets initialized successfully" env: - name: NAMESPACE valueFrom: diff --git a/rendered/envs/production/ocis/configmap-auth-service.yaml b/rendered/envs/production/ocis/configmap-auth-service.yaml index 1d05dc1..472c2a0 100644 --- a/rendered/envs/production/ocis/configmap-auth-service.yaml +++ b/rendered/envs/production/ocis/configmap-auth-service.yaml @@ -1,6 +1,6 @@ apiVersion: v1 data: - service-account-id: c1561758-95a8-4926-aff8-a689830e1c46 + service-account-id: c74606e0-92eb-4dbd-91b0-a34e369faa68 kind: ConfigMap metadata: annotations: diff --git a/rendered/envs/production/ocis/configmap-graph.yaml b/rendered/envs/production/ocis/configmap-graph.yaml index 403c3fc..216958d 100644 --- a/rendered/envs/production/ocis/configmap-graph.yaml +++ b/rendered/envs/production/ocis/configmap-graph.yaml 
@@ -1,6 +1,6 @@ apiVersion: v1 data: - application-id: 7ee4ec5b-f9ab-4785-bc57-18b2b0ed19df + application-id: ac644617-90d8-4a6e-a92e-d9b884802488 kind: ConfigMap metadata: annotations: diff --git a/rendered/envs/production/ocis/configmap-storage-users.yaml b/rendered/envs/production/ocis/configmap-storage-users.yaml index 32759c9..7496c0f 100644 --- a/rendered/envs/production/ocis/configmap-storage-users.yaml +++ b/rendered/envs/production/ocis/configmap-storage-users.yaml @@ -1,6 +1,6 @@ apiVersion: v1 data: - storage-uuid: 322b777b-988b-40ab-88b0-96f4bcd6b010 + storage-uuid: eb302a83-0266-48b5-aa8f-78a12c0d8be1 kind: ConfigMap metadata: annotations: diff --git a/rendered/envs/production/ocis/cronjob-storage-users-clean-expired-uploads.yaml b/rendered/envs/production/ocis/cronjob-storage-users-clean-expired-uploads.yaml index 65f496b..97bcfe7 100644 --- a/rendered/envs/production/ocis/cronjob-storage-users-clean-expired-uploads.yaml +++ b/rendered/envs/production/ocis/cronjob-storage-users-clean-expired-uploads.yaml @@ -70,12 +70,12 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: OCIS_TRANSFER_SECRET valueFrom: secretKeyRef: key: transfer-secret - name: transfer-secret + name: ocis-transfer-secret - name: STORAGE_USERS_MOUNT_ID valueFrom: configMapKeyRef: @@ -90,7 +90,7 @@ spec: valueFrom: secretKeyRef: key: service-account-secret - name: service-account-secret + name: ocis-service-account-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent name: storage-users-clean-expired-uploads diff --git a/rendered/envs/production/ocis/cronjob-storage-users-purge-expired-trash-bin-items.yaml b/rendered/envs/production/ocis/cronjob-storage-users-purge-expired-trash-bin-items.yaml index 909cc44..0485c10 100644 --- a/rendered/envs/production/ocis/cronjob-storage-users-purge-expired-trash-bin-items.yaml +++ b/rendered/envs/production/ocis/cronjob-storage-users-purge-expired-trash-bin-items.yaml 
@@ -51,12 +51,12 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: OCIS_TRANSFER_SECRET valueFrom: secretKeyRef: key: transfer-secret - name: transfer-secret + name: ocis-transfer-secret - name: STORAGE_USERS_MOUNT_ID valueFrom: configMapKeyRef: @@ -71,7 +71,7 @@ spec: valueFrom: secretKeyRef: key: service-account-secret - name: service-account-secret + name: ocis-service-account-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent name: storage-users-purge-expired-trash-bin-items diff --git a/rendered/envs/production/ocis/cronjob-storage-users-restart-postprocessing.yaml b/rendered/envs/production/ocis/cronjob-storage-users-restart-postprocessing.yaml index 996bfac..6907bc9 100644 --- a/rendered/envs/production/ocis/cronjob-storage-users-restart-postprocessing.yaml +++ b/rendered/envs/production/ocis/cronjob-storage-users-restart-postprocessing.yaml @@ -53,12 +53,12 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: OCIS_TRANSFER_SECRET valueFrom: secretKeyRef: key: transfer-secret - name: transfer-secret + name: ocis-transfer-secret - name: STORAGE_USERS_MOUNT_ID valueFrom: configMapKeyRef: @@ -73,7 +73,7 @@ spec: valueFrom: secretKeyRef: key: service-account-secret - name: service-account-secret + name: ocis-service-account-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent name: storage-users-restart-postprocessing diff --git a/rendered/envs/production/ocis/deployment-activitylog.yaml b/rendered/envs/production/ocis/deployment-activitylog.yaml index cfe871a..18b6bb5 100644 --- a/rendered/envs/production/ocis/deployment-activitylog.yaml +++ b/rendered/envs/production/ocis/deployment-activitylog.yaml 
@@ -79,12 +79,12 @@ spec: valueFrom: secretKeyRef: key: service-account-secret - name: service-account-secret + name: ocis-service-account-secret - name: ACTIVITYLOG_JWT_SECRET valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: diff --git a/rendered/envs/production/ocis/deployment-appregistry.yaml b/rendered/envs/production/ocis/deployment-appregistry.yaml index 56f7d97..0934d0c 100644 --- a/rendered/envs/production/ocis/deployment-appregistry.yaml +++ b/rendered/envs/production/ocis/deployment-appregistry.yaml @@ -68,7 +68,7 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: diff --git a/rendered/envs/production/ocis/deployment-authmachine.yaml b/rendered/envs/production/ocis/deployment-authmachine.yaml index 43c9639..c3aa607 100644 --- a/rendered/envs/production/ocis/deployment-authmachine.yaml +++ b/rendered/envs/production/ocis/deployment-authmachine.yaml @@ -66,12 +66,12 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: AUTH_MACHINE_API_KEY valueFrom: secretKeyRef: key: machine-auth-api-key - name: machine-auth-api-key + name: ocis-machine-auth-api-key image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: diff --git a/rendered/envs/production/ocis/deployment-authservice.yaml b/rendered/envs/production/ocis/deployment-authservice.yaml index af2854f..c7daff0 100644 --- a/rendered/envs/production/ocis/deployment-authservice.yaml +++ b/rendered/envs/production/ocis/deployment-authservice.yaml @@ -66,7 +66,7 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: AUTH_SERVICE_SERVICE_ACCOUNT_ID valueFrom: configMapKeyRef: 
@@ -76,7 +76,7 @@ spec: valueFrom: secretKeyRef: key: service-account-secret - name: service-account-secret + name: ocis-service-account-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: diff --git a/rendered/envs/production/ocis/deployment-clientlog.yaml b/rendered/envs/production/ocis/deployment-clientlog.yaml index 022b7d0..625d9d7 100644 --- a/rendered/envs/production/ocis/deployment-clientlog.yaml +++ b/rendered/envs/production/ocis/deployment-clientlog.yaml @@ -71,12 +71,12 @@ spec: valueFrom: secretKeyRef: key: service-account-secret - name: service-account-secret + name: ocis-service-account-secret - name: CLIENTLOG_JWT_SECRET valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: diff --git a/rendered/envs/production/ocis/deployment-frontend.yaml b/rendered/envs/production/ocis/deployment-frontend.yaml index f794287..0cdbd6b 100644 --- a/rendered/envs/production/ocis/deployment-frontend.yaml +++ b/rendered/envs/production/ocis/deployment-frontend.yaml @@ -76,7 +76,7 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: FRONTEND_APP_HANDLER_INSECURE value: "false" - name: FRONTEND_ARCHIVER_INSECURE @@ -103,7 +103,7 @@ spec: valueFrom: secretKeyRef: key: machine-auth-api-key - name: machine-auth-api-key + name: ocis-machine-auth-api-key - name: FRONTEND_SERVICE_ACCOUNT_ID valueFrom: configMapKeyRef: @@ -113,12 +113,12 @@ spec: valueFrom: secretKeyRef: key: service-account-secret - name: service-account-secret + name: ocis-service-account-secret - name: OCIS_TRANSFER_SECRET valueFrom: secretKeyRef: key: transfer-secret - name: transfer-secret + name: ocis-transfer-secret - name: FRONTEND_AUTO_ACCEPT_SHARES value: "true" - name: FRONTEND_MAX_CONCURRENCY 
diff --git a/rendered/envs/production/ocis/deployment-gateway.yaml b/rendered/envs/production/ocis/deployment-gateway.yaml index 7264bde..5b695b6 100644 --- a/rendered/envs/production/ocis/deployment-gateway.yaml +++ b/rendered/envs/production/ocis/deployment-gateway.yaml @@ -79,12 +79,12 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: OCIS_TRANSFER_SECRET valueFrom: secretKeyRef: key: transfer-secret - name: transfer-secret + name: ocis-transfer-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: diff --git a/rendered/envs/production/ocis/deployment-graph.yaml b/rendered/envs/production/ocis/deployment-graph.yaml index d24df65..3e94a57 100644 --- a/rendered/envs/production/ocis/deployment-graph.yaml +++ b/rendered/envs/production/ocis/deployment-graph.yaml @@ -84,7 +84,7 @@ spec: valueFrom: secretKeyRef: key: graph-ldap-bind-password - name: ldap-bind-secrets + name: ocis-ldap-bind-secrets - name: OCIS_SHOW_USER_EMAIL_IN_RESULTS value: "false" - name: GRAPH_APPLICATION_ID @@ -96,7 +96,7 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: OCIS_DEFAULT_LANGUAGE value: en - name: GRAPH_SERVICE_ACCOUNT_ID @@ -108,7 +108,7 @@ spec: valueFrom: secretKeyRef: key: service-account-secret - name: service-account-secret + name: ocis-service-account-secret - name: OCIS_ENABLE_OCM value: "false" image: owncloud/ocis:7.1.4 @@ -152,4 +152,4 @@ spec: name: messaging-system-ca - name: ldap-ca secret: - secretName: ldap-ca + secretName: ocis-ldap-ca diff --git a/rendered/envs/production/ocis/deployment-groups.yaml b/rendered/envs/production/ocis/deployment-groups.yaml index 2f003a9..18dd40c 100644 --- a/rendered/envs/production/ocis/deployment-groups.yaml +++ b/rendered/envs/production/ocis/deployment-groups.yaml 
@@ -70,14 +70,14 @@ spec: valueFrom: secretKeyRef: key: reva-ldap-bind-password - name: ldap-bind-secrets + name: ocis-ldap-bind-secrets - name: GROUPS_IDP_URL value: https://drive.tr1ceracop.de - name: GROUPS_JWT_SECRET valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: @@ -118,4 +118,4 @@ spec: name: tmp-volume - name: ldap-ca secret: - secretName: ldap-ca + secretName: ocis-ldap-ca diff --git a/rendered/envs/production/ocis/deployment-idm.yaml b/rendered/envs/production/ocis/deployment-idm.yaml index 58a8c71..b2a7e2f 100644 --- a/rendered/envs/production/ocis/deployment-idm.yaml +++ b/rendered/envs/production/ocis/deployment-idm.yaml @@ -67,27 +67,27 @@ spec: valueFrom: secretKeyRef: key: password - name: admin-user + name: ocis-admin-user - name: IDM_ADMIN_USER_ID valueFrom: secretKeyRef: key: user-id - name: admin-user + name: ocis-admin-user - name: IDM_SVC_PASSWORD valueFrom: secretKeyRef: key: graph-ldap-bind-password - name: ldap-bind-secrets + name: ocis-ldap-bind-secrets - name: IDM_REVASVC_PASSWORD valueFrom: secretKeyRef: key: reva-ldap-bind-password - name: ldap-bind-secrets + name: ocis-ldap-bind-secrets - name: IDM_IDPSVC_PASSWORD valueFrom: secretKeyRef: key: idp-ldap-bind-password - name: ldap-bind-secrets + name: ocis-ldap-bind-secrets - name: IDM_LDAPS_CERT value: /etc/ocis/ldap-cert/ldap.crt - name: IDM_LDAPS_KEY @@ -150,7 +150,7 @@ spec: volumes: - name: ldap-cert secret: - secretName: ldap-cert + secretName: ocis-ldap-cert - name: idm-data persistentVolumeClaim: claimName: idm-data diff --git a/rendered/envs/production/ocis/deployment-idp.yaml b/rendered/envs/production/ocis/deployment-idp.yaml index 0fee8db..5170266 100644 --- a/rendered/envs/production/ocis/deployment-idp.yaml +++ b/rendered/envs/production/ocis/deployment-idp.yaml 
@@ -70,7 +70,7 @@ spec: valueFrom: secretKeyRef: key: idp-ldap-bind-password - name: ldap-bind-secrets + name: ocis-ldap-bind-secrets - name: IDP_SIGNING_PRIVATE_KEY_FILES value: /etc/ocis/idp/private-key.pem - name: IDP_ENCRYPTION_SECRET_FILE @@ -118,7 +118,7 @@ spec: name: ocis-data-tmp - name: ldap-ca secret: - secretName: ldap-ca + secretName: ocis-ldap-ca - name: idp-secrets secret: - secretName: idp-secrets + secretName: ocis-idp-secrets diff --git a/rendered/envs/production/ocis/deployment-ocdav.yaml b/rendered/envs/production/ocis/deployment-ocdav.yaml index 68e3c1e..c46c633 100644 --- a/rendered/envs/production/ocis/deployment-ocdav.yaml +++ b/rendered/envs/production/ocis/deployment-ocdav.yaml @@ -74,12 +74,12 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: OCDAV_MACHINE_AUTH_API_KEY valueFrom: secretKeyRef: key: machine-auth-api-key - name: machine-auth-api-key + name: ocis-machine-auth-api-key image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: diff --git a/rendered/envs/production/ocis/deployment-ocs.yaml b/rendered/envs/production/ocis/deployment-ocs.yaml index 1bc3d0d..c38f790 100644 --- a/rendered/envs/production/ocis/deployment-ocs.yaml +++ b/rendered/envs/production/ocis/deployment-ocs.yaml @@ -76,7 +76,7 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: diff --git a/rendered/envs/production/ocis/deployment-proxy.yaml b/rendered/envs/production/ocis/deployment-proxy.yaml index 9127cd9..efbae0c 100644 --- a/rendered/envs/production/ocis/deployment-proxy.yaml +++ b/rendered/envs/production/ocis/deployment-proxy.yaml 
@@ -82,12 +82,12 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: PROXY_MACHINE_AUTH_API_KEY valueFrom: secretKeyRef: key: machine-auth-api-key - name: machine-auth-api-key + name: ocis-machine-auth-api-key - name: PROXY_SERVICE_ACCOUNT_ID valueFrom: configMapKeyRef: @@ -97,7 +97,7 @@ spec: valueFrom: secretKeyRef: key: service-account-secret - name: service-account-secret + name: ocis-service-account-secret - name: PROXY_CSP_CONFIG_FILE_LOCATION value: /etc/ocis/csp.yaml - name: PROXY_AUTOPROVISION_ACCOUNTS diff --git a/rendered/envs/production/ocis/deployment-search.yaml b/rendered/envs/production/ocis/deployment-search.yaml index 598af51..e8022da 100644 --- a/rendered/envs/production/ocis/deployment-search.yaml +++ b/rendered/envs/production/ocis/deployment-search.yaml @@ -69,7 +69,7 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: SEARCH_SERVICE_ACCOUNT_ID valueFrom: configMapKeyRef: @@ -79,7 +79,7 @@ spec: valueFrom: secretKeyRef: key: service-account-secret - name: service-account-secret + name: ocis-service-account-secret - name: OCIS_ASYNC_UPLOADS value: "true" image: owncloud/ocis:7.1.4 diff --git a/rendered/envs/production/ocis/deployment-settings.yaml b/rendered/envs/production/ocis/deployment-settings.yaml index b365e50..6b9df5e 100644 --- a/rendered/envs/production/ocis/deployment-settings.yaml +++ b/rendered/envs/production/ocis/deployment-settings.yaml @@ -80,12 +80,12 @@ spec: valueFrom: secretKeyRef: key: user-id - name: admin-user + name: ocis-admin-user - name: SETTINGS_JWT_SECRET valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: SETTINGS_SERVICE_ACCOUNT_IDS valueFrom: configMapKeyRef: 
@@ -95,12 +95,12 @@ spec: valueFrom: secretKeyRef: key: api-key - name: storage-system + name: ocis-storage-system - name: OCIS_SYSTEM_USER_ID valueFrom: secretKeyRef: key: user-id - name: storage-system + name: ocis-storage-system image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: diff --git a/rendered/envs/production/ocis/deployment-sharing.yaml b/rendered/envs/production/ocis/deployment-sharing.yaml index 6956584..246682d 100644 --- a/rendered/envs/production/ocis/deployment-sharing.yaml +++ b/rendered/envs/production/ocis/deployment-sharing.yaml @@ -68,7 +68,7 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD value: "false" - name: SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD @@ -91,24 +91,24 @@ spec: valueFrom: secretKeyRef: key: api-key - name: storage-system + name: ocis-storage-system - name: SHARING_USER_JSONCS3_SYSTEM_USER_ID valueFrom: secretKeyRef: key: user-id - name: storage-system + name: ocis-storage-system - name: SHARING_PUBLIC_DRIVER value: jsoncs3 - name: SHARING_PUBLIC_JSONCS3_SYSTEM_USER_API_KEY valueFrom: secretKeyRef: key: api-key - name: storage-system + name: ocis-storage-system - name: SHARING_PUBLIC_JSONCS3_SYSTEM_USER_ID valueFrom: secretKeyRef: key: user-id - name: storage-system + name: ocis-storage-system - name: SHARING_USER_JSONCS3_MAX_CONCURRENCY value: "20" image: owncloud/ocis:7.1.4 diff --git a/rendered/envs/production/ocis/deployment-sse.yaml b/rendered/envs/production/ocis/deployment-sse.yaml index e1bd9c7..77aae6a 100644 --- a/rendered/envs/production/ocis/deployment-sse.yaml +++ b/rendered/envs/production/ocis/deployment-sse.yaml @@ -72,7 +72,7 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: 
diff --git a/rendered/envs/production/ocis/deployment-storagepubliclink.yaml b/rendered/envs/production/ocis/deployment-storagepubliclink.yaml index 2e8505f..148e1cc 100644 --- a/rendered/envs/production/ocis/deployment-storagepubliclink.yaml +++ b/rendered/envs/production/ocis/deployment-storagepubliclink.yaml @@ -70,7 +70,7 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: diff --git a/rendered/envs/production/ocis/deployment-storageshares.yaml b/rendered/envs/production/ocis/deployment-storageshares.yaml index e90bf54..a399d0b 100644 --- a/rendered/envs/production/ocis/deployment-storageshares.yaml +++ b/rendered/envs/production/ocis/deployment-storageshares.yaml @@ -66,7 +66,7 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: diff --git a/rendered/envs/production/ocis/deployment-storagesystem.yaml b/rendered/envs/production/ocis/deployment-storagesystem.yaml index daa37db..77a5ec5 100644 --- a/rendered/envs/production/ocis/deployment-storagesystem.yaml +++ b/rendered/envs/production/ocis/deployment-storagesystem.yaml @@ -78,17 +78,17 @@ spec: valueFrom: secretKeyRef: key: storage-system-jwt-secret - name: storage-system-jwt-secret + name: ocis-storage-system-jwt-secret - name: OCIS_SYSTEM_USER_API_KEY valueFrom: secretKeyRef: key: api-key - name: storage-system + name: ocis-storage-system - name: OCIS_SYSTEM_USER_ID valueFrom: secretKeyRef: key: user-id - name: storage-system + name: ocis-storage-system image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: diff --git a/rendered/envs/production/ocis/deployment-storageusers.yaml b/rendered/envs/production/ocis/deployment-storageusers.yaml index 3b8aa9d..dfc7416 100644 --- a/rendered/envs/production/ocis/deployment-storageusers.yaml 
+++ b/rendered/envs/production/ocis/deployment-storageusers.yaml @@ -125,7 +125,7 @@ spec: valueFrom: secretKeyRef: key: service-account-secret - name: service-account-secret + name: ocis-service-account-secret - name: STORAGE_USERS_STAT_CACHE_STORE value: noop - name: STORAGE_USERS_MOUNT_ID @@ -137,12 +137,12 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: OCIS_TRANSFER_SECRET valueFrom: secretKeyRef: key: transfer-secret - name: transfer-secret + name: ocis-transfer-secret - name: OCIS_ASYNC_UPLOADS value: "true" - name: STORAGE_USERS_EVENTS_NUM_CONSUMERS diff --git a/rendered/envs/production/ocis/deployment-thumbnails.yaml b/rendered/envs/production/ocis/deployment-thumbnails.yaml index 0b0c923..986986b 100644 --- a/rendered/envs/production/ocis/deployment-thumbnails.yaml +++ b/rendered/envs/production/ocis/deployment-thumbnails.yaml @@ -84,7 +84,7 @@ spec: valueFrom: secretKeyRef: key: thumbnails-transfer-secret - name: thumbnails-transfer-secret + name: ocis-thumbnails-transfer-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: diff --git a/rendered/envs/production/ocis/deployment-userlog.yaml b/rendered/envs/production/ocis/deployment-userlog.yaml index d72dda0..c91c7d1 100644 --- a/rendered/envs/production/ocis/deployment-userlog.yaml +++ b/rendered/envs/production/ocis/deployment-userlog.yaml @@ -73,12 +73,12 @@ spec: valueFrom: secretKeyRef: key: service-account-secret - name: service-account-secret + name: ocis-service-account-secret - name: USERLOG_JWT_SECRET valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret - name: USERLOG_MAX_CONCURRENCY value: "1" image: owncloud/ocis:7.1.4 diff --git a/rendered/envs/production/ocis/deployment-users.yaml b/rendered/envs/production/ocis/deployment-users.yaml index a4a92d9..80948ef 100644 --- a/rendered/envs/production/ocis/deployment-users.yaml +++ b/rendered/envs/production/ocis/deployment-users.yaml 
@@ -70,14 +70,14 @@ spec: valueFrom: secretKeyRef: key: reva-ldap-bind-password - name: ldap-bind-secrets + name: ocis-ldap-bind-secrets - name: USERS_IDP_URL value: https://drive.tr1ceracop.de - name: USERS_JWT_SECRET valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: @@ -118,4 +118,4 @@ spec: name: tmp-volume - name: ldap-ca secret: - secretName: ldap-ca + secretName: ocis-ldap-ca diff --git a/rendered/envs/production/ocis/deployment-web.yaml b/rendered/envs/production/ocis/deployment-web.yaml index 3ceca77..fb1bdb0 100644 --- a/rendered/envs/production/ocis/deployment-web.yaml +++ b/rendered/envs/production/ocis/deployment-web.yaml @@ -88,7 +88,7 @@ spec: valueFrom: secretKeyRef: key: jwt-secret - name: jwt-secret + name: ocis-jwt-secret image: owncloud/ocis:7.1.4 imagePullPolicy: IfNotPresent livenessProbe: diff --git a/rendered/envs/production/ocis/job-ocis-secret-init.yaml b/rendered/envs/production/ocis/job-ocis-secret-init.yaml index 3af091c..8bf96db 100644 --- a/rendered/envs/production/ocis/job-ocis-secret-init.yaml +++ b/rendered/envs/production/ocis/job-ocis-secret-init.yaml @@ -3,7 +3,9 @@ kind: Job metadata: annotations: a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + argocd.argoproj.io/hook: PreSync argocd.argoproj.io/sync-options: Replace=true + argocd.argoproj.io/sync-wave: "-1" name: ocis-secret-init namespace: ocis spec: 
@@ -16,18 +18,104 @@ spec:
- |
set -e
- SECRET_NAME="ocis-s3-credentials"
+ gen_random() {
+ head -c 32 /dev/urandom | base64 | tr -dc 'a-zA-Z0-9' | head -c "$1"
+ }
- if ! kubectl get secret "${SECRET_NAME}" -n ${NAMESPACE} >/dev/null 2>&1; then
- echo "ERROR: Secret ${SECRET_NAME} does not exist in namespace ${NAMESPACE}."
- echo "Please create it manually with keys 'accessKey' and 'secretKey':"
- echo " kubectl create secret generic ${SECRET_NAME} -n ${NAMESPACE} \\"
- echo " --from-literal=accessKey= \\"
- echo " --from-literal=secretKey="
+ gen_uuid() {
+ cat /proc/sys/kernel/random/uuid
+ }
+
+ create_secret_if_missing() {
+ local name="$1"
+ shift
+ if kubectl get secret "$name" -n "${NAMESPACE}" >/dev/null 2>&1; then
+ echo "Secret $name already exists, skipping"
+ return
+ fi
+ kubectl create secret generic "$name" -n "${NAMESPACE}" "$@"
+ echo "Created secret $name"
+ }
+
+ # Validate external secrets exist
+ if ! kubectl get secret ocis-s3-credentials -n "${NAMESPACE}" >/dev/null 2>&1; then
+ echo "ERROR: External secret ocis-s3-credentials must be created manually"
exit 1
- else
- echo "Secret ${SECRET_NAME} exists, OK"
fi
+
+ # Admin user
+ create_secret_if_missing ocis-admin-user \
+ --from-literal=password="$(gen_random 32)" \
+ --from-literal=user-id="$(gen_uuid)"
+
+ # JWT secret
+ create_secret_if_missing ocis-jwt-secret \
+ --from-literal=jwt-secret="$(gen_random 32)"
+
+ # Machine auth API key
+ create_secret_if_missing ocis-machine-auth-api-key \
+ --from-literal=machine-auth-api-key="$(gen_random 32)"
+
+ # Storage system JWT secret
+ create_secret_if_missing ocis-storage-system-jwt-secret \
+ --from-literal=storage-system-jwt-secret="$(gen_random 32)"
+
+ # Storage system secret
+ create_secret_if_missing ocis-storage-system \
+ --from-literal=api-key="$(gen_random 32)" \
+ --from-literal=user-id="$(gen_uuid)"
+
+ # Transfer secret
+ create_secret_if_missing ocis-transfer-secret \
+ --from-literal=transfer-secret="$(gen_random 32)"
+
+ # 
Thumbnails transfer secret
+ create_secret_if_missing ocis-thumbnails-transfer-secret \
+ --from-literal=thumbnails-transfer-secret="$(gen_random 32)"
+
+ # Service account secret
+ create_secret_if_missing ocis-service-account-secret \
+ --from-literal=service-account-secret="$(gen_random 32)"
+
+ # Collaboration WOPI secret
+ create_secret_if_missing ocis-collaboration-wopi-secret \
+ --from-literal=wopi-secret="$(gen_random 32)"
+
+ # LDAP bind secrets (three passwords for different bind users)
+ create_secret_if_missing ocis-ldap-bind-secrets \
+ --from-literal=reva-ldap-bind-password="$(gen_random 32)" \
+ --from-literal=idp-ldap-bind-password="$(gen_random 32)" \
+ --from-literal=graph-ldap-bind-password="$(gen_random 32)"
+
+ # IDP secret (encryption key + RSA private key)
+ create_secret_if_missing ocis-idp-secrets \
+ --from-literal=encryption.key="$(gen_random 32)" \
+ --from-literal=private-key.pem="$(openssl genrsa 4096 2>/dev/null)"
+
+ # LDAP CA cert + key (self-signed)
+ if ! 
kubectl get secret ocis-ldap-ca -n "${NAMESPACE}" >/dev/null 2>&1; then
+ openssl req -x509 -newkey rsa:2048 -keyout /tmp/ldap-ca.key -out /tmp/ldap-ca.crt \
+ -days 3650 -nodes -subj "/CN=ldap-ca" 2>/dev/null
+ kubectl create secret generic ocis-ldap-ca -n "${NAMESPACE}" \
+ --from-file=ldap-ca.crt=/tmp/ldap-ca.crt
+ echo "Created secret ocis-ldap-ca"
+
+ # LDAP server cert signed by the CA
+ openssl req -newkey rsa:2048 -keyout /tmp/ldap.key -out /tmp/ldap.csr \
+ -nodes -subj "/CN=idm" -addext "subjectAltName=DNS:idm" 2>/dev/null
+ openssl x509 -req -in /tmp/ldap.csr -CA /tmp/ldap-ca.crt -CAkey /tmp/ldap-ca.key \
+ -CAcreateserial -out /tmp/ldap.crt -days 3650 \
+ -extfile <(printf "subjectAltName=DNS:idm") 2>/dev/null
+ kubectl create secret generic ocis-ldap-cert -n "${NAMESPACE}" \
+ --from-file=ldap.crt=/tmp/ldap.crt \
+ --from-file=ldap.key=/tmp/ldap.key
+ echo "Created secret ocis-ldap-cert"
+ rm -f /tmp/ldap-ca.key /tmp/ldap-ca.crt /tmp/ldap.key /tmp/ldap.crt /tmp/ldap.csr /tmp/ldap-ca.srl
+ else
+ echo "Secret ocis-ldap-ca already exists, skipping LDAP certs"
+ fi
+
+ echo "All secrets initialized successfully"
env:
- name: NAMESPACE
valueFrom:
diff --git a/rendered/envs/production/ocis/role-ocis-secret-init.yaml b/rendered/envs/production/ocis/role-ocis-secret-init.yaml
index cd5b69b..95e21d9 100644
--- a/rendered/envs/production/ocis/role-ocis-secret-init.yaml
+++ b/rendered/envs/production/ocis/role-ocis-secret-init.yaml
@@ -3,6 +3,7 @@ kind: Role
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+ argocd.argoproj.io/hook: PreSync
name: ocis-secret-init
namespace: ocis
rules:
diff --git a/rendered/envs/production/ocis/rolebinding-ocis-secret-init.yaml b/rendered/envs/production/ocis/rolebinding-ocis-secret-init.yaml
index 93d3e50..5325653 100644
--- a/rendered/envs/production/ocis/rolebinding-ocis-secret-init.yaml
+++ b/rendered/envs/production/ocis/rolebinding-ocis-secret-init.yaml
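Review bot: A generated value that comes out empty would be stored without complaint, because `$(gen_random 32)` and `$(openssl genrsa 4096 2>/dev/null)` run inside command arguments where `set -e` never sees their exit status and the pipeline in `gen_random` has no `pipefail`; assign each value to a variable first (`v=$(gen_random 32)` is caught by `set -e`), add `set -o pipefail` after `set -e`, and have `create_secret_if_missing` refuse an empty `--from-literal` value. The S3 pre-check only proves the Secret object exists, not that it carries the `accessKey`/`secretKey` keys the removed message documented, so a mis-created Secret now fails inside oCIS instead of failing fast here. `-extfile <(printf ...)` is a bash process substitution; if the container runs this under busybox `sh` (the interpreter and `command:` are outside the hunk) the LDAP branch aborts after `ocis-ldap-ca` has already been created, and because `ocis-ldap-cert` is not guarded by its own `create_secret_if_missing`, no later run will create it. The CA private key is deleted in the same branch, so the server certificate cannot be renewed or reissued without deleting both Secrets and regenerating the trust anchor. This is rendered output; the fix belongs in the ytt template it is generated from.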
@@ -3,6 +3,7 @@ kind: RoleBinding metadata: annotations: a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + argocd.argoproj.io/hook: PreSync name: ocis-secret-init namespace: ocis roleRef: diff --git a/rendered/envs/production/ocis/secret-admin-user.yaml b/rendered/envs/production/ocis/secret-admin-user.yaml deleted file mode 100644 index 3d7afe8..0000000 --- a/rendered/envs/production/ocis/secret-admin-user.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -data: - password: cHNCME40QW85Y3NDYTYxOVNpUVVrY0VJZTYxajdU - user-id: MTJjNDE0OGUtZGIxZC00ZTUxLWIwZDQtMjc4YzhlMTExZjcz -kind: Secret -metadata: - annotations: - a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git - labels: null - name: admin-user - namespace: ocis diff --git a/rendered/envs/production/ocis/secret-collaboration-wopi-secret.yaml b/rendered/envs/production/ocis/secret-collaboration-wopi-secret.yaml deleted file mode 100644 index a56cefc..0000000 --- a/rendered/envs/production/ocis/secret-collaboration-wopi-secret.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -data: - wopi-secret: Wno2dmFISjdBTFVKZ3BWeXFhdTM4eDNiWVVVeHlv -kind: Secret -metadata: - annotations: - a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git - labels: null - name: collaboration-wopi-secret - namespace: ocis diff --git a/rendered/envs/production/ocis/secret-idp-secrets.yaml b/rendered/envs/production/ocis/secret-idp-secrets.yaml deleted file mode 100644 index 9816e66..0000000 --- a/rendered/envs/production/ocis/secret-idp-secrets.yaml +++ /dev/null 
@@ -1,11 +0,0 @@ -apiVersion: v1 -data: - encryption.key: NU1FOHBzQ2Q3akZSJz0qP352czZ5cUlYJEhPUEl7fnc= - private-key.pem: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS0FJQkFBS0NBZ0VBM0k3d1J5a0hXRE1zblNFY1FSaUpPWHFvY2t1U2xiajhzbFRUYmRvMmI0SVo0UHlCCnFaRHNTZkpIa1pnUkxTUE4yN3hMazM5bDlZQUM2MjF6YThKMk9hK05qYSsreXJXUFZBSGxOUm5lRHMwTENmM28KOFhnMDBkT0dNRkNJbmZ5UEE3VThEYm10RlRHeXBPQTVGMnZqVVhqV3JOejhHWUF5Z0J4NmlxSmRNVHRLVFpxaQpyWVdWY0poN1dTdzFKYkd0N2ZjUk9NK3JJbDhxVFJlRUE1czVNeTR4S3JNeWVTa0MxMW5LVy9UNzZUQjNzaFBuCi91dmYyTENSOUxMZkFoS0JJSDVGK1piUHNDQzlaT05MVkJDRlkvTUZPbUxzYmlIR1BTVklrRktoMFU2cFd3cjEKSzlVSm5ISWJCcXBSU2NPaVgzSk41Mkpzdnl6RHVqS1NKcmJYVCt0UGNpcHRmOTU1Q0RGaFcyL2pZeVJSZlBHTgoxeTlBYTRMLytocFF2ellMUnRicWxJQXpXQ1dFdTJ4cEVIRzAzTlpzeE44aW5LbVYyeXVVRXBNb080RkVUSklyClFTTnA1R09HVEpXVmhCdjNsdXUvUlg2Y0diVUZHYVorbVNlM1BobWJORlMxbUlqZGZacHhkd1lnRWtnYjNpYVMKOFdSU2VIWlBhQXdQeFowai9aVVA1S0hwT1ArUmVHU1Q5bzRmVGNKY1h6MEpFT1BiRXhEaEF5NkM0UFRVR0VVbgpWSGRjOUsyTXV0QjFnS2FvN05EUW9IQU9MbEptamxaMGxZSk44MDFLRklHdWlINGp4bk82SHNhUFRNZ3NRWUZwClBBcUpxWlFyblBiL09JNkw0UE5tTVR2a1AwTTBUSUd6UTZXSE5UZ0JRR0NOZzhUbHJ1d29qQmtpcFpFQ0F3RUEKQVFLQ0FnQkRSeHJHS2g3Q2FjSEhJRzEwOGQ0UitYZGVmZXoxM05yQUx4M2JXWC9YWGRFMUR2RWlYMEdrZ05JUgorRmZzOUFuOGFDQ0ptb2ZvYmliMTE0b29xY1hVYk5kNkM4emdHcWZnMFQ4d2huWjAvMWpKc0hrWkJ6amRkRzl2ClYzR0U5NkJNV2tFNlVwUVliZk4zVmFvMG1jVmFlY2pLTEJKK1dOdU90cUV1bnI1Y29TQldNY0JEdkFiTXRNYVQKZWVld1d0V2FUQTRselRyL25oWFNORVVoc0h5dlB2emljSTBKNWxlbWh3NHlKTFdlK1JqWjZqYVBUVFlYN0N4cApmeEtGbUUxcE12dDNXZWg2YWxJN2J4WHdTNlhVeWpHakVML2NERk5qSFhkWUJzeXpneEluNGx6TkJRd01lOFlBCnIzMWlTZG5DMGFRdjI1Y2ViYkk2bnVoMEJMd0NaTmFQZzBUK2htNlkrVEZBdVZiajlPRHZVLy8ybUFPVXlpeUMKaE1XRHFreVAxQ1IrdDZvTU9JVmtXYjArQk4vRXhqblhxa2kybTNGemR3QkVlVExBdm9pRDRoWEhhVEtQMUJ6UApEcTVPcFQvaVhoNUlKVGlNTmdoR1R5QkNDSEQ2a1puZnhZbmFVTmMvOUVDaHZqdG1ZcW9DbVUzVXlEenFTSlpWCnA0OTUzK0M1bGhBMytvbWMvVGU3RENqeE1tNC9rcFlUZm9sL21nRGNMMXlmUU00dmt2akNDendtOWVqc0JtT2oKZ3lqMk9GRFRLUDBQUFNaV3hwZXhqSkhzdUV4OHBNQkpmR0xySzQyV2xPVEhTazNCSllKL3R2ODRxbXJFR3BiUgpydkgvQ3NQd05xaW
12SndXL3VRMlNNWXdHT0JPcHg5elY5b3lEU1dDVlJYQU1OU3dmUUtDQVFFQTlMZjFxY0l4CkdZejhEMnRJQ0cxVStwblpoTUVqVjRnUjNIWUJPV2RuYVdHVGJGQ0ZzWmFob0RMNjBxaUJKR0ZIcTdzWjhXYkgKR3FpQ1ZFb3lnLzVoREU4eDFtVU05UFltSzAvQlNlQVhrM1RJa0hQWDYwVDlaKytYOHloVmRwOGsrZUMyV1hHeAo0MzNBNEZrWGpSK1BPMXM3dXhIUGVtdHhWb2l4bDNjMjBEd21hMHpDaXpVVEc4VTJrKytyYWw1WG9uTjA5MldiCkU4R2twYUlEUjkzU0lBaS9oak5IVWFmdExLOXZ3SmJLTFJJdHJkOFRDRWpoWWlEM050UzIxNGJ1YXhVQjI1NDYKcUp5cEx6Y0VoK2hqZzVmRE56TnVMYWwyb2E5aDBpZithcExud21hRVJUaXQ1MDhodTNiclQ0c2ZyZ0c0bmtaYwpIMmpYL0dSR3ZlVzBsd0tDQVFFQTVybmFQak5sckZ2cDBOOUxvRzBXWm1lOWxvZWxiN3d1ZjQzcm1HcnJQQTZzCk1wK24zMUJhaXVITEQ2eEF3QUU3dXp6UkJqQVpZQ2psSDAvRnllVHJzSlBuUW1zWTU4MldnMWxmcGIzSUxVMHgKZVNMMVhJWFNDSGJxYThJZ0ZUSldSdDY2UjArSHpER2REVVlndzd3T3BRVk84cTB5TFJYYUVTZ3NuWlhqZmtIOApzeFMzMTZkQ04rV2I3amtrcEFsRFFZRDdocjQ4TzFReHpuRW00NWRqcXRub0YvMUJsZ3B4MEJYT2FjeDhQbHlUCnBvaGpkcnUxd1MzVmRXZDdlSVpqbmh0dXc4U1RrWGZmcmJUejk1NHNBaFdTa1Y5amgwT0Rpc2tDeWV5RjlDU3UKQTVETVhDVXdickQrZ1VpUU8zSXNEeE1IQzFjNk1wWlJJbVpNZUExMEZ3S0NBUUJuYURpUmxESkZOckxvSFJBaQpKM2pxTUFxZk16R284aUdDQkFjK1ozaG1La291VWRROGw0Y1NkNWhQWGM2OFBiTVlXUVo4WUU2djhCYXFZWFA1CkhJdUx0UWM5TGhRTWl0clVJRzV2dGhhZ1E0L2dvbUxSMHFRMXdDTjRKMG45eHYvTDZ1MkMzQzBzRU41b3JwenEKRURUcEF3TTVhQ3hBOFpmQjFoOGMvczRWcmVVYUlDUnd5R3VicDNrSmlCUHA3WldnV3FOSlN4RDloeXo0cEg0NApadjQ4ZFJYaE1sZm5wRXJ2UCs2NzlidlcwY0Nsb1FhYzBKY1ViUk9wZ3JjRVdjcnpTcnd2UGl4UlJXbWtQdDVXClE1ZVJhcGFlQThpQjJRTDlEV3dMYnNUdDZjZXUrTHpadHpxYzdHNDNsZWVYQkJYTjVJSkx0eldFUER4UU5WdEQKTVFaZkFvSUJBRVpRMjg5YkVLQnZ2cGwyZy9EWGJoMDFmcFVTci91V2lVRThlbEdRUERLb2NoaFhpZXpINjJBcQpJaDJickh3WHBDR1REa3pwZWNKUmxFcHZvR0xBVG9nWSswREZyT2h3UW0relhEQUIzN0RXdHI0cFJrZTFUT1poCmYxM3A0cWN6R1JJdUxPMHdzcjByWGFhKytadE5nOVVOQWh0NVp6SlFWNDRsQlR2ZGcyQm1NZUpON1IxZkR4SkQKK3JxbVZhRmNaVS9nUkVlelVGM3djZUZ0b0tGNThOa1A0ZWoxdVBoR0pKdDdHZFlxaUs3a3ZlYmg2QlkyYk5UNwo1L01JMzV0Q3NiZHN1dHdVMjdoWXBTV21ZVGZVejZxdThtVTFnZnFtTzcrZk5TZGUyeEFsNFphYW1YMTNwQVFJCkV2aEpxaE5EMzJPVXMrL2ozSXV3UGZmUzMza3krRzhDZ2dFQkFNNkVySXovbDdFS0RNN0NWd2VOMUhIUk1NV0MKQldKRTdaNi9LUlZ2TDE4bj
hkWUV4NEJaYTdCcjhNZnRQejVTSHRCOUxqZmZlbWNxcVhqRzdhcXV3NDFRSFFkLwpPV0lRVGl4RWNrRDlaYmwwOG1MU2h1WCtLZlhJejMwK0gybG51UTdQVWo1N0N1V0pndGdGY05EeFdwaG1ncFkxCkp0djNYdEVhM0lNVDRBNHVLSGdHbDZyOTdxSFQvRXF4MmljTGxOWFU2aEFjYjV2QmgzK2JaOGFQbUpWWi84QlcKakJZWmxYMTFmaWFnSWF4NThHUTM4VS9GQTFHaEJyeGVGcU50WG9PSGU0QS82Tmxmb0E1dDRGVExmWjVMUW9SKwpkRmxNMlBSM016dnEwSFB3RFdTQ2kvR3RqQzB4WXZ4U0FmQ3BucFptWkNORTNEMU94b29FUUNzWW5sbz0KLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K -kind: Secret -metadata: - annotations: - a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git - labels: null - name: idp-secrets - namespace: ocis diff --git a/rendered/envs/production/ocis/secret-jwt-secret.yaml b/rendered/envs/production/ocis/secret-jwt-secret.yaml deleted file mode 100644 index 13e076a..0000000 --- a/rendered/envs/production/ocis/secret-jwt-secret.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -data: - jwt-secret: N0FxeFRwa2xVdDZ1MmJ0MVlNbGIzQ3E3Y2paRXQw -kind: Secret -metadata: - annotations: - a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git - labels: null - name: jwt-secret - namespace: ocis diff --git a/rendered/envs/production/ocis/secret-ldap-bind-secrets.yaml b/rendered/envs/production/ocis/secret-ldap-bind-secrets.yaml deleted file mode 100644 index f61a1f8..0000000 --- a/rendered/envs/production/ocis/secret-ldap-bind-secrets.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -data: - graph-ldap-bind-password: OXhsb0V0N3YwM2Zrc24xY0lpanBwZmRhTlYybEV5 - idp-ldap-bind-password: eFNndGZaRzF0SzhNeXB4c0doSTJhd3B6aDZGQWE3 - reva-ldap-bind-password: aWZRZXVtQ3hYVERFdWx6bElHQXQ4TUdHazF4cGQ0 -kind: Secret -metadata: - annotations: - a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git - labels: null - name: ldap-bind-secrets - namespace: ocis diff --git a/rendered/envs/production/ocis/secret-ldap-ca.yaml b/rendered/envs/production/ocis/secret-ldap-ca.yaml deleted file mode 100644 index e111b1e..0000000 
--- a/rendered/envs/production/ocis/secret-ldap-ca.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -data: - ldap-ca.crt: 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 -kind: Secret -metadata: - annotations: - a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git - labels: null - name: ldap-ca - namespace: ocis diff --git a/rendered/envs/production/ocis/secret-ldap-cert.yaml b/rendered/envs/production/ocis/secret-ldap-cert.yaml deleted file mode 100644 index b87d394..0000000 --- a/rendered/envs/production/ocis/secret-ldap-cert.yaml +++ /dev/null 
@@ -1,11 +0,0 @@ -apiVersion: v1 -data: - ldap.crt: 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 - ldap.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBckR2V252L25xNksxUWlHeG1EUEkyVTd4ZGVBSkYrcURubGRPMjR5T2ZENFRvRjlMCnpnUzhITFFaZFMrM1o4c1ZScWF2WEtITXJhQXI1czJibi9mc21zVFJKaWxFQjNwME12TzdreWJSQnI5SXBBOFgKZ3Ziem5yaTdPNWgwVGpVL3BHMjRPS2hCbzBIc1diUUlaamtydmJleGZxelVxYmhOZXpyYU5kanBCMXFsb2xheQp6cFVzQXFiOWdLUTZIVE43YTQxK1JOejQrei9BZWlCT00vMkZlcTBwVW94SzFnQm5JcnArZUpvQTh5K0EwN2tkCkxKbnhnTVp1enFwemU0YzF1SlhUakQ1ZmJpaWJHbFYyc3BWanNjVmZaZVVncFlRWVpRaHJQQWxEaHYzQUNvSE4KcGN1ZHNFeE85N0EzM3JkTFUxWjEzdmZ1UVQ2bUoxQTBISVRDZVFJREFRQUJBb0lCQUE0WEdTQkozRGlZNTQ1QQo5bWYydUpRNmxwdG5tQ2JhT3lsTmlEaUMzN2MvVnRpMFl4MjRHbkdZdEVwM2ZHQWo1NW92a2NJWXhJZGh4cVdyCnBYTXBVN1IzcklxY0xxSVQvUVNjRnZqYllKZFdOOG1nS0hMQTVENVVhNURkRUlyRFpYRDh2dWozcnVMOXhpbXkKaGt0aW12YjYyNno2MDYwTTFGM2oreTBUa1VEV0lhUllwb1llNnlKQkdXbjNRTW1zV3ZXNStmU0c3Yk1VOWlCdwpRTWx2cnZOdlBIbDZJWWhrd0dnSWp1cjVKblRqc0U5SWZBdUR5L2hVNzl0SFpzV252RlRmUDdJTVZNSVBTY2NICnl2SHgwMHpuaE9LOHZXSkFGb3pMUVdpZFpldUFEaEhhblhGaklTd1A3cDBPNDc4T0xxTCtWNjdBMk54bEZaK3UKRTdTdCs5a0NnWUVBNUJMY0Z2UjN3K0k0dkJFWFd6bHVOREd2VFVRdXI4Y1VTbjVkcXAxR1NhWlpkNFhDL0hpcwo1QVI1c2dPaU0zMllLQkFvY1NJRmdJdW9ic2g2VWpNdU8zWktCVU5ibyttZ3ZQNW1qKzF4VkQrNGN0QS92ak9sCnNNT1VYNS95VEJlZ0Z3QkNvKzVqNWVsMHQvSHllcE5wTTJRZjJjUFVVczlCYjlkdDA5NU9PclVDZ1lFQXdWS2kKWFhUZVM3dDdDME5CbFlkWkRTa293ODJldTdQZEdNSzFGM3pRWU5vcXgydG1UTzVTbzI0S20zRTNiZzZwNzF5bgpqU3doV0lkQS9ZSFJsano3cyt2WVJ0VjBPcmtmYlZCQzhGVUtONUVNSlhhL1NDOFlRc1psUWZvUkVXb3BuS0ZECnFUUDV6SzVkelBwYWFNNlhWRm5WMFFlb0UvODYxSEN6aW5DYUR6VUNnWUJ6NnZYN29NTGlSeThvdnRNTkpYSlMKaXRJYlJrVW9SOW1UUndpYU41ZEt4WWFCVGZYZFZnUWhXL2p5TmhDUmRRc0ppYlRVVTBOU295aTNMYU9sOWFkUQp4MzAxa1plWkJwd1Frb2hVTEkxR0VhRFFrZkZqM1dJZ0pqZGFKclFDWXB1V05TYXBwUGNYR29HZElCWnFvRk4rCnNDdlVCVWo3MGFUamtDMmMya2NPWlFLQmdBWTY0NENmZzRwdFFFbmNvUUJ3bkM0UVpYL3A0SE9zR0RQMEVtSHYKWThlN1FDV3RFRjdxVHo5MURHSjJBNU5JWmJHUkN0VkIxdEZEaXBTZzJtQTlGdDkxZWtMT0hqREdSbnovV1NqbApsSzYxdmU1M0pUTHVVWm
5WU3U0VllQZHV0R2lYeWRacUZtTENPOE9mVGNxUzNjMmFGNG5rOVVXdnMvV2tyQ1NKCi9HMEJBb0dCQUlFM3FkcTFrcmJKcW5rVTRLK3BQREpsV0FjSUJXUjVERnlPY0U2M1V5ekNvTHdsZDFZVHVlNisKWkVhSnExYW1nRlZVRllkbitiUVJPWnI4ZVY1MldYSktBWmEyclRxUlJPTVVLVHk5RVR0cGpBSXJvV3lEOEp0bApxMkpkTnQ5Rk1LQWJkYWZMc1piaGl3eFdpRjUremJKUkhpU3ZtVG9RTGNDRDhJcXZnUFcyCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg== -kind: Secret -metadata: - annotations: - a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git - labels: null - name: ldap-cert - namespace: ocis diff --git a/rendered/envs/production/ocis/secret-machine-auth-api-key.yaml b/rendered/envs/production/ocis/secret-machine-auth-api-key.yaml deleted file mode 100644 index 039f672..0000000 --- a/rendered/envs/production/ocis/secret-machine-auth-api-key.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -data: - machine-auth-api-key: Ymh0RmU1Zko3VWpsZDJRM09RWUJPclJUOHlmNUpS -kind: Secret -metadata: - annotations: - a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git - labels: null - name: machine-auth-api-key - namespace: ocis diff --git a/rendered/envs/production/ocis/secret-service-account-secret.yaml b/rendered/envs/production/ocis/secret-service-account-secret.yaml deleted file mode 100644 index 4a7914a..0000000 --- a/rendered/envs/production/ocis/secret-service-account-secret.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -data: - service-account-secret: S25hYjNES2pUWDRVOWNrSHI2dlZBaWJyOVFqZ1NT -kind: Secret -metadata: - annotations: - a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git - labels: null - name: service-account-secret - namespace: ocis diff --git a/rendered/envs/production/ocis/secret-storage-system-jwt-secret.yaml b/rendered/envs/production/ocis/secret-storage-system-jwt-secret.yaml deleted file mode 100644 index 4f0b8ef..0000000 --- a/rendered/envs/production/ocis/secret-storage-system-jwt-secret.yaml +++ /dev/null 
@@ -1,10 +0,0 @@ -apiVersion: v1 -data: - storage-system-jwt-secret: T2FTMVBaQW5tamVxQ2RXckZFQ3Q3M2VrdnBKNmx0 -kind: Secret -metadata: - annotations: - a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git - labels: null - name: storage-system-jwt-secret - namespace: ocis diff --git a/rendered/envs/production/ocis/secret-storage-system.yaml b/rendered/envs/production/ocis/secret-storage-system.yaml deleted file mode 100644 index fec9310..0000000 --- a/rendered/envs/production/ocis/secret-storage-system.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -data: - api-key: YlJCR2dobmZOTjJzUWQ1NkVyYVRFZEN5S1FMTWx4 - user-id: MWFlNzk2YmYtMWI0ZS00ZGI2LWI2OTUtM2E5ZGE3MDU1NDc1 -kind: Secret -metadata: - annotations: - a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git - labels: null - name: storage-system - namespace: ocis diff --git a/rendered/envs/production/ocis/secret-thumbnails-transfer-secret.yaml b/rendered/envs/production/ocis/secret-thumbnails-transfer-secret.yaml deleted file mode 100644 index 43c4fc5..0000000 --- a/rendered/envs/production/ocis/secret-thumbnails-transfer-secret.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -data: - thumbnails-transfer-secret: MUJMNk44aktWVXlIYW1lS2RBVklaMk9MZ1dKY0M4 -kind: Secret -metadata: - annotations: - a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git - labels: null - name: thumbnails-transfer-secret - namespace: ocis diff --git a/rendered/envs/production/ocis/secret-transfer-secret.yaml b/rendered/envs/production/ocis/secret-transfer-secret.yaml deleted file mode 100644 index 53eab5c..0000000 --- a/rendered/envs/production/ocis/secret-transfer-secret.yaml +++ /dev/null 
@@ -1,10 +0,0 @@
-apiVersion: v1
-data:
- transfer-secret: ajhYWFQyYVBRcEs0a0pCeXc1cjJnWHRBOTVzQjZh
-kind: Secret
-metadata:
- annotations:
- a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
- labels: null
- name: transfer-secret
- namespace: ocis
diff --git a/rendered/envs/production/ocis/serviceaccount-ocis-secret-init.yaml b/rendered/envs/production/ocis/serviceaccount-ocis-secret-init.yaml
index f623792..f1c6586 100644
--- a/rendered/envs/production/ocis/serviceaccount-ocis-secret-init.yaml
+++ b/rendered/envs/production/ocis/serviceaccount-ocis-secret-init.yaml
@@ -3,5 +3,6 @@ kind: ServiceAccount
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+ argocd.argoproj.io/hook: PreSync
name: ocis-secret-init
namespace: ocis