gitea_admin/k8s-and-chill
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
k8s-and-chill/rendered/envs/production/ocis/job-ocis-admin-user-id-init.yaml
Felix Wolf fe51c8c1bc feat(minikube): add minikube environment with garage S3 backend 
Adds a self-contained minikube environment for local development and
testing alongside the existing production env.

env: minikube
  - cluster.domain: minikube (browser DNS routes *.minikube → minikube ip)
  - tls issuer: mkcert (CA-signed via cert-manager mkcert ClusterIssuer)
  - storageClass: standard (minikube hostpath provisioner)
  - backups disabled; storagebox disabled
  - excludes argocd, forgejo, hcloud-csi (manual kubectl apply for testing)

prototypes/garage:
  - hand-rolled S3-compatible object store (single Deployment + PVC)
  - mittwald-generated rpc_secret + admin_token (hex)
  - PostSync init Job: assigns cluster layout, ensures bucket and access
    key, writes ocis-s3-credentials cross-namespace into ocis ns
  - idempotent: skips if k8s secret already populated; otherwise rotates
    the garage key (admin API only returns secretAccessKey on create)
  - cross-ns RBAC re-pinned via zz-cross-ns-rbac-fix overlay (ns.ytt.yaml
    clobbers explicit namespace fields)

ocis:
  - new admin-user-id init Job ensures secret.user-id is a valid UUID v4
    (mittwald can't generate UUIDs; ocis-settings rejects non-UUID ids)
  - mittwald no longer manages user-id; existing prod UUIDs preserved
  - insecure flag (oidcIdpInsecure / ocisHttpApiInsecure / ocmInsecure)
    parameterized; defaults to false; minikube sets true for self-signed
    OIDC issuer URL trust

other prototypes:
  - victoria-metrics-single helm values ytt-ified (storageClassName)
  - grafana admin secret now generated by mittwald (was hand-created in
    prod; manifest is no-op there since mittwald only fills empty fields)

flake.nix: minikube + docker + postgresql added to dev shell.
2026-05-03 17:23:57 +02:00

70 lines
2.6 KiB
YAML
Raw Blame History

apiVersion: batch/v1
kind: Job
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
argocd.argoproj.io/hook: PreSync
argocd.argoproj.io/sync-options: Replace=true
argocd.argoproj.io/sync-wave: "-1"
name: ocis-admin-user-id-init
namespace: ocis
spec:
backoffLimit: 10
template:
spec:
containers:
- command:
- sh
- -c
- |
set -eu
UUID_RE='^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
for i in $(seq 1 30); do
if kubectl -n "${NAMESPACE}" get secret ocis-admin-user >/dev/null 2>&1; then break; fi
echo "[admin-user-id-init] waiting for ocis-admin-user secret..."
sleep 2
done
CUR_B64=$(kubectl -n "${NAMESPACE}" get secret ocis-admin-user -o jsonpath='{.data.user-id}' 2>/dev/null || echo "")
if [ -n "${CUR_B64}" ]; then
CUR=$(echo "${CUR_B64}" | base64 -d)
if echo "${CUR}" | grep -Eq "${UUID_RE}"; then
echo "[admin-user-id-init] user-id is a valid UUID, leaving alone"
exit 0
fi
echo "[admin-user-id-init] user-id present but not a valid UUID; replacing"
else
echo "[admin-user-id-init] user-id missing; generating"
fi
NEW_UUID=$(cat /proc/sys/kernel/random/uuid)
NEW_B64=$(printf '%s' "${NEW_UUID}" | base64 -w0)
kubectl -n "${NAMESPACE}" patch secret ocis-admin-user --type=json \
-p "[{\"op\":\"replace\",\"path\":\"/data/user-id\",\"value\":\"${NEW_B64}\"}]" \
|| kubectl -n "${NAMESPACE}" patch secret ocis-admin-user --type=json \
-p "[{\"op\":\"add\",\"path\":\"/data/user-id\",\"value\":\"${NEW_B64}\"}]"
echo "[admin-user-id-init] set user-id to ${NEW_UUID}"
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: alpine/k8s:1.32.3
name: ensure-uuid
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
restartPolicy: OnFailure
securityContext:
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
serviceAccountName: ocis-admin-user-id-init
ttlSecondsAfterFinished: 300
Reference in a new issue View git blame Copy permalink