k8s-and-chill/rendered/envs/production/ocis/job-ocis-secret-init.yaml
Felix Wolf 4e48df73d3 feat(ocis): Transition to oCIS and enhance deployment
Removes the full Nextcloud stack (PostgreSQL/CNPG, Valkey, Caddy) and
  deploys oCIS at drive.tr1ceracop.de. oCIS is self-contained — no
  external database or cache needed.

  Key design decisions:
  - S3ng storage backend on Hetzner Object Storage (ocis-tr1ceracop)
  - Chart fetched via vendir git source (not published to a Helm repo)
  - All secrets generated in-cluster via PreSync init Job (never in git)
  - Memory requests on all pods to prevent node overcommit
  - Persistence on local-path for metadata (idm, nats, search, storage)

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-06 14:01:55 +02:00


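# Argo CD PreSync hook: generates every oCIS runtime secret in-cluster so none
# is committed to git. Each secret is created only if it does not already
# exist, so re-running the Job is safe. The one externally provisioned secret
# (ocis-s3-credentials) is only validated, never created here.
apiVersion: batch/v1
kind: Job
metadata:
  annotations:
    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
    # Runs before the main sync (wave -1) so the oCIS pods find their secrets.
    argocd.argoproj.io/hook: PreSync
    # A Job's template is immutable once created; Replace re-creates it instead of patching.
    argocd.argoproj.io/sync-options: Replace=true
    argocd.argoproj.io/sync-wave: "-1"
  name: ocis-secret-init
  namespace: ocis
spec:
  template:
    spec:
      containers:
        - command:
            - sh
            - -c
            - |
              set -e
              # openssl is needed for the IDP RSA key and the LDAP certificates below.
              apk add --no-cache openssl >/dev/null 2>&1
              # Scrub key material from /tmp on any exit, including an abort under set -e
              # (the original only cleaned up on the success path).
              trap 'rm -f /tmp/ldap-ca.key /tmp/ldap-ca.crt /tmp/ldap.key /tmp/ldap.crt /tmp/ldap.csr /tmp/ldap-ca.srl /tmp/ldap-ext.cnf' EXIT
              # Print exactly $1 alphanumeric characters drawn from /dev/urandom.
              # Reads until enough characters survive the tr filter: a single 32-byte
              # read (44 base64 chars) is not guaranteed to leave 32 after stripping
              # '+', '/' and '='.
              gen_random() {
                local want="$1"
                local out=""
                while [ "${#out}" -lt "$want" ]; do
                  out="${out}$(head -c 64 /dev/urandom | base64 | tr -dc 'a-zA-Z0-9')"
                done
                printf '%s' "$out" | head -c "$want"
              }
              gen_uuid() {
                cat /proc/sys/kernel/random/uuid
              }
              # create_secret_if_missing NAME [kubectl create secret generic args...]
              # Idempotent: an existing secret is left untouched (no rotation here).
              create_secret_if_missing() {
                local name="$1"
                shift
                if kubectl get secret "$name" -n "${NAMESPACE}" >/dev/null 2>&1; then
                  echo "Secret $name already exists, skipping"
                  return
                fi
                kubectl create secret generic "$name" -n "${NAMESPACE}" "$@"
                echo "Created secret $name"
              }
              # Validate external secrets exist (S3 credentials are provisioned out of band)
              if ! kubectl get secret ocis-s3-credentials -n "${NAMESPACE}" >/dev/null 2>&1; then
                echo "ERROR: External secret ocis-s3-credentials must be created manually"
                exit 1
              fi
              # Admin user
              create_secret_if_missing ocis-admin-user \
                --from-literal=password="$(gen_random 32)" \
                --from-literal=user-id="$(gen_uuid)"
              # JWT secret
              create_secret_if_missing ocis-jwt-secret \
                --from-literal=jwt-secret="$(gen_random 32)"
              # Machine auth API key
              create_secret_if_missing ocis-machine-auth-api-key \
                --from-literal=machine-auth-api-key="$(gen_random 32)"
              # Storage system JWT secret
              create_secret_if_missing ocis-storage-system-jwt-secret \
                --from-literal=storage-system-jwt-secret="$(gen_random 32)"
              # Storage system secret
              create_secret_if_missing ocis-storage-system \
                --from-literal=api-key="$(gen_random 32)" \
                --from-literal=user-id="$(gen_uuid)"
              # Transfer secret
              create_secret_if_missing ocis-transfer-secret \
                --from-literal=transfer-secret="$(gen_random 32)"
              # Thumbnails transfer secret
              create_secret_if_missing ocis-thumbnails-transfer-secret \
                --from-literal=thumbnails-transfer-secret="$(gen_random 32)"
              # Service account secret
              create_secret_if_missing ocis-service-account-secret \
                --from-literal=service-account-secret="$(gen_random 32)"
              # Collaboration WOPI secret
              create_secret_if_missing ocis-collaboration-wopi-secret \
                --from-literal=wopi-secret="$(gen_random 32)"
              # LDAP bind secrets (three passwords for different bind users)
              create_secret_if_missing ocis-ldap-bind-secrets \
                --from-literal=reva-ldap-bind-password="$(gen_random 32)" \
                --from-literal=idp-ldap-bind-password="$(gen_random 32)" \
                --from-literal=graph-ldap-bind-password="$(gen_random 32)"
              # IDP secret (encryption key + RSA private key)
              create_secret_if_missing ocis-idp-secrets \
                --from-literal=encryption.key="$(gen_random 32)" \
                --from-literal=private-key.pem="$(openssl genrsa 4096 2>/dev/null)"
              # LDAP CA cert + server cert (self-signed). Only the CA *certificate* is
              # stored; the CA key is discarded after signing, so the two secrets can
              # only be (re)generated together. A half-created pair (e.g. after a
              # failed earlier run) is reported as an error instead of silently
              # skipped, which would otherwise leave ocis-ldap-cert missing forever.
              have_ca=0
              have_cert=0
              if kubectl get secret ocis-ldap-ca -n "${NAMESPACE}" >/dev/null 2>&1; then have_ca=1; fi
              if kubectl get secret ocis-ldap-cert -n "${NAMESPACE}" >/dev/null 2>&1; then have_cert=1; fi
              if [ "$have_ca" -eq 1 ] && [ "$have_cert" -eq 1 ]; then
                echo "Secrets ocis-ldap-ca and ocis-ldap-cert already exist, skipping LDAP certs"
              elif [ "$have_ca" -eq 1 ] || [ "$have_cert" -eq 1 ]; then
                echo "ERROR: only one of ocis-ldap-ca / ocis-ldap-cert exists; remove it so both can be regenerated together"
                exit 1
              else
                openssl req -x509 -newkey rsa:2048 -keyout /tmp/ldap-ca.key -out /tmp/ldap-ca.crt \
                  -days 3650 -nodes -subj "/CN=ldap-ca" 2>/dev/null
                kubectl create secret generic ocis-ldap-ca -n "${NAMESPACE}" \
                  --from-file=ldap-ca.crt=/tmp/ldap-ca.crt
                echo "Created secret ocis-ldap-ca"
                # LDAP server cert signed by the CA. SAN is DNS:idm — presumably the
                # in-cluster idm service name; confirm it matches what clients dial.
                printf "subjectAltName=DNS:idm" > /tmp/ldap-ext.cnf
                openssl req -newkey rsa:2048 -keyout /tmp/ldap.key -out /tmp/ldap.csr \
                  -nodes -subj "/CN=idm" -addext "subjectAltName=DNS:idm" 2>/dev/null
                openssl x509 -req -in /tmp/ldap.csr -CA /tmp/ldap-ca.crt -CAkey /tmp/ldap-ca.key \
                  -CAcreateserial -out /tmp/ldap.crt -days 3650 \
                  -extfile /tmp/ldap-ext.cnf 2>/dev/null
                kubectl create secret generic ocis-ldap-cert -n "${NAMESPACE}" \
                  --from-file=ldap.crt=/tmp/ldap.crt \
                  --from-file=ldap.key=/tmp/ldap.key
                echo "Created secret ocis-ldap-cert"
                # /tmp key material is removed by the EXIT trap above.
              fi
              echo "All secrets initialized successfully"
          env:
            # Namespace is taken from the Pod itself so the script has no hard-coded target.
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          # NOTE(review): tag-pinned only; an @sha256 digest would make hook runs reproducible.
          image: alpine/k8s:1.32.3
          name: init
      # Retry the Pod on a transient failure; the script is idempotent.
      restartPolicy: OnFailure
      # ServiceAccount that grants the get/create on Secrets used above (defined elsewhere).
      serviceAccountName: ocis-secret-init
  # Keep the finished Pod and its logs briefly for inspection, then garbage-collect.
  ttlSecondsAfterFinished: 300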