northern-lighthouse/solidtime-chart
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add oauth key secret
All checks were successful
Publish Helm Chart / publish (push) Successful in 29s
Details

Browse Source
This commit is contained in:
olof.pettersson
2025-12-12 11:08:55 +01:00
parent 6c2a70e1af
commit 4052d71c56
5 changed files with 98 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
Chart.yaml
View File

@ -2,7 +2,7 @@ apiVersion: v2
name: solidtime
description: A Helm chart for Solidtime Time Tracker
type: application
version: 0.1.1
version: 0.1.2
appVersion: "1.0.0"
dependencies:
- name: postgresql

22
templates/deployment-app.yaml
View File

@ -44,13 +44,25 @@ spec:
- name: {{ $key }}
value: {{ $value | quote }}
{{- end }}
- name: APP_KEY
valueFrom:
secretKeyRef:
name: solidtime-app-secrets
key: APP_KEY
- name: PASSPORT_PRIVATE_KEY
valueFrom:
secretKeyRef:
name: solidtime-app-secrets
key: PASSPORT_PRIVATE_KEY
- name: PASSPORT_PUBLIC_KEY
valueFrom:
secretKeyRef:
name: solidtime-app-secrets
key: PASSPORT_PUBLIC_KEY
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.secret.existingSecret | default (printf "%s-secret" (include "solidtime.fullname" .)) }}
key: DB_PASSWORD
- name: APP_KEY
valueFrom:
secretKeyRef:
name: {{ .Values.secret.existingSecret | default (printf "%s-secret" (include "solidtime.fullname" .)) }}
key: APP_KEY
- name: LOG_LEVEL
value: {{ .Values.config.logLevel | default "error" | quote }}

42
templates/job-generate-keys.yaml Normal file
View File

@ -0,0 +1,42 @@
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "solidtime.fullname" . }}-keygen
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
template:
spec:
serviceAccountName: {{ include "solidtime.fullname" . }}-keygen
restartPolicy: OnFailure
containers:
- name: keygen
image: bitnami/kubectl:latest
command:
- /bin/sh
- -c
- |
SECRET_NAME="solidtime-app-secrets"
# 1. Check if secret exists
if kubectl get secret $SECRET_NAME; then
echo "Keys already exist. Skipping generation."
exit 0
fi
echo "Generating keys..."
# Generate Passport Keys
openssl genrsa -out private.key 4096
openssl rsa -in private.key -pubout -out public.key
# Generate App Key (base64 encoded random 32 chars)
APP_KEY="base64:$(openssl rand -base64 32)"
# 2. Create Secret with ALL keys
# We use --from-file for RSA keys to preserve newlines correctly
kubectl create secret generic $SECRET_NAME \
--from-literal=APP_KEY="$APP_KEY" \
--from-file=PASSPORT_PRIVATE_KEY=private.key \
--from-file=PASSPORT_PUBLIC_KEY=public.key

34
templates/job-rbac.yaml Normal file
View File

@ -0,0 +1,34 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "solidtime.fullname" . }}-keygen
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "solidtime.fullname" . }}-keygen
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create", "get", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "solidtime.fullname" . }}-keygen
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
subjects:
- kind: ServiceAccount
name: {{ include "solidtime.fullname" . }}-keygen
roleRef:
kind: Role
name: {{ include "solidtime.fullname" . }}-keygen
apiGroup: rbac.authorization.k8s.io

4
values.yaml
View File

@ -23,6 +23,10 @@ env:
DB_USERNAME: "solidtime"
# DB_PASSWORD is provided via the Secret
config:
# Valid Laravel log levels: debug, info, notice, warning, error, critical, alert, emergency
logLevel: "error"
# Secret Management
secret:
# If defined, the chart will NOT create a secret but use this one instead.