k8s-and-chill/rendered/envs/production/ocis/deployment-sharing.yaml
Felix Wolf 2ea94241af fix(ocis): Move secret generation to PreSync init Job
Removes all 13 Helm-generated secrets from rendered output and instead
generates them at deploy time via an init Job. The Job creates secrets
with random credentials only if they don't already exist, ensuring
idempotent deploys. Runs as ArgoCD PreSync hook so secrets are ready
before oCIS pods start.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-06 13:27:17 +02:00


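---
# oCIS "sharing" service (ocis sharing server), rendered from helm chart
# ocis-0.7.0 / app 7.1.4 for the production environment.
#
# NOTE(review): this file is rendered output. Durable changes belong in the
# chart values / overlay that produces it; hand edits here are overwritten on
# the next render.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
  labels:
    app.kubernetes.io/instance: ocis
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ocis
    app.kubernetes.io/version: 7.1.4
    helm.sh/chart: ocis-0.7.0
  name: sharing
  namespace: ocis
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sharing
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: sharing
        app.kubernetes.io/instance: ocis
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/name: ocis
        app.kubernetes.io/version: 7.1.4
        helm.sh/chart: ocis-0.7.0
    spec:
      containers:
        - args:
            - sharing
            - server
          command:
            - ocis
          env:
            # Service registry and event bus both go through NATS on the
            # cluster-internal "nats" service.
            - name: MICRO_REGISTRY
              value: nats-js-kv
            - name: MICRO_REGISTRY_ADDRESS
              value: nats:9233
            - name: OCIS_EVENTS_ENDPOINT
              value: nats:9233
            - name: SHARING_LOG_COLOR
              value: "false"
            - name: SHARING_LOG_LEVEL
              value: info
            - name: SHARING_LOG_PRETTY
              value: "false"
            # Tracing is off; endpoint/collector are intentionally unset
            # (null -> empty env var) and only matter if it is switched on.
            - name: SHARING_TRACING_ENABLED
              value: "false"
            - name: SHARING_TRACING_TYPE
              value: jaeger
            - name: SHARING_TRACING_ENDPOINT
              value: null
            - name: SHARING_TRACING_COLLECTOR
              value: null
            - name: SHARING_DEBUG_PPROF
              value: "false"
            # 9150 = gRPC API (named port "grpc"); 9151 = debug/metrics
            # endpoint used by the liveness probe below. Neither is
            # privileged, so the container needs no capabilities.
            - name: SHARING_GRPC_ADDR
              value: 0.0.0.0:9150
            - name: SHARING_DEBUG_ADDR
              value: 0.0.0.0:9151
            # Shared JWT signing secret; created at deploy time by the
            # PreSync init Job rather than rendered into this file.
            - name: SHARING_JWT_SECRET
              valueFrom:
                secretKeyRef:
                  key: jwt-secret
                  name: ocis-jwt-secret
            # NOTE(review): public shares -- including writeable ones -- may be
            # created without a password, and every password-policy minimum is
            # 0, so the only control left is the banned-passwords list mounted
            # under /etc/ocis. For a production environment confirm this is
            # deliberate; at minimum consider requiring a password for
            # writeable public shares.
            - name: SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD
              value: "false"
            - name: SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD
              value: "false"
            - name: SHARING_PASSWORD_POLICY_MIN_CHARACTERS
              value: "0"
            - name: SHARING_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS
              value: "0"
            - name: SHARING_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS
              value: "0"
            - name: SHARING_PASSWORD_POLICY_MIN_DIGITS
              value: "0"
            - name: SHARING_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS
              value: "0"
            - name: SHARING_PASSWORD_POLICY_BANNED_PASSWORDS_LIST
              value: /etc/ocis/sharing-banned-passwords.txt
            # Share metadata lives in the storage-system space; both the user
            # and public drivers authenticate as the same system user, whose
            # id and API key come from the ocis-storage-system secret.
            - name: SHARING_USER_DRIVER
              value: jsoncs3
            - name: SHARING_USER_JSONCS3_SYSTEM_USER_API_KEY
              valueFrom:
                secretKeyRef:
                  key: api-key
                  name: ocis-storage-system
            - name: SHARING_USER_JSONCS3_SYSTEM_USER_ID
              valueFrom:
                secretKeyRef:
                  key: user-id
                  name: ocis-storage-system
            - name: SHARING_PUBLIC_DRIVER
              value: jsoncs3
            - name: SHARING_PUBLIC_JSONCS3_SYSTEM_USER_API_KEY
              valueFrom:
                secretKeyRef:
                  key: api-key
                  name: ocis-storage-system
            - name: SHARING_PUBLIC_JSONCS3_SYSTEM_USER_ID
              valueFrom:
                secretKeyRef:
                  key: user-id
                  name: ocis-storage-system
            - name: SHARING_USER_JSONCS3_MAX_CONCURRENCY
              value: "20"
          # NOTE(review): a version tag is better than :latest, but for a
          # production supply chain prefer pinning the image by digest
          # (image@sha256:...) so the pull is immutable.
          image: owncloud/ocis:7.1.4
          imagePullPolicy: IfNotPresent
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: metrics-debug
            initialDelaySeconds: 60
            periodSeconds: 20
            timeoutSeconds: 10
          name: sharing
          ports:
            - containerPort: 9150
              name: grpc
            - containerPort: 9151
              name: metrics-debug
          # NOTE(review): requests only, no limits -- a single misbehaving
          # replica can consume the node; consider adding limits (via the
          # chart values) once steady-state usage is known.
          resources:
            requests:
              cpu: 10m
              memory: 64Mi
          # Container hardening, aligned with the "restricted" Pod Security
          # Standard. The process already runs as non-root UID/GID 1000 and
          # binds only unprivileged ports, so dropping all capabilities and
          # forbidding privilege escalation does not change what it can do.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsGroup: 1000
            runAsNonRoot: true
            runAsUser: 1000
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            # Writable scratch space; the root filesystem is read-only.
            - mountPath: /tmp
              name: tmp-volume
            - mountPath: /etc/ocis/messaging-system-ca
              name: messaging-system-ca
              readOnly: true
            # Banned-passwords list from the ConfigMap below.
            - mountPath: /etc/ocis
              name: configs
      nodeSelector: {}
      securityContext:
        fsGroup: 1000
        fsGroupChangePolicy: OnRootMismatch
      volumes:
        - emptyDir: {}
          name: tmp-volume
        # NOTE(review): this is an empty emptyDir, so no CA bundle is actually
        # provided at /etc/ocis/messaging-system-ca -- it looks like NATS is
        # reached without TLS verification here; confirm that is intended for
        # production.
        - emptyDir: {}
          name: messaging-system-ca
        - configMap:
            name: sharing-banned-passwords-sharing
          name: configs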