2ea94241af
Removes all 13 Helm-generated secrets from rendered output and instead generates them at deploy time via an init Job. The Job creates secrets with random credentials only if they don't already exist, ensuring idempotent deploys. Runs as ArgoCD PreSync hook so secrets are ready before oCIS pods start. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
132 lines
5.5 KiB
YAML
132 lines
5.5 KiB
YAML
apiVersion: batch/v1
|
|
kind: Job
|
|
metadata:
|
|
annotations:
|
|
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
|
argocd.argoproj.io/hook: PreSync
|
|
argocd.argoproj.io/sync-options: Replace=true
|
|
argocd.argoproj.io/sync-wave: "-1"
|
|
name: ocis-secret-init
|
|
namespace: ocis
|
|
spec:
|
|
template:
|
|
spec:
|
|
containers:
|
|
- command:
|
|
- sh
|
|
- -c
|
|
- |
|
|
set -e
|
|
|
|
apk add --no-cache openssl >/dev/null 2>&1
|
|
|
|
gen_random() {
|
|
head -c 32 /dev/urandom | base64 | tr -dc 'a-zA-Z0-9' | head -c "$1"
|
|
}
|
|
|
|
gen_uuid() {
|
|
cat /proc/sys/kernel/random/uuid
|
|
}
|
|
|
|
create_secret_if_missing() {
|
|
local name="$1"
|
|
shift
|
|
if kubectl get secret "$name" -n "${NAMESPACE}" >/dev/null 2>&1; then
|
|
echo "Secret $name already exists, skipping"
|
|
return
|
|
fi
|
|
kubectl create secret generic "$name" -n "${NAMESPACE}" "$@"
|
|
echo "Created secret $name"
|
|
}
|
|
|
|
# Validate external secrets exist
|
|
if ! kubectl get secret ocis-s3-credentials -n "${NAMESPACE}" >/dev/null 2>&1; then
|
|
echo "ERROR: External secret ocis-s3-credentials must be created manually"
|
|
exit 1
|
|
fi
|
|
|
|
# Admin user
|
|
create_secret_if_missing ocis-admin-user \
|
|
--from-literal=password="$(gen_random 32)" \
|
|
--from-literal=user-id="$(gen_uuid)"
|
|
|
|
# JWT secret
|
|
create_secret_if_missing ocis-jwt-secret \
|
|
--from-literal=jwt-secret="$(gen_random 32)"
|
|
|
|
# Machine auth API key
|
|
create_secret_if_missing ocis-machine-auth-api-key \
|
|
--from-literal=machine-auth-api-key="$(gen_random 32)"
|
|
|
|
# Storage system JWT secret
|
|
create_secret_if_missing ocis-storage-system-jwt-secret \
|
|
--from-literal=storage-system-jwt-secret="$(gen_random 32)"
|
|
|
|
# Storage system secret
|
|
create_secret_if_missing ocis-storage-system \
|
|
--from-literal=api-key="$(gen_random 32)" \
|
|
--from-literal=user-id="$(gen_uuid)"
|
|
|
|
# Transfer secret
|
|
create_secret_if_missing ocis-transfer-secret \
|
|
--from-literal=transfer-secret="$(gen_random 32)"
|
|
|
|
# Thumbnails transfer secret
|
|
create_secret_if_missing ocis-thumbnails-transfer-secret \
|
|
--from-literal=thumbnails-transfer-secret="$(gen_random 32)"
|
|
|
|
# Service account secret
|
|
create_secret_if_missing ocis-service-account-secret \
|
|
--from-literal=service-account-secret="$(gen_random 32)"
|
|
|
|
# Collaboration WOPI secret
|
|
create_secret_if_missing ocis-collaboration-wopi-secret \
|
|
--from-literal=wopi-secret="$(gen_random 32)"
|
|
|
|
# LDAP bind secrets (three passwords for different bind users)
|
|
create_secret_if_missing ocis-ldap-bind-secrets \
|
|
--from-literal=reva-ldap-bind-password="$(gen_random 32)" \
|
|
--from-literal=idp-ldap-bind-password="$(gen_random 32)" \
|
|
--from-literal=graph-ldap-bind-password="$(gen_random 32)"
|
|
|
|
# IDP secret (encryption key + RSA private key)
|
|
create_secret_if_missing ocis-idp-secrets \
|
|
--from-literal=encryption.key="$(gen_random 32)" \
|
|
--from-literal=private-key.pem="$(openssl genrsa 4096 2>/dev/null)"
|
|
|
|
# LDAP CA cert + key (self-signed)
|
|
if ! kubectl get secret ocis-ldap-ca -n "${NAMESPACE}" >/dev/null 2>&1; then
|
|
openssl req -x509 -newkey rsa:2048 -keyout /tmp/ldap-ca.key -out /tmp/ldap-ca.crt \
|
|
-days 3650 -nodes -subj "/CN=ldap-ca" 2>/dev/null
|
|
kubectl create secret generic ocis-ldap-ca -n "${NAMESPACE}" \
|
|
--from-file=ldap-ca.crt=/tmp/ldap-ca.crt
|
|
echo "Created secret ocis-ldap-ca"
|
|
|
|
# LDAP server cert signed by the CA
|
|
printf "subjectAltName=DNS:idm" > /tmp/ldap-ext.cnf
|
|
openssl req -newkey rsa:2048 -keyout /tmp/ldap.key -out /tmp/ldap.csr \
|
|
-nodes -subj "/CN=idm" -addext "subjectAltName=DNS:idm" 2>/dev/null
|
|
openssl x509 -req -in /tmp/ldap.csr -CA /tmp/ldap-ca.crt -CAkey /tmp/ldap-ca.key \
|
|
-CAcreateserial -out /tmp/ldap.crt -days 3650 \
|
|
-extfile /tmp/ldap-ext.cnf 2>/dev/null
|
|
kubectl create secret generic ocis-ldap-cert -n "${NAMESPACE}" \
|
|
--from-file=ldap.crt=/tmp/ldap.crt \
|
|
--from-file=ldap.key=/tmp/ldap.key
|
|
echo "Created secret ocis-ldap-cert"
|
|
rm -f /tmp/ldap-ca.key /tmp/ldap-ca.crt /tmp/ldap.key /tmp/ldap.crt /tmp/ldap.csr /tmp/ldap-ca.srl /tmp/ldap-ext.cnf
|
|
else
|
|
echo "Secret ocis-ldap-ca already exists, skipping LDAP certs"
|
|
fi
|
|
|
|
echo "All secrets initialized successfully"
|
|
env:
|
|
- name: NAMESPACE
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.namespace
|
|
image: alpine/k8s:1.32.3
|
|
name: init
|
|
restartPolicy: OnFailure
|
|
serviceAccountName: ocis-secret-init
|
|
ttlSecondsAfterFinished: 300
|