9d89231de4
Removes all 13 Helm-generated secrets from rendered output and instead generates them at deploy time via an init Job. The Job creates secrets with random credentials only if they don't already exist, ensuring idempotent deploys. Runs as ArgoCD PreSync hook so secrets are ready before oCIS pods start. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
125 lines
3.7 KiB
YAML
125 lines
3.7 KiB
YAML
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
annotations:
|
|
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
|
ignore-check.kube-linter.io/env-var-secret: IDP_ENCRYPTION_SECRET_FILE is no secret, it's the file path to the secret
|
|
labels:
|
|
app.kubernetes.io/instance: ocis
|
|
app.kubernetes.io/managed-by: Helm
|
|
app.kubernetes.io/name: ocis
|
|
app.kubernetes.io/version: 7.1.4
|
|
helm.sh/chart: ocis-0.7.0
|
|
name: idp
|
|
namespace: ocis
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app: idp
|
|
strategy:
|
|
type: Recreate
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: idp
|
|
app.kubernetes.io/instance: ocis
|
|
app.kubernetes.io/managed-by: Helm
|
|
app.kubernetes.io/name: ocis
|
|
app.kubernetes.io/version: 7.1.4
|
|
helm.sh/chart: ocis-0.7.0
|
|
spec:
|
|
containers:
|
|
- args:
|
|
- idp
|
|
- server
|
|
command:
|
|
- ocis
|
|
env:
|
|
- name: MICRO_REGISTRY
|
|
value: nats-js-kv
|
|
- name: MICRO_REGISTRY_ADDRESS
|
|
value: nats:9233
|
|
- name: IDP_LOG_COLOR
|
|
value: "false"
|
|
- name: IDP_LOG_LEVEL
|
|
value: info
|
|
- name: IDP_LOG_PRETTY
|
|
value: "false"
|
|
- name: IDP_TRACING_ENABLED
|
|
value: "false"
|
|
- name: IDP_TRACING_TYPE
|
|
value: jaeger
|
|
- name: IDP_TRACING_ENDPOINT
|
|
value: null
|
|
- name: IDP_TRACING_COLLECTOR
|
|
value: null
|
|
- name: IDP_DEBUG_PPROF
|
|
value: "false"
|
|
- name: IDP_HTTP_ADDR
|
|
value: 0.0.0.0:9130
|
|
- name: IDP_DEBUG_ADDR
|
|
value: 0.0.0.0:9134
|
|
- name: OCIS_URL
|
|
value: https://drive.tr1ceracop.de
|
|
- name: IDP_LDAP_URI
|
|
value: ldaps://idm:9235
|
|
- name: IDP_LDAP_TLS_CACERT
|
|
value: /etc/ocis/ldap-ca/ldap-ca.crt
|
|
- name: IDP_LDAP_BIND_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
key: idp-ldap-bind-password
|
|
name: ocis-ldap-bind-secrets
|
|
- name: IDP_SIGNING_PRIVATE_KEY_FILES
|
|
value: /etc/ocis/idp/private-key.pem
|
|
- name: IDP_ENCRYPTION_SECRET_FILE
|
|
value: /etc/ocis/idp/encryption.key
|
|
image: owncloud/ocis:7.1.4
|
|
imagePullPolicy: IfNotPresent
|
|
livenessProbe:
|
|
failureThreshold: 3
|
|
httpGet:
|
|
path: /healthz
|
|
port: metrics-debug
|
|
initialDelaySeconds: 60
|
|
periodSeconds: 20
|
|
timeoutSeconds: 10
|
|
name: idp
|
|
ports:
|
|
- containerPort: 9130
|
|
name: http
|
|
- containerPort: 9134
|
|
name: metrics-debug
|
|
resources:
|
|
requests:
|
|
cpu: 10m
|
|
memory: 64Mi
|
|
securityContext:
|
|
readOnlyRootFilesystem: true
|
|
runAsGroup: 1000
|
|
runAsNonRoot: true
|
|
runAsUser: 1000
|
|
volumeMounts:
|
|
- mountPath: /var/lib/ocis
|
|
name: ocis-data-tmp
|
|
- mountPath: /etc/ocis/ldap-ca
|
|
name: ldap-ca
|
|
readOnly: true
|
|
- mountPath: /etc/ocis/idp
|
|
name: idp-secrets
|
|
readOnly: true
|
|
nodeSelector: {}
|
|
securityContext:
|
|
fsGroup: 1000
|
|
fsGroupChangePolicy: OnRootMismatch
|
|
volumes:
|
|
- emptyDir: {}
|
|
name: ocis-data-tmp
|
|
- name: ldap-ca
|
|
secret:
|
|
secretName: ocis-ldap-ca
|
|
- name: idp-secrets
|
|
secret:
|
|
secretName: ocis-idp-secrets
|