2ea94241af
Removes all 13 Helm-generated secrets from rendered output and instead generates them at deploy time via an init Job. The Job creates secrets with random credentials only if they don't already exist, ensuring idempotent deploys. Runs as ArgoCD PreSync hook so secrets are ready before oCIS pods start. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
156 lines
4.7 KiB
YAML
156 lines
4.7 KiB
YAML
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
annotations:
|
|
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
|
labels:
|
|
app.kubernetes.io/instance: ocis
|
|
app.kubernetes.io/managed-by: Helm
|
|
app.kubernetes.io/name: ocis
|
|
app.kubernetes.io/version: 7.1.4
|
|
helm.sh/chart: ocis-0.7.0
|
|
name: graph
|
|
namespace: ocis
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app: graph
|
|
strategy:
|
|
rollingUpdate:
|
|
maxSurge: 25%
|
|
maxUnavailable: 25%
|
|
type: RollingUpdate
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: graph
|
|
app.kubernetes.io/instance: ocis
|
|
app.kubernetes.io/managed-by: Helm
|
|
app.kubernetes.io/name: ocis
|
|
app.kubernetes.io/version: 7.1.4
|
|
helm.sh/chart: ocis-0.7.0
|
|
spec:
|
|
containers:
|
|
- args:
|
|
- graph
|
|
- server
|
|
command:
|
|
- ocis
|
|
env:
|
|
- name: MICRO_REGISTRY
|
|
value: nats-js-kv
|
|
- name: MICRO_REGISTRY_ADDRESS
|
|
value: nats:9233
|
|
- name: OCIS_CORS_ALLOW_ORIGINS
|
|
value: https://drive.tr1ceracop.de
|
|
- name: OCIS_EVENTS_ENDPOINT
|
|
value: nats:9233
|
|
- name: OCIS_CACHE_STORE
|
|
value: nats-js-kv
|
|
- name: OCIS_CACHE_STORE_NODES
|
|
value: nats:9233
|
|
- name: OCIS_CACHE_DISABLE_PERSISTENCE
|
|
value: "true"
|
|
- name: GRAPH_LOG_COLOR
|
|
value: "false"
|
|
- name: GRAPH_LOG_LEVEL
|
|
value: info
|
|
- name: GRAPH_LOG_PRETTY
|
|
value: "false"
|
|
- name: GRAPH_TRACING_ENABLED
|
|
value: "false"
|
|
- name: GRAPH_TRACING_TYPE
|
|
value: jaeger
|
|
- name: GRAPH_TRACING_ENDPOINT
|
|
value: null
|
|
- name: GRAPH_TRACING_COLLECTOR
|
|
value: null
|
|
- name: GRAPH_DEBUG_PPROF
|
|
value: "false"
|
|
- name: GRAPH_HTTP_ADDR
|
|
value: 0.0.0.0:9120
|
|
- name: GRAPH_DEBUG_ADDR
|
|
value: 0.0.0.0:9124
|
|
- name: GRAPH_SPACES_WEBDAV_BASE
|
|
value: https://drive.tr1ceracop.de
|
|
- name: GRAPH_IDENTITY_SEARCH_MIN_LENGTH
|
|
value: "3"
|
|
- name: GRAPH_LDAP_URI
|
|
value: ldaps://idm:9235
|
|
- name: GRAPH_LDAP_CACERT
|
|
value: /etc/ocis/ldap-ca/ldap-ca.crt
|
|
- name: GRAPH_LDAP_BIND_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
key: graph-ldap-bind-password
|
|
name: ocis-ldap-bind-secrets
|
|
- name: OCIS_SHOW_USER_EMAIL_IN_RESULTS
|
|
value: "false"
|
|
- name: GRAPH_APPLICATION_ID
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
key: application-id
|
|
name: graph
|
|
- name: GRAPH_JWT_SECRET
|
|
valueFrom:
|
|
secretKeyRef:
|
|
key: jwt-secret
|
|
name: ocis-jwt-secret
|
|
- name: OCIS_DEFAULT_LANGUAGE
|
|
value: en
|
|
- name: GRAPH_SERVICE_ACCOUNT_ID
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
key: service-account-id
|
|
name: auth-service
|
|
- name: GRAPH_SERVICE_ACCOUNT_SECRET
|
|
valueFrom:
|
|
secretKeyRef:
|
|
key: service-account-secret
|
|
name: ocis-service-account-secret
|
|
- name: OCIS_ENABLE_OCM
|
|
value: "false"
|
|
image: owncloud/ocis:7.1.4
|
|
imagePullPolicy: IfNotPresent
|
|
livenessProbe:
|
|
failureThreshold: 3
|
|
httpGet:
|
|
path: /healthz
|
|
port: metrics-debug
|
|
initialDelaySeconds: 60
|
|
periodSeconds: 20
|
|
timeoutSeconds: 10
|
|
name: graph
|
|
ports:
|
|
- containerPort: 9120
|
|
name: http
|
|
- containerPort: 9124
|
|
name: metrics-debug
|
|
resources:
|
|
requests:
|
|
cpu: 10m
|
|
memory: 64Mi
|
|
securityContext:
|
|
readOnlyRootFilesystem: true
|
|
runAsGroup: 1000
|
|
runAsNonRoot: true
|
|
runAsUser: 1000
|
|
volumeMounts:
|
|
- mountPath: /etc/ocis/messaging-system-ca
|
|
name: messaging-system-ca
|
|
readOnly: true
|
|
- mountPath: /etc/ocis/ldap-ca
|
|
name: ldap-ca
|
|
readOnly: true
|
|
nodeSelector: {}
|
|
securityContext:
|
|
fsGroup: 1000
|
|
fsGroupChangePolicy: OnRootMismatch
|
|
volumes:
|
|
- emptyDir: {}
|
|
name: messaging-system-ca
|
|
- name: ldap-ca
|
|
secret:
|
|
secretName: ocis-ldap-ca
|