k8s-and-chill/rendered/envs/production/ocis
Felix Wolf 85b8fec6b3 feat: replace secret-init Jobs with mittwald operator + cert-manager
Migrate ~180 LOC of openssl/kubectl init Jobs to declarative Secret
manifests reconciled by mittwald/kubernetes-secret-generator (random
strings, SSH keypair) and cert-manager Certificates (RSA private key +
self-signed CA chain). mittwald only fills empty fields, so existing
populated Secrets keep their current values across the migration.

Changes:

- New prototype kubernetes-secret-generator (chart 3.4.1, mittwald helm
  repo). Cluster-wide informer reconciler, no webhook -> cold-bootstrap
  safe via ArgoCD retries.
- New cert-manager selfsigned ClusterIssuer (in-cluster trust root).
  letsencrypt remains for public-DNS endpoints.
- forgejo: admin-secret Job replaced with a mittwald-annotated Secret
  (hex-encoded 24-char password). Deploy-key Job split: mittwald
  ssh-keypair Secret + slim Job that uploads pubkey to Forgejo and
  copies privkey into the argocd repo Secret.
- ocis: 13 Secrets / 16 random fields now mittwald-managed (UUIDs
  replaced with opaque random hex; ocis treats user-id as opaque). IDP
  RSA signing key, LDAP self-signed CA, and LDAP server cert produced
  by cert-manager. Per-Deployment ytt overlay remaps volume key paths
  (tls.crt -> ldap-ca.crt, tls.key -> private-key.pem, etc.) since the
  ocis chart mounts Secrets raw without items support. Old multi-secret
  s3-secret-job replaced with a slim external-secret precheck Job that
  only validates pre-created Hetzner S3/Storage Box credentials.
- Application sync-wave -10 on cert-manager and
  kubernetes-secret-generator so they install before consumers. ArgoCD
  selfHeal handles any residual races.

CLAUDE.md: remove the "all namespaces use privileged PodSecurity"
convention. Existing namespaces still carry the label and will be
audited separately.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-03 00:00:07 +02:00
certificate-ocis-idp-rsa.yaml feat: replace secret-init Jobs with mittwald operator + cert-manager 2026-05-03 00:00:07 +02:00
certificate-ocis-ldap-ca.yaml feat: replace secret-init Jobs with mittwald operator + cert-manager 2026-05-03 00:00:07 +02:00
certificate-ocis-ldap-cert.yaml feat: replace secret-init Jobs with mittwald operator + cert-manager 2026-05-03 00:00:07 +02:00
configmap-appregistry-config.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
configmap-auth-service.yaml feat: replace secret-init Jobs with mittwald operator + cert-manager 2026-05-03 00:00:07 +02:00
configmap-graph.yaml feat: replace secret-init Jobs with mittwald operator + cert-manager 2026-05-03 00:00:07 +02:00
configmap-proxy-config.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
configmap-sharing-banned-passwords-frontend.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
configmap-sharing-banned-passwords-sharing.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
configmap-storage-users.yaml feat: replace secret-init Jobs with mittwald operator + cert-manager 2026-05-03 00:00:07 +02:00
configmap-thumbnails-cleanup-script-configmap.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
configmap-web-config.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
cronjob-ocis-s3-backup.yaml feat: Implement S3 to Storage Box backup 2026-04-06 15:24:14 +02:00
cronjob-storage-users-clean-expired-uploads.yaml fix(ocis): resolve large file upload timeouts and enable stale upload cleanup 2026-04-24 20:12:24 +02:00
cronjob-storage-users-purge-expired-trash-bin-items.yaml feat(ocis): Transition to oCIS and enhance deployment 2026-04-06 14:01:55 +02:00
cronjob-storage-users-restart-postprocessing.yaml feat(ocis): Transition to oCIS and enhance deployment 2026-04-06 14:01:55 +02:00
cronjob-thumbnails-cleanup.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
deployment-activitylog.yaml feat(ocis): Transition to oCIS and enhance deployment 2026-04-06 14:01:55 +02:00
deployment-appregistry.yaml feat(ocis): Transition to oCIS and enhance deployment 2026-04-06 14:01:55 +02:00
deployment-audit.yaml feat(ocis): Transition to oCIS and enhance deployment 2026-04-06 14:01:55 +02:00
deployment-authmachine.yaml feat(ocis): Transition to oCIS and enhance deployment 2026-04-06 14:01:55 +02:00
