106271ffa3
Removes all 13 Helm-generated secrets from rendered output and instead generates them at deploy time via an init Job. The Job creates secrets with random credentials only if they don't already exist, ensuring idempotent deploys. Runs as ArgoCD PreSync hook so secrets are ready before oCIS pods start. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
157 lines
4.5 KiB
YAML
157 lines
4.5 KiB
YAML
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
annotations:
|
|
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
|
labels:
|
|
app.kubernetes.io/instance: ocis
|
|
app.kubernetes.io/managed-by: Helm
|
|
app.kubernetes.io/name: ocis
|
|
app.kubernetes.io/version: 7.1.4
|
|
helm.sh/chart: ocis-0.7.0
|
|
name: idm
|
|
namespace: ocis
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app: idm
|
|
strategy:
|
|
type: Recreate
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: idm
|
|
app.kubernetes.io/instance: ocis
|
|
app.kubernetes.io/managed-by: Helm
|
|
app.kubernetes.io/name: ocis
|
|
app.kubernetes.io/version: 7.1.4
|
|
helm.sh/chart: ocis-0.7.0
|
|
spec:
|
|
containers:
|
|
- args:
|
|
- idm
|
|
- server
|
|
command:
|
|
- ocis
|
|
env:
|
|
- name: MICRO_REGISTRY
|
|
value: nats-js-kv
|
|
- name: MICRO_REGISTRY_ADDRESS
|
|
value: nats:9233
|
|
- name: IDM_LOG_COLOR
|
|
value: "false"
|
|
- name: IDM_LOG_LEVEL
|
|
value: info
|
|
- name: IDM_LOG_PRETTY
|
|
value: "false"
|
|
- name: IDM_TRACING_ENABLED
|
|
value: "false"
|
|
- name: IDM_TRACING_TYPE
|
|
value: jaeger
|
|
- name: IDM_TRACING_ENDPOINT
|
|
value: null
|
|
- name: IDM_TRACING_COLLECTOR
|
|
value: null
|
|
- name: IDM_DEBUG_PPROF
|
|
value: "false"
|
|
- name: IDM_LDAPS_ADDR
|
|
value: 0.0.0.0:9235
|
|
- name: IDM_DEBUG_ADDR
|
|
value: 0.0.0.0:9239
|
|
- name: IDM_CREATE_DEMO_USERS
|
|
value: "false"
|
|
- name: OCIS_OIDC_ISSUER
|
|
value: https://drive.tr1ceracop.de
|
|
- name: IDM_ADMIN_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
key: password
|
|
name: ocis-admin-user
|
|
- name: IDM_ADMIN_USER_ID
|
|
valueFrom:
|
|
secretKeyRef:
|
|
key: user-id
|
|
name: ocis-admin-user
|
|
- name: IDM_SVC_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
key: graph-ldap-bind-password
|
|
name: ocis-ldap-bind-secrets
|
|
- name: IDM_REVASVC_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
key: reva-ldap-bind-password
|
|
name: ocis-ldap-bind-secrets
|
|
- name: IDM_IDPSVC_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
key: idp-ldap-bind-password
|
|
name: ocis-ldap-bind-secrets
|
|
- name: IDM_LDAPS_CERT
|
|
value: /etc/ocis/ldap-cert/ldap.crt
|
|
- name: IDM_LDAPS_KEY
|
|
value: /etc/ocis/ldap-cert/ldap.key
|
|
image: owncloud/ocis:7.1.4
|
|
imagePullPolicy: IfNotPresent
|
|
livenessProbe:
|
|
failureThreshold: 3
|
|
httpGet:
|
|
path: /healthz
|
|
port: metrics-debug
|
|
initialDelaySeconds: 60
|
|
periodSeconds: 20
|
|
timeoutSeconds: 10
|
|
name: idm
|
|
ports:
|
|
- containerPort: 9235
|
|
name: ldaps
|
|
- containerPort: 9239
|
|
name: metrics-debug
|
|
resources:
|
|
requests:
|
|
cpu: 10m
|
|
memory: 64Mi
|
|
securityContext:
|
|
readOnlyRootFilesystem: true
|
|
runAsGroup: 1000
|
|
runAsNonRoot: true
|
|
runAsUser: 1000
|
|
volumeMounts:
|
|
- mountPath: /etc/ocis/ldap-cert
|
|
name: ldap-cert
|
|
readOnly: true
|
|
- mountPath: /var/lib/ocis
|
|
name: idm-data
|
|
initContainers:
|
|
- command:
|
|
- mkdir
|
|
- -p
|
|
- /var/lib/ocis/idm
|
|
image: busybox:stable
|
|
imagePullPolicy: IfNotPresent
|
|
name: init-dir
|
|
resources:
|
|
requests:
|
|
cpu: 10m
|
|
memory: 64Mi
|
|
securityContext:
|
|
readOnlyRootFilesystem: true
|
|
runAsGroup: 1000
|
|
runAsNonRoot: true
|
|
runAsUser: 1000
|
|
volumeMounts:
|
|
- mountPath: /var/lib/ocis
|
|
name: idm-data
|
|
nodeSelector: {}
|
|
securityContext:
|
|
fsGroup: 1000
|
|
fsGroupChangePolicy: OnRootMismatch
|
|
volumes:
|
|
- name: ldap-cert
|
|
secret:
|
|
secretName: ocis-ldap-cert
|
|
- name: idm-data
|
|
persistentVolumeClaim:
|
|
claimName: idm-data
|