k8s-and-chill/rendered/envs/production/ocis/deployment-web.yaml
Felix Wolf 2ea94241af fix(ocis): Move secret generation to PreSync init Job
Removes all 13 Helm-generated secrets from rendered output and instead
generates them at deploy time via an init Job. The Job creates secrets
with random credentials only if they don't already exist, ensuring
idempotent deploys. Runs as ArgoCD PreSync hook so secrets are ready
before oCIS pods start.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-06 13:27:17 +02:00


# Deployment of the oCIS "web" service (the browser front end), rendered from
# Helm chart ocis-0.7.0 for app version 7.1.4 (see the labels below). This is
# generated output: change the chart values rather than editing it by hand.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
  labels:
    app.kubernetes.io/instance: ocis
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ocis
    app.kubernetes.io/version: 7.1.4
    helm.sh/chart: ocis-0.7.0
  name: web
  namespace: ocis
spec:
  # Single replica. With one replica, maxUnavailable 25% rounds down to 0 and
  # maxSurge 25% rounds up to 1, so a rollout starts the new pod before the
  # old one is terminated.
  replicas: 1
  selector:
    matchLabels:
      app: web
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      annotations:
        # Pod-template annotation: any change to this value forces a new
        # rollout. Presumably a hash of the web-config ConfigMap content —
        # confirm against the chart template.
        checksum/config: cec3e646a6e624081e4fe2c886cae482477f21ba2edc86cee2e89c17d92f2034
      labels:
        app: web
        app.kubernetes.io/instance: ocis
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/name: ocis
        app.kubernetes.io/version: 7.1.4
        helm.sh/chart: ocis-0.7.0
    spec:
      containers:
        # Runs `ocis web server` from the single oCIS image.
        - args:
            - web
            - server
          command:
            - ocis
          # Kubernetes env values must be strings, hence the quoted "true"/"false".
          env:
            # Service registry: the NATS JetStream KV backend at nats:9233.
            - name: MICRO_REGISTRY
              value: nats-js-kv
            - name: MICRO_REGISTRY_ADDRESS
              value: nats:9233
            # CORS is restricted to the single public origin; keep this exact
            # (no wildcard) so browser credentials cannot be sent cross-origin.
            - name: OCIS_CORS_ALLOW_ORIGINS
              value: https://drive.tr1ceracop.de
            - name: WEB_LOG_COLOR
              value: "false"
            - name: WEB_LOG_LEVEL
              value: info
            - name: WEB_LOG_PRETTY
              value: "false"
            # Tracing is disabled; the type/endpoint/collector below are inert.
            - name: WEB_TRACING_ENABLED
              value: "false"
            - name: WEB_TRACING_TYPE
              value: jaeger
            # `null` omits the API field, which the container sees as an empty
            # variable. Write "" if an explicit empty string is the intent.
            - name: WEB_TRACING_ENDPOINT
              value: null
            - name: WEB_TRACING_COLLECTOR
              value: null
            # pprof stays off; the debug listener below only serves health/metrics.
            - name: WEB_DEBUG_PPROF
              value: "false"
            # HTTP on 9100 (port "http"), debug/metrics on 9104 (port "metrics-debug").
            - name: WEB_HTTP_ADDR
              value: 0.0.0.0:9100
            - name: WEB_DEBUG_ADDR
              value: 0.0.0.0:9104
            # OIDC: the authority is the oCIS deployment itself (built-in IdP at
            # the public origin), public client id "web".
            - name: WEB_OIDC_AUTHORITY
              value: https://drive.tr1ceracop.de
            - name: WEB_OIDC_CLIENT_ID
              value: web
            - name: WEB_OIDC_SCOPE
              value: openid profile email
            - name: WEB_UI_THEME_SERVER
              value: https://drive.tr1ceracop.de
            - name: WEB_UI_THEME_PATH
              value: /themes/owncloud/theme.json
            - name: WEB_UI_CONFIG_SERVER
              value: https://drive.tr1ceracop.de
            - name: WEB_OPTION_CONTEXTHELPERS_READ_MORE
              value: "true"
            - name: WEB_OPTION_DISABLE_FEEDBACK_LINK
              value: "true"
            # NOTE(review): by its name this keeps OIDC tokens in the browser's
            # local storage (persists across tabs/sessions) rather than session
            # storage — confirm against the oCIS web docs and that this is intended.
            - name: WEB_OPTION_TOKEN_STORAGE_LOCAL
              value: "true"
            # Read from Secret ocis-jwt-secret, which (per the commit message) is
            # created by the PreSync init Job and no longer rendered here. The
            # reference is not optional, so the pod stays in
            # CreateContainerConfigError until that Secret exists.
            - name: WEB_JWT_SECRET
              valueFrom:
                secretKeyRef:
                  key: jwt-secret
                  name: ocis-jwt-secret
          # Tag-pinned image. Tags are mutable; pinning by digest
          # (owncloud/ocis@sha256:<digest>) would give a stronger guarantee that
          # the same bytes run on every node.
          image: owncloud/ocis:7.1.4
          imagePullPolicy: IfNotPresent
          # Liveness only, via /healthz on the debug port. No readinessProbe is
          # defined, so the pod counts as Ready as soon as the container is
          # running and can receive traffic before the service is up.
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: metrics-debug
            initialDelaySeconds: 60
            periodSeconds: 20
            timeoutSeconds: 10
          name: web
          ports:
            - containerPort: 9100
              name: http
            - containerPort: 9104
              name: metrics-debug
          # Requests only; no limits are set, so the container is not bounded
          # by cgroup limits on this node.
          resources:
            requests:
              cpu: 10m
              memory: 64Mi
          # Non-root, read-only root filesystem; writable paths come from the
          # volumes below. Not set here, and required by the Pod Security
          # "restricted" profile: allowPrivilegeEscalation: false,
          # capabilities.drop: ["ALL"], and a seccompProfile (RuntimeDefault).
          # The service listens on unprivileged ports, so dropping all
          # capabilities should not affect it — set them via the chart values.
          securityContext:
            readOnlyRootFilesystem: true
            runAsGroup: 1000
            runAsNonRoot: true
            runAsUser: 1000
          volumeMounts:
            # Rendered configuration from the web-config ConfigMap.
            - mountPath: /etc/ocis
              name: configs
            # Scratch space for web extensions, nested inside the web-data mount.
            - mountPath: /var/lib/ocis/web/assets/apps
              name: apps
            # Persistent state on the web-data PVC.
            - mountPath: /var/lib/ocis
              name: web-data
      nodeSelector: {}
      # Volumes are group-owned by 1000 to match runAsGroup; OnRootMismatch
      # only re-chowns the volume when its root directory does not already
      # match fsGroup.
      securityContext:
        fsGroup: 1000
        fsGroupChangePolicy: OnRootMismatch
      volumes:
        - configMap:
            name: web-config
          name: configs
        # emptyDir: contents are lost when the pod is deleted.
        - emptyDir: {}
          name: apps
        - name: web-data
          persistentVolumeClaim:
            claimName: web-data