Add oauth key secret
@ -2,7 +2,7 @@ apiVersion: v2
|
|||||||
name: solidtime
|
name: solidtime
|
||||||
description: A Helm chart for Solidtime Time Tracker
|
description: A Helm chart for Solidtime Time Tracker
|
||||||
type: application
|
type: application
|
||||||
version: 0.1.1
|
version: 0.1.2
|
||||||
appVersion: "1.0.0"
|
appVersion: "1.0.0"
|
||||||
dependencies:
|
dependencies:
|
||||||
- name: postgresql
|
- name: postgresql
|
||||||
|
|||||||
@ -44,13 +44,25 @@ spec:
|
|||||||
- name: {{ $key }}
|
- name: {{ $key }}
|
||||||
value: {{ $value | quote }}
|
value: {{ $value | quote }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
- name: APP_KEY
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: solidtime-app-secrets
|
||||||
|
key: APP_KEY
|
||||||
|
- name: PASSPORT_PRIVATE_KEY
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: solidtime-app-secrets
|
||||||
|
key: PASSPORT_PRIVATE_KEY
|
||||||
|
- name: PASSPORT_PUBLIC_KEY
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: solidtime-app-secrets
|
||||||
|
key: PASSPORT_PUBLIC_KEY
|
||||||
- name: DB_PASSWORD
|
- name: DB_PASSWORD
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
name: {{ .Values.secret.existingSecret | default (printf "%s-secret" (include "solidtime.fullname" .)) }}
|
name: {{ .Values.secret.existingSecret | default (printf "%s-secret" (include "solidtime.fullname" .)) }}
|
||||||
key: DB_PASSWORD
|
key: DB_PASSWORD
|
||||||
- name: APP_KEY
|
- name: LOG_LEVEL
|
||||||
valueFrom:
|
value: {{ .Values.config.logLevel | default "error" | quote }}
|
||||||
secretKeyRef:
|
|
||||||
name: {{ .Values.secret.existingSecret | default (printf "%s-secret" (include "solidtime.fullname" .)) }}
|
|
||||||
key: APP_KEY
|
|
||||||
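Review bot: The three new `secretKeyRef` entries hard-code `name: solidtime-app-secrets`, while `DB_PASSWORD` just below still resolves its Secret through `.Values.secret.existingSecret` and the `solidtime.fullname` helper. Two releases in one namespace would therefore share one APP_KEY and Passport key pair, and an install that supplied `APP_KEY` through `existingSecret` silently stops using it. On upgrade the keygen hook would then mint a fresh key, which presumably invalidates whatever the application encrypted or signed under the old one. Deriving the name from the release, e.g. `name: {{ printf "%s-app-secrets" (include "solidtime.fullname" .) }}`, and passing the same value to the Job keeps the two in sync, and the upgrade path for an existing `APP_KEY` should be documented. The container spec starts and ends outside this hunk.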
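--- /dev/null
+++ b/templates/job-generate-keys.yaml
@@ -0,0 +1,42 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+name: {{ include "solidtime.fullname" . }}-keygen
+annotations:
+"helm.sh/hook": pre-install,pre-upgrade
+"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+template:
+spec:
+serviceAccountName: {{ include "solidtime.fullname" . }}-keygen
+restartPolicy: OnFailure
+containers:
+- name: keygen
+image: bitnami/kubectl:latest
+command:
+- /bin/sh
+- -c
+- |
+SECRET_NAME="solidtime-app-secrets"
+
+# 1. Check if secret exists
+if kubectl get secret $SECRET_NAME; then
+echo "Keys already exist. Skipping generation."
+exit 0
+fi
+
+echo "Generating keys..."
+
+# Generate Passport Keys
+openssl genrsa -out private.key 4096
+openssl rsa -in private.key -pubout -out public.key
+
+# Generate App Key (base64 encoded random 32 chars)
+APP_KEY="base64:$(openssl rand -base64 32)"
+
+# 2. Create Secret with ALL keys
+# We use --from-file for RSA keys to preserve newlines correctly
+kubectl create secret generic $SECRET_NAME \
+--from-literal=APP_KEY="$APP_KEY" \
+--from-file=PASSPORT_PRIVATE_KEY=private.key \
+--from-file=PASSPORT_PUBLIC_KEY=public.key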
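Review bot: `image: bitnami/kubectl:latest` is a mutable tag running under a service account that can create and read Secrets, so whatever the tag resolves to at install time generates and handles the Passport private key. Pin it, e.g. `image: bitnami/kubectl:<version>@sha256:<digest>` (placeholder values), ideally configurable through values. The script also has no `set -eu` as its first line: if `openssl rand` fails, `APP_KEY` becomes the bare string `base64:` and is still written to the Secret. Nothing on the page shows that this image ships `openssl`, so that should be confirmed before relying on the hook.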
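--- /dev/null
+++ b/templates/job-rbac.yaml
@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: {{ include "solidtime.fullname" . }}-keygen
+annotations:
+"helm.sh/hook": pre-install,pre-upgrade
+"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+name: {{ include "solidtime.fullname" . }}-keygen
+annotations:
+"helm.sh/hook": pre-install,pre-upgrade
+"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+rules:
+- apiGroups: [""]
+resources: ["secrets"]
+verbs: ["create", "get", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: {{ include "solidtime.fullname" . }}-keygen
+annotations:
+"helm.sh/hook": pre-install,pre-upgrade
+"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+subjects:
+- kind: ServiceAccount
+name: {{ include "solidtime.fullname" . }}-keygen
+roleRef:
+kind: Role
+name: {{ include "solidtime.fullname" . }}-keygen
+apiGroup: rbac.authorization.k8s.io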
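Review bot: The Role's single rule grants `create`, `get` and `patch` on every Secret in the namespace, although the keygen script on this page only calls `kubectl get secret` and `kubectl create secret` for `solidtime-app-secrets`; a substituted or compromised keygen image could therefore read the database password and any other Secret there. The rule should lose `patch` and be split so that `get` is limited by `resourceNames`, while `create` stays in its own rule because RBAC cannot restrict it by name. Separately, the RoleBinding's ServiceAccount subject has no `namespace` field, which the API server normally rejects as a missing required value; setting it from the release namespace fixes that. The sketch below shows both changes with conventional indentation, since the page has lost the original's.

```yaml
# … unchanged: ServiceAccount and Role metadata …
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["solidtime-app-secrets"]
    verbs: ["get"]
# … unchanged: RoleBinding metadata …
subjects:
  - kind: ServiceAccount
    name: {{ include "solidtime.fullname" . }}-keygen
    namespace: {{ .Release.Namespace }}
```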
@ -23,6 +23,10 @@ env:
|
|||||||
DB_USERNAME: "solidtime"
|
DB_USERNAME: "solidtime"
|
||||||
# DB_PASSWORD is provided via the Secret
|
# DB_PASSWORD is provided via the Secret
|
||||||
|
|
||||||
|
config:
|
||||||
|
# Valid Laravel log levels: debug, info, notice, warning, error, critical, alert, emergency
|
||||||
|
logLevel: "error"
|
||||||
|
|
||||||
# Secret Management
|
# Secret Management
|
||||||
secret:
|
secret:
|
||||||
# If defined, the chart will NOT create a secret but use this one instead.
|
# If defined, the chart will NOT create a secret but use this one instead.
|
||||||
|
|||||||