diff --git a/Chart.yaml b/Chart.yaml
index 3753f64..3fe89af 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: solidtime
 description: A Helm chart for Solidtime Time Tracker
 type: application
-version: 0.1.1
+version: 0.1.2
 appVersion: "1.0.0"
 dependencies:
 - name: postgresql
diff --git a/templates/deployment-app.yaml b/templates/deployment-app.yaml
index 3eeb191..c1ed5e2 100644
--- a/templates/deployment-app.yaml
+++ b/templates/deployment-app.yaml
@@ -44,13 +44,25 @@ spec:
 - name: {{ $key }}
 value: {{ $value | quote }}
 {{- end }}
+ - name: APP_KEY
+ valueFrom:
+ secretKeyRef:
+ name: solidtime-app-secrets
+ key: APP_KEY
+ - name: PASSPORT_PRIVATE_KEY
+ valueFrom:
+ secretKeyRef:
+ name: solidtime-app-secrets
+ key: PASSPORT_PRIVATE_KEY
+ - name: PASSPORT_PUBLIC_KEY
+ valueFrom:
+ secretKeyRef:
+ name: solidtime-app-secrets
+ key: PASSPORT_PUBLIC_KEY
 - name: DB_PASSWORD
 valueFrom:
 secretKeyRef:
 name: {{ .Values.secret.existingSecret | default (printf "%s-secret" (include "solidtime.fullname" .)) }}
 key: DB_PASSWORD
- - name: APP_KEY
- valueFrom:
- secretKeyRef:
- name: {{ .Values.secret.existingSecret | default (printf "%s-secret" (include "solidtime.fullname" .)) }}
- key: APP_KEY
\ No newline at end of file
+ - name: LOG_LEVEL
+ value: {{ .Values.config.logLevel | default "error" | quote }}
\ No newline at end of file
diff --git a/templates/job-generate-keys.yaml b/templates/job-generate-keys.yaml
new file mode 100644
index 0000000..2a8ef77
--- /dev/null
+++ b/templates/job-generate-keys.yaml
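Review bot: The three new `secretKeyRef` entries hard-code `name: solidtime-app-secrets`, while the `DB_PASSWORD` entry a few lines below derives its secret name from `.Values.secret.existingSecret` and the release fullname. A fixed name collides when two releases of this chart are installed in one namespace: the keygen job of the second release finds the first release's secret and skips generation, so both deployments end up sharing one APP_KEY and one Passport signing key pair without anything flagging it. The removed lines also used to honour an operator-supplied APP_KEY from `secret.existingSecret`; after this change an upgrade switches the app to a freshly generated key, which presumably invalidates whatever was encrypted or signed with the old one, so that migration deserves a note in the chart docs. Suggest `name: {{ include "solidtime.fullname" . }}-app-secrets` for all three entries, with the same expression used for `SECRET_NAME` in templates/job-generate-keys.yaml. The container spec these entries belong to starts outside the hunk.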
@@ -0,0 +1,42 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ include "solidtime.fullname" . }}-keygen
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+ template:
+ spec:
+ serviceAccountName: {{ include "solidtime.fullname" . }}-keygen
+ restartPolicy: OnFailure
+ containers:
+ - name: keygen
+ image: bitnami/kubectl:latest
+ command:
+ - /bin/sh
+ - -c
+ - |
+ SECRET_NAME="solidtime-app-secrets"
+
+ # 1. Check if secret exists
+ if kubectl get secret $SECRET_NAME; then
+ echo "Keys already exist. Skipping generation."
+ exit 0
+ fi
+
+ echo "Generating keys..."
+
+ # Generate Passport Keys
+ openssl genrsa -out private.key 4096
+ openssl rsa -in private.key -pubout -out public.key
+
+ # Generate App Key (base64 encoded random 32 chars)
+ APP_KEY="base64:$(openssl rand -base64 32)"
+
+ # 2. Create Secret with ALL keys
+ # We use --from-file for RSA keys to preserve newlines correctly
+ kubectl create secret generic $SECRET_NAME \
+ --from-literal=APP_KEY="$APP_KEY" \
+ --from-file=PASSPORT_PRIVATE_KEY=private.key \
+ --from-file=PASSPORT_PUBLIC_KEY=public.key
\ No newline at end of file
diff --git a/templates/job-rbac.yaml b/templates/job-rbac.yaml
new file mode 100644
index 0000000..cc1ae8d
--- /dev/null
+++ b/templates/job-rbac.yaml
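Review bot: `image: bitnami/kubectl:latest` runs this pre-install/pre-upgrade hook, whose ServiceAccount is allowed to create secrets, from an unpinned mutable tag, so the code that executes in the cluster can change between two installs of the same chart version; pin it to a version and digest, e.g. `image: bitnami/kubectl:<version>@sha256:<digest>` (placeholders), and when doing so confirm the pinned image still ships the `openssl` the script depends on. The script runs without `set -eu`, so if `openssl genrsa` or `openssl rsa` fails it keeps going and only fails later inside `kubectl create secret` on a missing file, far from the real cause; add `set -eu` as the first line after `- |` (the `if kubectl get secret …` test is not affected by `-e`). The comment `# Generate App Key (base64 encoded random 32 chars)` is inaccurate: `openssl rand -base64 32` emits 32 random bytes, not 32 characters, which as far as I know is what the `base64:` key format expects, so `# Generate App Key (base64 of 32 random bytes)` is closer. The secret is created with plain `kubectl` and carries no release labels, so Helm does not track it and `helm uninstall` leaves it in place; if that persistence is intended, say so in a comment next to `SECRET_NAME`.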
@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "solidtime.fullname" . }}-keygen
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "solidtime.fullname" . }}-keygen
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["create", "get", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "solidtime.fullname" . }}-keygen
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "solidtime.fullname" . }}-keygen
+roleRef:
+ kind: Role
+ name: {{ include "solidtime.fullname" . }}-keygen
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/values.yaml b/values.yaml
index acbdc0f..be738de 100644
--- a/values.yaml
+++ b/values.yaml
@@ -23,6 +23,10 @@ env:
 DB_USERNAME: "solidtime"
 # DB_PASSWORD is provided via the Secret
 
+config:
+ # Valid Laravel log levels: debug, info, notice, warning, error, critical, alert, emergency
+ logLevel: "error"
+
 # Secret Management
 secret:
 # If defined, the chart will NOT create a secret but use this one instead.
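Review bot: The Role grants `patch` on secrets, which the keygen script in templates/job-generate-keys.yaml never uses, and `get` on every secret in the namespace although the script only ever reads the one named in `SECRET_NAME`; a hook ServiceAccount that exists only for the duration of the install should be cut to exactly what the script does. `create` cannot be narrowed with `resourceNames`, but `get` can, so split the single rule into the two below. The narrowed name has to match the `SECRET_NAME` literal in the job; if that name is later derived from the release name, keep the two in step.
```yaml
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["solidtime-app-secrets"]
    verbs: ["get"]
# … unchanged: ServiceAccount and RoleBinding documents …
```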