Migrate ~180 LOC of openssl/kubectl init Jobs to declarative Secret
manifests reconciled by mittwald/kubernetes-secret-generator (random
strings, SSH keypair) and cert-manager Certificates (RSA private key +
self-signed CA chain). mittwald only fills empty fields, so existing
populated Secrets keep their current values across the migration.
Changes:
- New prototype kubernetes-secret-generator (chart 3.4.1, mittwald helm
repo). Cluster-wide informer reconciler, no webhook -> cold-bootstrap
safe via ArgoCD retries.
- New cert-manager selfsigned ClusterIssuer (in-cluster trust root).
letsencrypt remains for public-DNS endpoints.
- forgejo: admin-secret Job replaced with a mittwald-annotated Secret
(hex-encoded 24-char password). Deploy-key Job split: mittwald
ssh-keypair Secret + slim Job that uploads pubkey to Forgejo and
copies privkey into the argocd repo Secret.
- ocis: 13 Secrets / 16 random fields now mittwald-managed (UUIDs
replaced with opaque random hex; ocis treats user-id as opaque). IDP
RSA signing key, LDAP self-signed CA, and LDAP server cert produced
by cert-manager. Per-Deployment ytt overlay remaps volume key paths
(tls.crt -> ldap-ca.crt, tls.key -> private-key.pem, etc.) since the
ocis chart mounts Secrets raw without items support. Old multi-secret
s3-secret-job replaced with a slim external-secret precheck Job that
only validates pre-created Hetzner S3/Storage Box credentials.
- Application sync-wave -10 on cert-manager and kubernetes-secret-
generator so they install before consumers. ArgoCD selfHeal handles
any residual races.
CLAUDE.md: remove the "all namespaces use privileged PodSecurity"
convention. Existing namespaces still carry the label and will be
audited separately.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-03 00:00:07 +02:00
Renamed from rendered/envs/production/ocis/serviceaccount-ocis-secret-init.yaml (Browse further)