deployment-authservice.yaml feat(ocis): Transition to oCIS and enhance deployment 2026-04-06 14:01:55 +02:00
deployment-clientlog.yaml feat(ocis): Transition to oCIS and enhance deployment 2026-04-06 14:01:55 +02:00
deployment-eventhistory.yaml feat(ocis): Transition to oCIS and enhance deployment 2026-04-06 14:01:55 +02:00
deployment-frontend.yaml feat(ocis): Transition to oCIS and enhance deployment 2026-04-06 14:01:55 +02:00
deployment-gateway.yaml feat(ocis): Transition to oCIS and enhance deployment 2026-04-06 14:01:55 +02:00
deployment-graph.yaml feat: replace secret-init Jobs with mittwald operator + cert-manager 2026-05-03 00:00:07 +02:00
deployment-groups.yaml feat: replace secret-init Jobs with mittwald operator + cert-manager 2026-05-03 00:00:07 +02:00
deployment-idm.yaml feat: replace secret-init Jobs with mittwald operator + cert-manager 2026-05-03 00:00:07 +02:00
deployment-idp.yaml feat: replace secret-init Jobs with mittwald operator + cert-manager 2026-05-03 00:00:07 +02:00
deployment-nats.yaml chore: update service resource requests and identifiers 2026-04-12 18:26:47 +02:00
deployment-ocdav.yaml feat(ocis): Transition to oCIS and enhance deployment 2026-04-06 14:01:55 +02:00
deployment-ocs.yaml feat(ocis): Transition to oCIS and enhance deployment 2026-04-06 14:01:55 +02:00
deployment-postprocessing.yaml feat(ocis): Transition to oCIS and enhance deployment 2026-04-06 14:01:55 +02:00
deployment-proxy.yaml feat(ocis): Transition to oCIS and enhance deployment 2026-04-06 14:01:55 +02:00
deployment-search.yaml feat(ocis): Transition to oCIS and enhance deployment 2026-04-06 14:01:55 +02:00
deployment-settings.yaml feat(ocis): Transition to oCIS and enhance deployment 2026-04-06 14:01:55 +02:00
deployment-sharing.yaml feat(ocis): Transition to oCIS and enhance deployment 2026-04-06 14:01:55 +02:00
deployment-sse.yaml feat(ocis): Transition to oCIS and enhance deployment 2026-04-06 14:01:55 +02:00
deployment-storagepubliclink.yaml feat(ocis): Transition to oCIS and enhance deployment 2026-04-06 14:01:55 +02:00
deployment-storageshares.yaml feat(ocis): Transition to oCIS and enhance deployment 2026-04-06 14:01:55 +02:00
deployment-storagesystem.yaml feat(ocis): Transition to oCIS and enhance deployment 2026-04-06 14:01:55 +02:00
deployment-storageusers.yaml feat: configure storageusers resources and anti-affinity 2026-04-06 16:39:24 +02:00
deployment-thumbnails.yaml feat(ocis): Transition to oCIS and enhance deployment 2026-04-06 14:01:55 +02:00
deployment-userlog.yaml feat(ocis): Transition to oCIS and enhance deployment 2026-04-06 14:01:55 +02:00
deployment-users.yaml feat: replace secret-init Jobs with mittwald operator + cert-manager 2026-05-03 00:00:07 +02:00
deployment-web.yaml feat(ocis): Transition to oCIS and enhance deployment 2026-04-06 14:01:55 +02:00
deployment-webdav.yaml feat(ocis): Transition to oCIS and enhance deployment 2026-04-06 14:01:55 +02:00
deployment-webfinger.yaml feat(ocis): Transition to oCIS and enhance deployment 2026-04-06 14:01:55 +02:00
ingress-proxy.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
issuer-ocis-ldap-ca.yaml feat: replace secret-init Jobs with mittwald operator + cert-manager 2026-05-03 00:00:07 +02:00
job-ocis-external-secret-precheck.yaml feat: replace secret-init Jobs with mittwald operator + cert-manager 2026-05-03 00:00:07 +02:00
namespace-ocis.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
persistentvolumeclaim-idm-data.yaml feat: Configure Ocis for Hetzner Cloud storage 2026-04-06 14:25:35 +02:00
persistentvolumeclaim-nats-data.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
persistentvolumeclaim-search-data.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
persistentvolumeclaim-storagesystem-data.yaml feat: Configure Ocis for Hetzner Cloud storage 2026-04-06 14:25:35 +02:00
persistentvolumeclaim-storageusers-data.yaml feat: Configure Ocis for Hetzner Cloud storage 2026-04-06 14:25:35 +02:00
persistentvolumeclaim-thumbnails-data.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
persistentvolumeclaim-web-data.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
