gitea_admin/k8s-and-chill
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
k8s-and-chill/rendered/envs/production/ocis/job-ocis-secret-init.yaml
Felix Wolf 106271ffa3 fix(ocis): Move secret generation to PreSync init Job 
Removes all 13 Helm-generated secrets from rendered output and instead
generates them at deploy time via an init Job. The Job creates secrets
with random credentials only if they don't already exist, ensuring
idempotent deploys. Runs as ArgoCD PreSync hook so secrets are ready
before oCIS pods start.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-06 13:10:50 +02:00

129 lines
5.3 KiB
YAML
Raw Blame History

apiVersion: batch/v1
kind: Job
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
argocd.argoproj.io/hook: PreSync
argocd.argoproj.io/sync-options: Replace=true
argocd.argoproj.io/sync-wave: "-1"
name: ocis-secret-init
namespace: ocis
spec:
template:
spec:
containers:
- command:
- sh
- -c
- |
set -e
gen_random() {
head -c 32 /dev/urandom | base64 | tr -dc 'a-zA-Z0-9' | head -c "$1"
}
gen_uuid() {
cat /proc/sys/kernel/random/uuid
}
create_secret_if_missing() {
local name="$1"
shift
if kubectl get secret "$name" -n "${NAMESPACE}" >/dev/null 2>&1; then
echo "Secret $name already exists, skipping"
return
fi
kubectl create secret generic "$name" -n "${NAMESPACE}" "$@"
echo "Created secret $name"
}
# Validate external secrets exist
if ! kubectl get secret ocis-s3-credentials -n "${NAMESPACE}" >/dev/null 2>&1; then
echo "ERROR: External secret ocis-s3-credentials must be created manually"
exit 1
fi
# Admin user
create_secret_if_missing ocis-admin-user \
--from-literal=password="$(gen_random 32)" \
--from-literal=user-id="$(gen_uuid)"
# JWT secret
create_secret_if_missing ocis-jwt-secret \
--from-literal=jwt-secret="$(gen_random 32)"
# Machine auth API key
create_secret_if_missing ocis-machine-auth-api-key \
--from-literal=machine-auth-api-key="$(gen_random 32)"
# Storage system JWT secret
create_secret_if_missing ocis-storage-system-jwt-secret \
--from-literal=storage-system-jwt-secret="$(gen_random 32)"
# Storage system secret
create_secret_if_missing ocis-storage-system \
--from-literal=api-key="$(gen_random 32)" \
--from-literal=user-id="$(gen_uuid)"
# Transfer secret
create_secret_if_missing ocis-transfer-secret \
--from-literal=transfer-secret="$(gen_random 32)"
# Thumbnails transfer secret
create_secret_if_missing ocis-thumbnails-transfer-secret \
--from-literal=thumbnails-transfer-secret="$(gen_random 32)"
# Service account secret
create_secret_if_missing ocis-service-account-secret \
--from-literal=service-account-secret="$(gen_random 32)"
# Collaboration WOPI secret
create_secret_if_missing ocis-collaboration-wopi-secret \
--from-literal=wopi-secret="$(gen_random 32)"
# LDAP bind secrets (three passwords for different bind users)
create_secret_if_missing ocis-ldap-bind-secrets \
--from-literal=reva-ldap-bind-password="$(gen_random 32)" \
--from-literal=idp-ldap-bind-password="$(gen_random 32)" \
--from-literal=graph-ldap-bind-password="$(gen_random 32)"
# IDP secret (encryption key + RSA private key)
create_secret_if_missing ocis-idp-secrets \
--from-literal=encryption.key="$(gen_random 32)" \
--from-literal=private-key.pem="$(openssl genrsa 4096 2>/dev/null)"
# LDAP CA cert + key (self-signed)
if ! kubectl get secret ocis-ldap-ca -n "${NAMESPACE}" >/dev/null 2>&1; then
openssl req -x509 -newkey rsa:2048 -keyout /tmp/ldap-ca.key -out /tmp/ldap-ca.crt \
-days 3650 -nodes -subj "/CN=ldap-ca" 2>/dev/null
kubectl create secret generic ocis-ldap-ca -n "${NAMESPACE}" \
--from-file=ldap-ca.crt=/tmp/ldap-ca.crt
echo "Created secret ocis-ldap-ca"
# LDAP server cert signed by the CA
openssl req -newkey rsa:2048 -keyout /tmp/ldap.key -out /tmp/ldap.csr \
-nodes -subj "/CN=idm" -addext "subjectAltName=DNS:idm" 2>/dev/null
openssl x509 -req -in /tmp/ldap.csr -CA /tmp/ldap-ca.crt -CAkey /tmp/ldap-ca.key \
-CAcreateserial -out /tmp/ldap.crt -days 3650 \
-extfile <(printf "subjectAltName=DNS:idm") 2>/dev/null
kubectl create secret generic ocis-ldap-cert -n "${NAMESPACE}" \
--from-file=ldap.crt=/tmp/ldap.crt \
--from-file=ldap.key=/tmp/ldap.key
echo "Created secret ocis-ldap-cert"
rm -f /tmp/ldap-ca.key /tmp/ldap-ca.crt /tmp/ldap.key /tmp/ldap.crt /tmp/ldap.csr /tmp/ldap-ca.srl
else
echo "Secret ocis-ldap-ca already exists, skipping LDAP certs"
fi
echo "All secrets initialized successfully"
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: alpine/k8s:1.32.3
name: init
restartPolicy: OnFailure
serviceAccountName: ocis-secret-init
ttlSecondsAfterFinished: 300
Reference in a new issue View git blame Copy permalink