kube: standardize top.secretRefs convention
Introduce a convention of declaring a secretRefs:: object below cfg:: that holds all of a service's secretKeyRefs. The goal is to self-document every Secret (and key) that must be created in order to deploy a service. Change-Id: I3a990d54f65a288f5e748262c576d2a120efd815 Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1806 Reviewed-by: q3k <q3k@hackerspace.pl>master
parent
c995c212d2
commit
1439fde1ba
@ -21,7 +21,7 @@ local postgres = import '../../kube/postgres_v.libsonnet';
|
||||||
mediaPath: '/var/www/media',
|
mediaPath: '/var/www/media',
|
||||||
},
|
},
|
||||||
|
|
||||||
secrets:: {
|
secretRefs:: {
|
||||||
postgres: { secretKeyRef: { name: cfg.name, key: 'postgres_password' } },
|
postgres: { secretKeyRef: { name: cfg.name, key: 'postgres_password' } },
|
||||||
oauth: { secretKeyRef: { name: cfg.name, key: 'oauth_secret' } },
|
oauth: { secretKeyRef: { name: cfg.name, key: 'oauth_secret' } },
|
||||||
},
|
},
|
||||||
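Review bot: The renamed `secretRefs::` block still does not say how the `cfg.name` Secret with keys `postgres_password` and `oauth_secret` is created, which is the self-documentation this commit is introducing; the walne file in this same change carries a `// kubectl -n walne create secret generic walne --from-literal=...` comment and this block would benefit from the same. Suggested line above `secretRefs:: {`: `// kubectl -n <cfg.namespace> create secret generic <cfg.name> --from-literal=postgres_password=$(pwgen 32 1) --from-literal=oauth_secret=xxx` (the namespace field is not visible in this hunk, so confirm its name). The enclosing object starts and continues outside the hunk.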
|
@ -45,12 +45,12 @@ local postgres = import '../../kube/postgres_v.libsonnet';
|
||||||
SPEJSTORE_ENV: 'prod',
|
SPEJSTORE_ENV: 'prod',
|
||||||
SPEJSTORE_DB_NAME: cfg.db.name,
|
SPEJSTORE_DB_NAME: cfg.db.name,
|
||||||
SPEJSTORE_DB_USER: cfg.db.username,
|
SPEJSTORE_DB_USER: cfg.db.username,
|
||||||
SPEJSTORE_DB_PASSWORD: top.secrets.postgres,
|
SPEJSTORE_DB_PASSWORD: top.secretRefs.postgres,
|
||||||
SPEJSTORE_DB_HOST: top.psql.svc.host,
|
SPEJSTORE_DB_HOST: top.psql.svc.host,
|
||||||
SPEJSTORE_DB_PORT: top.psql.svc.port,
|
SPEJSTORE_DB_PORT: top.psql.svc.port,
|
||||||
SPEJSTORE_ALLOWED_HOSTS: cfg.domain,
|
SPEJSTORE_ALLOWED_HOSTS: cfg.domain,
|
||||||
SPEJSTORE_CLIENT_ID: cfg.oauthClientId,
|
SPEJSTORE_CLIENT_ID: cfg.oauthClientId,
|
||||||
SPEJSTORE_SECRET: top.secrets.oauth,
|
SPEJSTORE_SECRET: top.secretRefs.oauth,
|
||||||
SPEJSTORE_MEDIA_ROOT: cfg.mediaPath,
|
SPEJSTORE_MEDIA_ROOT: cfg.mediaPath,
|
||||||
SPEJSTORE_REQUIRE_AUTH: 'true',
|
SPEJSTORE_REQUIRE_AUTH: 'true',
|
||||||
SPEJSTORE_LAN_ALLOWED_ADDRESS_SPACE: '185.236.240.5',
|
SPEJSTORE_LAN_ALLOWED_ADDRESS_SPACE: '185.236.240.5',
|
||||||
|
@ -79,7 +79,7 @@ local postgres = import '../../kube/postgres_v.libsonnet';
|
||||||
|
|
||||||
database: cfg.db.name,
|
database: cfg.db.name,
|
||||||
username: cfg.db.username,
|
username: cfg.db.username,
|
||||||
password: top.secrets.postgres,
|
password: top.secretRefs.postgres,
|
||||||
},
|
},
|
||||||
bouncer: {},
|
bouncer: {},
|
||||||
},
|
},
|
||||||
|
|
|
@ -16,6 +16,10 @@ local policies = import "../../kube/policies.libsonnet";
|
||||||
domain: error "cfg.domain must be set",
|
domain: error "cfg.domain must be set",
|
||||||
},
|
},
|
||||||
|
|
||||||
|
secretRefs:: {
|
||||||
|
jwt: { secretKeyRef: { name: "documentserver-jwt", key: "jwt", } },
|
||||||
|
},
|
||||||
|
|
||||||
local ns = kube.Namespace(cfg.namespace),
|
local ns = kube.Namespace(cfg.namespace),
|
||||||
|
|
||||||
pvc: ns.Contain(kube.PersistentVolumeClaim("documentserver")) {
|
pvc: ns.Contain(kube.PersistentVolumeClaim("documentserver")) {
|
||||||
|
@ -36,7 +40,7 @@ local policies = import "../../kube/policies.libsonnet";
|
||||||
},
|
},
|
||||||
env_: {
|
env_: {
|
||||||
JWT_ENABLED: "true",
|
JWT_ENABLED: "true",
|
||||||
JWT_SECRET: { secretKeyRef: { name: "documentserver-jwt", key: "jwt", }},
|
JWT_SECRET: top.secretRefs.jwt,
|
||||||
},
|
},
|
||||||
ports_: {
|
ports_: {
|
||||||
http: { containerPort: 80 },
|
http: { containerPort: 80 },
|
||||||
|
|
|
@ -13,7 +13,7 @@ local kube = import '../../kube/hscloud.libsonnet';
|
||||||
},
|
},
|
||||||
|
|
||||||
// kubectl -n walne create secret generic walne --from-literal=ldap_password=xxx --from-literal=oauth_secret=xxx --from-literal=next_auth_secret=$(pwgen 32 1)
|
// kubectl -n walne create secret generic walne --from-literal=ldap_password=xxx --from-literal=oauth_secret=xxx --from-literal=next_auth_secret=$(pwgen 32 1)
|
||||||
secrets:: {
|
secretRefs:: {
|
||||||
ldap: { secretKeyRef: { name: cfg.name, key: 'ldap_password' },},
|
ldap: { secretKeyRef: { name: cfg.name, key: 'ldap_password' },},
|
||||||
ouath: { secretKeyRef: { name: cfg.name, key: 'oauth_secret' } },
|
ouath: { secretKeyRef: { name: cfg.name, key: 'oauth_secret' } },
|
||||||
nextAuth: { secretKeyRef: { name: cfg.name, key: 'next_auth_secret' } },
|
nextAuth: { secretKeyRef: { name: cfg.name, key: 'next_auth_secret' } },
|
||||||
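Review bot: The key `ouath` is carried over misspelled into the new `secretRefs::` block, so the convention that is meant to self-document secrets now standardises a typo; the spejstore block in this same change uses `oauth` for the identical `oauth_secret` key. Since the commit already touches both the declaration and its consumer, this is the moment to rename it: `oauth: { secretKeyRef: { name: cfg.name, key: 'oauth_secret' } },` here and `HSWAW_AUTH_CLIENT_SECRET: top.secretRefs.oauth,` in the env block in the following hunk. The Kubernetes key `oauth_secret` in the `kubectl create secret` comment above is unaffected.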
|
@ -33,11 +33,11 @@ local kube = import '../../kube/hscloud.libsonnet';
|
||||||
},
|
},
|
||||||
env_: {
|
env_: {
|
||||||
LDAP_USER_DN: 'cn=walone-generator,ou=services,dc=hackerspace,dc=pl',
|
LDAP_USER_DN: 'cn=walone-generator,ou=services,dc=hackerspace,dc=pl',
|
||||||
LDAP_USER_PW: top.secrets.ldap,
|
LDAP_USER_PW: top.secretRefs.ldap,
|
||||||
ALLOWED_LDAP_GROUPS: 'zarzad,rewizja,staff,walne-users',
|
ALLOWED_LDAP_GROUPS: 'zarzad,rewizja,staff,walne-users',
|
||||||
HSWAW_AUTH_CLIENT_ID: cfg.oauthClientId,
|
HSWAW_AUTH_CLIENT_ID: cfg.oauthClientId,
|
||||||
HSWAW_AUTH_CLIENT_SECRET: top.secrets.ouath,
|
HSWAW_AUTH_CLIENT_SECRET: top.secretRefs.ouath,
|
||||||
AUTH_SECRET: top.secrets.nextAuth,
|
AUTH_SECRET: top.secretRefs.nextAuth,
|
||||||
REDIRECT_PROXY_URL: 'https://' + cfg.domain + '/auth',
|
REDIRECT_PROXY_URL: 'https://' + cfg.domain + '/auth',
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|
|
@ -52,6 +52,10 @@ local kube = import "../../../kube/hscloud.libsonnet";
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|
||||||
|
secretRefs:: {
|
||||||
|
FORGEJO_TOKEN: { secretKeyRef: { name: top.keys.metadata.name, key: "FORGEJO_TOKEN" } },
|
||||||
|
},
|
||||||
|
|
||||||
name(suffix):: cfg.prefix + suffix,
|
name(suffix):: cfg.prefix + suffix,
|
||||||
|
|
||||||
metadata(component):: {
|
metadata(component):: {
|
||||||
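Review bot: The new `secretRefs::` entry is keyed `FORGEJO_TOKEN` in SCREAMING_CASE, whereas every other service in this change keys its refs in lower or camel case (`jwt`, `ldap_pw`, `nextAuth`, `secret_key`); for a convention being standardised across the tree it is worth picking one shape now. Suggested: `forgejoToken: { secretKeyRef: { name: top.keys.metadata.name, key: "FORGEJO_TOKEN" } },` with the consumer becoming `FORGEJO_TOKEN: top.secretRefs.forgejoToken,` in the later env hunk. Note that this ref depends on `top.keys` being a Secret defined elsewhere in this file, which is outside the hunk, so a one-line comment naming that object would also help a reader who only sees `secretRefs`.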
|
@ -186,7 +190,7 @@ local kube = import "../../../kube/hscloud.libsonnet";
|
||||||
ssh: { containerPort: 29418 },
|
ssh: { containerPort: 29418 },
|
||||||
},
|
},
|
||||||
env_: {
|
env_: {
|
||||||
FORGEJO_TOKEN: { secretKeyRef: { name: top.keys.metadata.name, key: "FORGEJO_TOKEN" }},
|
FORGEJO_TOKEN: top.secretRefs.FORGEJO_TOKEN,
|
||||||
},
|
},
|
||||||
resources: cfg.resources,
|
resources: cfg.resources,
|
||||||
volumeMounts_: volumeMounts,
|
volumeMounts_: volumeMounts,
|
||||||
|
|
|
@ -11,6 +11,10 @@ local kube = import "../../kube/hscloud.libsonnet";
|
||||||
image: 'registry.k0.hswaw.net/q3k/capacifier@sha256:fd94b29bf711267235c96e5102ac4024e83e5851869a5e8814b83e76490c00af',
|
image: 'registry.k0.hswaw.net/q3k/capacifier@sha256:fd94b29bf711267235c96e5102ac4024e83e5851869a5e8814b83e76490c00af',
|
||||||
},
|
},
|
||||||
|
|
||||||
|
secretRefs:: {
|
||||||
|
ldap_pw: { secretKeyRef: { name: cfg.name, key: 'ldap_pw' } },
|
||||||
|
},
|
||||||
|
|
||||||
local ns = kube.Namespace(cfg.namespace),
|
local ns = kube.Namespace(cfg.namespace),
|
||||||
|
|
||||||
deployment: ns.Contain(kube.Deployment(cfg.name)) {
|
deployment: ns.Contain(kube.Deployment(cfg.name)) {
|
||||||
|
@ -23,7 +27,7 @@ local kube = import "../../kube/hscloud.libsonnet";
|
||||||
image: cfg.image,
|
image: cfg.image,
|
||||||
env_: {
|
env_: {
|
||||||
LDAP_DN: "cn=capacifier,ou=Services,dc=hackerspace,dc=pl",
|
LDAP_DN: "cn=capacifier,ou=Services,dc=hackerspace,dc=pl",
|
||||||
LDAP_PW: { secretKeyRef: { name: cfg.name, key: 'ldap_pw' } },
|
LDAP_PW: top.secretRefs.ldap_pw,
|
||||||
},
|
},
|
||||||
command: [
|
command: [
|
||||||
"/hswaw/capacifier/capacifier",
|
"/hswaw/capacifier/capacifier",
|
||||||
|
|
|
@ -11,7 +11,7 @@ local kube = import "../../kube/hscloud.libsonnet";
|
||||||
image: 'registry.k0.hswaw.net/radex/ldapweb:20231123203042',
|
image: 'registry.k0.hswaw.net/radex/ldapweb:20231123203042',
|
||||||
},
|
},
|
||||||
|
|
||||||
secrets:: {
|
secretRefs:: {
|
||||||
admin_password: { secretKeyRef: { name: cfg.name, key: 'admin_password' } },
|
admin_password: { secretKeyRef: { name: cfg.name, key: 'admin_password' } },
|
||||||
smtp_password: { secretKeyRef: { name: cfg.name, key: 'smtp_password' } },
|
smtp_password: { secretKeyRef: { name: cfg.name, key: 'smtp_password' } },
|
||||||
},
|
},
|
||||||
|
@ -37,10 +37,10 @@ local kube = import "../../kube/hscloud.libsonnet";
|
||||||
LDAPWEB_ADMIN_GROUPS: 'ldap-admin,staff,zarzad',
|
LDAPWEB_ADMIN_GROUPS: 'ldap-admin,staff,zarzad',
|
||||||
LDAPWEB_ACTIVE_GROUPS: 'fatty,starving,potato',
|
LDAPWEB_ACTIVE_GROUPS: 'fatty,starving,potato',
|
||||||
LDAPWEB_ADMIN_DN: 'cn=ldapweb,ou=services,dc=hackerspace,dc=pl',
|
LDAPWEB_ADMIN_DN: 'cn=ldapweb,ou=services,dc=hackerspace,dc=pl',
|
||||||
LDAPWEB_ADMIN_PASSWORD: top.secrets.admin_password,
|
LDAPWEB_ADMIN_PASSWORD: top.secretRefs.admin_password,
|
||||||
LDAPWEB_PROTECTED_GROUPS: 'ldap-admin,staff,zarzad',
|
LDAPWEB_PROTECTED_GROUPS: 'ldap-admin,staff,zarzad',
|
||||||
LDAPWEB_SMTP_USER: 'ldapweb',
|
LDAPWEB_SMTP_USER: 'ldapweb',
|
||||||
LDAPWEB_SMTP_PASSWORD: top.secrets.smtp_password,
|
LDAPWEB_SMTP_PASSWORD: top.secretRefs.smtp_password,
|
||||||
LDAPWEB_PAPERTRAIL_RECIPIENTS: 'zarzad@hackerspace.pl',
|
LDAPWEB_PAPERTRAIL_RECIPIENTS: 'zarzad@hackerspace.pl',
|
||||||
LDAPWEB_AVATAR_CACHE_TIMEOUT: '1800',
|
LDAPWEB_AVATAR_CACHE_TIMEOUT: '1800',
|
||||||
}
|
}
|
||||||
|
|
|
@ -26,6 +26,16 @@ local redis = import "../../kube/redis.libsonnet";
|
||||||
storageClassName: "waw-hdd-redundant-3",
|
storageClassName: "waw-hdd-redundant-3",
|
||||||
},
|
},
|
||||||
|
|
||||||
|
secretRefs:: {
|
||||||
|
redis_password: { secretKeyRef: { name: "paperless", key: "redis_password" } },
|
||||||
|
postgres_password: { secretKeyRef: { name: "paperless", key: "postgres_password" } },
|
||||||
|
secret_key: { secretKeyRef: { name: "paperless", key: "secret_key" } },
|
||||||
|
proxy: {
|
||||||
|
cookie_secret: { secretKeyRef: { name: "paperless-proxy", key: "cookie_secret" } },
|
||||||
|
oidc_secret: { secretKeyRef: { name: "paperless-proxy", key: "oidc_secret" } },
|
||||||
|
},
|
||||||
|
},
|
||||||
|
|
||||||
local ns = kube.Namespace(cfg.namespace),
|
local ns = kube.Namespace(cfg.namespace),
|
||||||
|
|
||||||
redis: redis {
|
redis: redis {
|
||||||
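Review bot: This `secretRefs::` block spans two separate Secret objects (`paperless` and `paperless-proxy`) and is the only one in the change that nests a sub-object (`proxy`), yet nothing records that two Secrets must exist before the deployment starts; a short comment listing both creation commands would make the block actually self-documenting as the commit intends. Suggested comment above `secretRefs:: {`: `// kubectl -n <cfg.namespace> create secret generic paperless --from-literal=redis_password=... --from-literal=postgres_password=... --from-literal=secret_key=...` and a second line for `paperless-proxy` with `cookie_secret` and `oidc_secret`. It is also worth noting in that comment that oauth2-proxy expects its cookie secret to be one of a few fixed lengths (16, 24 or 32 bytes), since a wrongly sized value fails only at pod start rather than at deploy time — confirm against the oauth2-proxy version in use. The enclosing top-level object continues outside the hunk.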
|
@ -34,7 +44,7 @@ local redis = import "../../kube/redis.libsonnet";
|
||||||
storageClassName: cfg.storageClassName,
|
storageClassName: cfg.storageClassName,
|
||||||
appName: "paperless",
|
appName: "paperless",
|
||||||
image: "redis:6.0",
|
image: "redis:6.0",
|
||||||
password: { secretKeyRef: { name: "paperless", key: "redis_password" } },
|
password: top.secretRefs.redis_password,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|
||||||
|
@ -45,7 +55,7 @@ local redis = import "../../kube/redis.libsonnet";
|
||||||
database: "paperless",
|
database: "paperless",
|
||||||
username: "paperless",
|
username: "paperless",
|
||||||
|
|
||||||
password: { secretKeyRef: { name: "paperless", key: "postgres_password" } },
|
password: top.secretRefs.postgres_password,
|
||||||
storageClassName: cfg.storageClassName,
|
storageClassName: cfg.storageClassName,
|
||||||
storageSize: "20Gi",
|
storageSize: "20Gi",
|
||||||
|
|
||||||
|
@ -90,14 +100,14 @@ local redis = import "../../kube/redis.libsonnet";
|
||||||
OAUTH2_PROXY_UPSTREAMS: "http://127.0.0.1:8000",
|
OAUTH2_PROXY_UPSTREAMS: "http://127.0.0.1:8000",
|
||||||
OAUTH2_PROXY_HTTP_ADDRESS: "0.0.0.0:8001",
|
OAUTH2_PROXY_HTTP_ADDRESS: "0.0.0.0:8001",
|
||||||
|
|
||||||
OAUTH2_PROXY_COOKIE_SECRET: { secretKeyRef: { name: "paperless-proxy", key: "cookie_secret" } },
|
OAUTH2_PROXY_COOKIE_SECRET: top.secretRefs.proxy.cookie_secret,
|
||||||
|
|
||||||
OAUTH2_PROXY_PROVIDER: "oidc",
|
OAUTH2_PROXY_PROVIDER: "oidc",
|
||||||
OAUTH2_PROXY_OIDC_ISSUER_URL: "https://sso.hackerspace.pl",
|
OAUTH2_PROXY_OIDC_ISSUER_URL: "https://sso.hackerspace.pl",
|
||||||
OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: "true",
|
OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: "true",
|
||||||
|
|
||||||
OAUTH2_PROXY_CLIENT_ID: "b4859334-140b-432a-81f6-8f3e135e021a",
|
OAUTH2_PROXY_CLIENT_ID: "b4859334-140b-432a-81f6-8f3e135e021a",
|
||||||
OAUTH2_PROXY_CLIENT_SECRET: { secretKeyRef: { name: "paperless-proxy", key: "oidc_secret" } },
|
OAUTH2_PROXY_CLIENT_SECRET: top.secretRefs.proxy.oidc_secret,
|
||||||
|
|
||||||
OAUTH2_PROXY_EMAIL_DOMAINS: "*",
|
OAUTH2_PROXY_EMAIL_DOMAINS: "*",
|
||||||
OAUTH2_PROXY_ALLOWED_GROUPS: "zarzad,paperless-admin",
|
OAUTH2_PROXY_ALLOWED_GROUPS: "zarzad,paperless-admin",
|
||||||
|
@ -129,7 +139,7 @@ local redis = import "../../kube/redis.libsonnet";
|
||||||
PAPERLESS_PORT: "8000",
|
PAPERLESS_PORT: "8000",
|
||||||
PAPERLESS_URL: "https://%s" % [cfg.domain],
|
PAPERLESS_URL: "https://%s" % [cfg.domain],
|
||||||
|
|
||||||
PAPERLESS_SECRET_KEY: { secretKeyRef: { name: "paperless", key: "secret_key" } },
|
PAPERLESS_SECRET_KEY: top.secretRefs.secret_key,
|
||||||
|
|
||||||
A_REDIS_PASSWORD: top.redis.cfg.password,
|
A_REDIS_PASSWORD: top.redis.cfg.password,
|
||||||
PAPERLESS_REDIS: "redis://:$(A_REDIS_PASSWORD)@redis:6379",
|
PAPERLESS_REDIS: "redis://:$(A_REDIS_PASSWORD)@redis:6379",
|
||||||
|
|
|
@ -19,6 +19,11 @@ local kube = import "../../../kube/hscloud.libsonnet";
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|
||||||
|
secretRefs:: {
|
||||||
|
ldap_bind_password: { secretKeyRef: { name: "sso", key: "ldap_bind_password" } },
|
||||||
|
secret_key: { secretKeyRef: { name: "sso", key: "secret_key" } },
|
||||||
|
},
|
||||||
|
|
||||||
local ns = kube.Namespace(top.cfg.namespace),
|
local ns = kube.Namespace(top.cfg.namespace),
|
||||||
|
|
||||||
deployment: ns.Contain(kube.Deployment("sso")) {
|
deployment: ns.Contain(kube.Deployment("sso")) {
|
||||||
|
@ -73,8 +78,8 @@ local kube = import "../../../kube/hscloud.libsonnet";
|
||||||
"/tls/tls.key",
|
"/tls/tls.key",
|
||||||
],
|
],
|
||||||
|
|
||||||
LDAP_BIND_PASSWORD: { secretKeyRef: { name: "sso", key: "ldap_bind_password" } },
|
LDAP_BIND_PASSWORD: top.secretRefs.ldap_bind_password,
|
||||||
SECRET_KEY: { secretKeyRef: { name: "sso", key: "secret_key" } },
|
SECRET_KEY: top.secretRefs.secret_key,
|
||||||
LOGGING_LEVEL: "INFO",
|
LOGGING_LEVEL: "INFO",
|
||||||
|
|
||||||
JWT_ALG: "RS256",
|
JWT_ALG: "RS256",
|
||||||
|
|
|
@ -13,7 +13,7 @@ local kube = import "../../../kube/hscloud.libsonnet";
|
||||||
storageSize: "5Gi",
|
storageSize: "5Gi",
|
||||||
},
|
},
|
||||||
|
|
||||||
secrets:: {
|
secretRefs:: {
|
||||||
mysql: { secretKeyRef: { name: cfg.name, key: 'mysql_password' } },
|
mysql: { secretKeyRef: { name: cfg.name, key: 'mysql_password' } },
|
||||||
wordpress: { secretKeyRef: { name: cfg.name, key: 'wordpress_password' } },
|
wordpress: { secretKeyRef: { name: cfg.name, key: 'wordpress_password' } },
|
||||||
},
|
},
|
||||||
|
@ -39,9 +39,9 @@ local kube = import "../../../kube/hscloud.libsonnet";
|
||||||
WORDPRESS_DATABASE_HOST: 'wordpress-mysql',
|
WORDPRESS_DATABASE_HOST: 'wordpress-mysql',
|
||||||
WORDPRESS_DATABASE_NAME: 'wordpress',
|
WORDPRESS_DATABASE_NAME: 'wordpress',
|
||||||
WORDPRESS_DATABASE_USER: 'wordpress',
|
WORDPRESS_DATABASE_USER: 'wordpress',
|
||||||
WORDPRESS_DATABASE_PASSWORD: top.secrets.mysql,
|
WORDPRESS_DATABASE_PASSWORD: top.secretRefs.mysql,
|
||||||
WORDPRESS_USERNAME: 'admin',
|
WORDPRESS_USERNAME: 'admin',
|
||||||
WORDPRESS_PASSWORD: top.secrets.wordpress,
|
WORDPRESS_PASSWORD: top.secretRefs.wordpress,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -85,7 +85,7 @@ local kube = import "../../../kube/hscloud.libsonnet";
|
||||||
MYSQL_RANDOM_ROOT_PASSWORD: "yes",
|
MYSQL_RANDOM_ROOT_PASSWORD: "yes",
|
||||||
MYSQL_DATABASE: "wordpress",
|
MYSQL_DATABASE: "wordpress",
|
||||||
MYSQL_USER: "wordpress",
|
MYSQL_USER: "wordpress",
|
||||||
MYSQL_PASSWORD: top.secrets.mysql,
|
MYSQL_PASSWORD: top.secretRefs.mysql,
|
||||||
},
|
},
|
||||||
volumeMounts_: {
|
volumeMounts_: {
|
||||||
data: { mountPath: '/var/lib/mysql' },
|
data: { mountPath: '/var/lib/mysql' },
|
||||||
|
|