role-ocis-external-secret-precheck.yaml feat: replace secret-init Jobs with mittwald operator + cert-manager 2026-05-03 00:00:07 +02:00
rolebinding-ocis-external-secret-precheck.yaml feat: replace secret-init Jobs with mittwald operator + cert-manager 2026-05-03 00:00:07 +02:00
secret-ocis-admin-user.yaml feat: replace secret-init Jobs with mittwald operator + cert-manager 2026-05-03 00:00:07 +02:00
secret-ocis-collaboration-wopi-secret.yaml feat: replace secret-init Jobs with mittwald operator + cert-manager 2026-05-03 00:00:07 +02:00
secret-ocis-idp-encryption.yaml feat: replace secret-init Jobs with mittwald operator + cert-manager 2026-05-03 00:00:07 +02:00
secret-ocis-jwt-secret.yaml feat: replace secret-init Jobs with mittwald operator + cert-manager 2026-05-03 00:00:07 +02:00
secret-ocis-ldap-bind-secrets.yaml feat: replace secret-init Jobs with mittwald operator + cert-manager 2026-05-03 00:00:07 +02:00
secret-ocis-machine-auth-api-key.yaml feat: replace secret-init Jobs with mittwald operator + cert-manager 2026-05-03 00:00:07 +02:00
secret-ocis-service-account-secret.yaml feat: replace secret-init Jobs with mittwald operator + cert-manager 2026-05-03 00:00:07 +02:00
secret-ocis-storage-system-jwt-secret.yaml feat: replace secret-init Jobs with mittwald operator + cert-manager 2026-05-03 00:00:07 +02:00
secret-ocis-storage-system.yaml feat: replace secret-init Jobs with mittwald operator + cert-manager 2026-05-03 00:00:07 +02:00
secret-ocis-thumbnails-transfer-secret.yaml feat: replace secret-init Jobs with mittwald operator + cert-manager 2026-05-03 00:00:07 +02:00
secret-ocis-transfer-secret.yaml feat: replace secret-init Jobs with mittwald operator + cert-manager 2026-05-03 00:00:07 +02:00
service-activitylog.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
service-appregistry.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
service-audit.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
service-authmachine.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
service-authservice.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
service-clientlog.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
service-eventhistory.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
service-frontend.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
service-gateway.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
service-graph.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
service-groups.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
service-idm.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
service-idp.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
service-nats.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
service-ocdav.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
service-ocs.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
service-postprocessing.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
service-proxy.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
service-search.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
service-settings.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
service-sharing.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
service-sse.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
service-storagepubliclink.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
service-storageshares.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
service-storagesystem.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
service-storageusers.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
service-thumbnails.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
service-userlog.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
service-users.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
service-web.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
service-webdav.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
service-webfinger.yaml feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale) 2026-04-04 20:19:54 +02:00
serviceaccount-ocis-external-secret-precheck.yaml feat: replace secret-init Jobs with mittwald operator + cert-manager 2026-05-03 00:00:07 +02:00
serviceaccount-ocis-s3-backup.yaml feat: Implement S3 to Storage Box backup 2026-04-06 15:24:14 +02:00