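---
# One-shot Argo CD PreSync hook that seeds the Secrets the oCIS release
# depends on. Every generated Secret is created only when it does not exist
# yet, so re-running the Job never rotates credentials that are already in
# use. Secrets provided out of band (ocis-s3-credentials) are only checked.
# The ocis-secret-init ServiceAccount is defined elsewhere; it needs
# get/create on Secrets in the target namespace for this Job to work.
apiVersion: batch/v1
kind: Job
metadata:
  name: ocis-secret-init
  namespace: ocis
  annotations:
    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
    # Run before the application resources are synced, in the earliest wave,
    # and replace the previous Job object (Job pod templates are immutable).
    argocd.argoproj.io/hook: PreSync
    argocd.argoproj.io/sync-options: Replace=true
    argocd.argoproj.io/sync-wave: "-1"
spec:
  # Remove the finished Job (and its pod) five minutes after completion.
  ttlSecondsAfterFinished: 300
  template:
    spec:
      serviceAccountName: ocis-secret-init
      restartPolicy: OnFailure
      containers:
        - name: init
          # NOTE(review): pinned by tag only; a digest pin would make the
          # tooling used to mint credentials reproducible.
          image: alpine/k8s:1.32.3
          env:
            # Target namespace, taken from the Job's own pod metadata.
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          command:
            - sh
            - -c
            - |
              set -eu

              # kubectl ships with the image; openssl is needed for the IDP
              # RSA key and the LDAP certificates.
              apk add --no-cache openssl >/dev/null 2>&1

              # gen_random N: print exactly N characters drawn from [a-zA-Z0-9].
              # Filters /dev/urandom until N acceptable characters have been
              # produced, so the result is never shorter than requested
              # (a fixed 32-byte base64 sample filtered afterwards could be).
              gen_random() {
                tr -dc 'a-zA-Z0-9' </dev/urandom | head -c "$1"
              }

              # gen_uuid: print a kernel-generated random UUID.
              gen_uuid() {
                cat /proc/sys/kernel/random/uuid
              }

              # secret_exists NAME: succeed if Secret NAME exists in ${NAMESPACE}.
              # Note that an unreachable API server or missing RBAC also makes
              # this fail; the subsequent create then fails loudly under set -e.
              secret_exists() {
                kubectl get secret "$1" -n "${NAMESPACE}" >/dev/null 2>&1
              }

              # create_secret_if_missing NAME [kubectl create secret generic args...]
              # Creates the Secret unless it already exists. Refuses to create a
              # Secret with an empty --from-literal value: a failed command
              # substitution inside an argument list does not stop the script
              # under set -e, and would otherwise silently store an empty key.
              # (The values generated here never end in '=', so a trailing '='
              # reliably means "empty".)
              create_secret_if_missing() {
                local name="$1"
                shift
                if secret_exists "$name"; then
                  echo "Secret $name already exists, skipping"
                  return
                fi
                for arg in "$@"; do
                  case "$arg" in
                    --from-literal=*=)
                      echo "ERROR: empty value for ${arg%=} while creating secret $name" >&2
                      exit 1
                      ;;
                  esac
                done
                kubectl create secret generic "$name" -n "${NAMESPACE}" "$@"
                echo "Created secret $name"
              }

              # External secrets are provisioned by hand; refuse to run without them.
              if ! secret_exists ocis-s3-credentials; then
                echo "ERROR: External secret ocis-s3-credentials must be created manually" >&2
                exit 1
              fi

              # Admin user
              create_secret_if_missing ocis-admin-user \
                --from-literal=password="$(gen_random 32)" \
                --from-literal=user-id="$(gen_uuid)"

              # JWT secret
              create_secret_if_missing ocis-jwt-secret \
                --from-literal=jwt-secret="$(gen_random 32)"

              # Machine auth API key
              create_secret_if_missing ocis-machine-auth-api-key \
                --from-literal=machine-auth-api-key="$(gen_random 32)"

              # Storage system JWT secret
              create_secret_if_missing ocis-storage-system-jwt-secret \
                --from-literal=storage-system-jwt-secret="$(gen_random 32)"

              # Storage system secret
              create_secret_if_missing ocis-storage-system \
                --from-literal=api-key="$(gen_random 32)" \
                --from-literal=user-id="$(gen_uuid)"

              # Transfer secret
              create_secret_if_missing ocis-transfer-secret \
                --from-literal=transfer-secret="$(gen_random 32)"

              # Thumbnails transfer secret
              create_secret_if_missing ocis-thumbnails-transfer-secret \
                --from-literal=thumbnails-transfer-secret="$(gen_random 32)"

              # Service account secret
              create_secret_if_missing ocis-service-account-secret \
                --from-literal=service-account-secret="$(gen_random 32)"

              # Collaboration WOPI secret
              create_secret_if_missing ocis-collaboration-wopi-secret \
                --from-literal=wopi-secret="$(gen_random 32)"

              # LDAP bind secrets (three passwords for different bind users)
              create_secret_if_missing ocis-ldap-bind-secrets \
                --from-literal=reva-ldap-bind-password="$(gen_random 32)" \
                --from-literal=idp-ldap-bind-password="$(gen_random 32)" \
                --from-literal=graph-ldap-bind-password="$(gen_random 32)"

              # IDP secret (encryption key + RSA private key). The key is
              # generated only when the Secret is missing (4096-bit keygen is
              # slow), and into a variable so that a failing openssl aborts the
              # script instead of producing an empty private-key.pem.
              if secret_exists ocis-idp-secrets; then
                echo "Secret ocis-idp-secrets already exists, skipping"
              else
                idp_private_key="$(openssl genrsa 4096 2>/dev/null)"
                if [ -z "$idp_private_key" ]; then
                  echo "ERROR: failed to generate the IDP RSA private key" >&2
                  exit 1
                fi
                create_secret_if_missing ocis-idp-secrets \
                  --from-literal=encryption.key="$(gen_random 32)" \
                  --from-literal=private-key.pem="$idp_private_key"
              fi

              # LDAP CA + server certificate (self-signed CA, 10-year validity).
              # The CA private key is deliberately not stored, so the server
              # certificate cannot be re-issued later: both Secrets must come
              # from the same run. A state where only one of them exists (e.g.
              # an earlier run died between the two creates) is reported as an
              # error rather than silently skipped, which previously left
              # ocis-ldap-cert missing for good.
              if secret_exists ocis-ldap-ca && secret_exists ocis-ldap-cert; then
                echo "Secrets ocis-ldap-ca and ocis-ldap-cert already exist, skipping LDAP certs"
              elif secret_exists ocis-ldap-ca || secret_exists ocis-ldap-cert; then
                echo "ERROR: only one of ocis-ldap-ca / ocis-ldap-cert exists; delete it and re-run" >&2
                exit 1
              else
                # Private keys only ever touch a private temp dir that is removed
                # on every exit path, including failures.
                workdir="$(mktemp -d)"
                trap 'rm -rf "$workdir"' EXIT

                openssl req -x509 -newkey rsa:2048 \
                  -keyout "$workdir/ldap-ca.key" -out "$workdir/ldap-ca.crt" \
                  -days 3650 -nodes -subj "/CN=ldap-ca" 2>/dev/null

                # Server cert for the idm service, signed by the CA above. The
                # SAN is also passed via -extfile because `openssl x509 -req`
                # does not carry CSR extensions over by default.
                printf "subjectAltName=DNS:idm" > "$workdir/ldap-ext.cnf"
                openssl req -newkey rsa:2048 \
                  -keyout "$workdir/ldap.key" -out "$workdir/ldap.csr" \
                  -nodes -subj "/CN=idm" -addext "subjectAltName=DNS:idm" 2>/dev/null
                openssl x509 -req -in "$workdir/ldap.csr" \
                  -CA "$workdir/ldap-ca.crt" -CAkey "$workdir/ldap-ca.key" \
                  -CAcreateserial -out "$workdir/ldap.crt" -days 3650 \
                  -extfile "$workdir/ldap-ext.cnf" 2>/dev/null

                # All material is generated before the first kubectl call to keep
                # the window for a half-initialised state as small as possible.
                kubectl create secret generic ocis-ldap-ca -n "${NAMESPACE}" \
                  --from-file=ldap-ca.crt="$workdir/ldap-ca.crt"
                echo "Created secret ocis-ldap-ca"
                kubectl create secret generic ocis-ldap-cert -n "${NAMESPACE}" \
                  --from-file=ldap.crt="$workdir/ldap.crt" \
                  --from-file=ldap.key="$workdir/ldap.key"
                echo "Created secret ocis-ldap-cert"
              fi

              echo "All secrets initialized successfully"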