diff --git a/charts/ocis/ci/values_greater_equal_1.25.0.yaml b/charts/ocis/ci/values_greater_equal_1.25.0.yaml index c24ce181c..48431f375 100644 --- a/charts/ocis/ci/values_greater_equal_1.25.0.yaml +++ b/charts/ocis/ci/values_greater_equal_1.25.0.yaml @@ -1,5 +1,4 @@ --- - ingress: enabled: true ingressClassName: some-ingress @@ -137,3 +136,6 @@ services: finalizers: [] selectorLabels: selector1: foobar + +secretRefs: + notificationsSmtpSecretRef: "smtp-secret" diff --git a/charts/ocis/ci/values_pre_1.25.0.yaml b/charts/ocis/ci/values_pre_1.25.0.yaml index 6c080188b..35a293a27 100644 --- a/charts/ocis/ci/values_pre_1.25.0.yaml +++ b/charts/ocis/ci/values_pre_1.25.0.yaml @@ -1,5 +1,4 @@ --- - ingress: enabled: true ingressClassName: some-ingress @@ -133,3 +132,6 @@ services: finalizers: [] selectorLabels: selector1: foobar + +secretRefs: + notificationsSmtpSecretRef: "smtp-secret" diff --git a/charts/ocis/docs/values-desc-table.adoc b/charts/ocis/docs/values-desc-table.adoc index fa2dddbcb..8ccf9c344 100644 --- a/charts/ocis/docs/values-desc-table.adoc +++ b/charts/ocis/docs/values-desc-table.adoc 
@@ -46,26 +46,26 @@ a| [subs=-attributes] a| [subs=-attributes] +string+ a| [subs=-attributes] -`"graph"` +`""` | Reference to an existing graph config. | configRefs.storageusersConfigRef a| [subs=-attributes] +string+ a| [subs=-attributes] -`"storage-users"` +`""` | Reference to an existing storage-users config. | configRefs.webThemeAssetsConfigRef a| [subs=-attributes] +string+ a| [subs=-attributes] `""` -| Optional reference to an existing web theme assets config. Will be mounted to /var/lib/ocis/web/assets/themes/owncloud/assets for Web. Hint: if you set this, you'll no longer be able to change the instance logo via the Web UI. +| Optional reference to an existing web theme assets config. Will be mounted to /var/lib/ocis/web/assets/themes/owncloud/assets for Web. Does not get autogenerated. Hint: if you set this, you'll no longer be able to change the instance logo via the Web UI. | configRefs.webThemeConfigRef a| [subs=-attributes] +string+ a| [subs=-attributes] `""` -| Optional reference to an existing web theme config. Will be mounted to /var/lib/ocis/web/assets/themes/owncloud for Web. Hint: if you set this, you'll no longer be able to change the instance logo via the Web UI. +| Optional reference to an existing web theme config. Will be mounted to /var/lib/ocis/web/assets/themes/owncloud for Web. Does not get autogenerated. Hint: if you set this, you'll no longer be able to change the instance logo via the Web UI. | debug.profiling a| [subs=-attributes] +bool+ 
@@ -874,91 +874,91 @@ a| [subs=-attributes] a| [subs=-attributes] +string+ a| [subs=-attributes] -`"admin-user"` +`""` | Reference to an existing admin user secret (see xref:{secrets}[Secrets]). Not used if `features.externalUserManagement.enabled` equals `true`. | secretRefs.gdprExportClientSecretRef a| [subs=-attributes] +string+ a| [subs=-attributes] -`"gdpr-export-client-secret"` +`""` | Reference to an existing keycloak client secret, used for the GDPR export. Only used if features.externalUserManagement.gdprExport.enabled equals true. | secretRefs.idpSecretRef a| [subs=-attributes] +string+ a| [subs=-attributes] -`"idp-secrets"` +`""` | Reference to an existing IDP secret (see xref:{secrets}[Secrets]). Not used if `features.externalUserManagement.enabled` equals `true`. | secretRefs.jwtSecretRef a| [subs=-attributes] +string+ a| [subs=-attributes] -`"jwt-secret"` +`""` | Reference to an existing JWT secret (see xref:{secrets}[Secrets]). | secretRefs.ldapCaRef a| [subs=-attributes] +string+ a| [subs=-attributes] -`"ldap-ca"` +`""` | Reference to an existing LDAP certificate authority secret (see xref:{secrets}[Secrets]) | secretRefs.ldapCertRef a| [subs=-attributes] +string+ a| [subs=-attributes] -`"ldap-cert"` +`""` | Reference to an existing LDAP cert secret (see xref:{secrets}[Secrets]). Not used if `features.externalUserManagement.enabled` equals `true`. | secretRefs.ldapSecretRef a| [subs=-attributes] +string+ a| [subs=-attributes] -`"ldap-bind-secrets"` +`""` | Reference to an existing LDAP bind secret (see xref:{secrets}[Secrets]). 
| secretRefs.machineAuthApiKeySecretRef a| [subs=-attributes] +string+ a| [subs=-attributes] -`"machine-auth-api-key"` +`""` | Reference to an existing machine auth api key secret (see xref:{secrets}[Secrets]) | secretRefs.messagingSystemCaRef a| [subs=-attributes] +string+ a| [subs=-attributes] -`"messaging-system-ca"` +`""` | Reference to an existing messaging system certificate authority secret (see xref:{secrets}[Secrets]) | secretRefs.notificationsSmtpSecretRef a| [subs=-attributes] +string+ a| [subs=-attributes] -`"notifications-smtp-secret"` +`""` | Reference to an existing SMTP email server settings secret (see xref:{secrets}[Secrets]). Not used if `features.emailNotifications.enabled` equals `false`. | secretRefs.s3CredentialsSecretRef a| [subs=-attributes] +string+ a| [subs=-attributes] -`"s3-credentials-secret"` -| Reference to an existing s3 secret (see xref:{secrets}[Secrets]) +`""` +| Reference to an existing s3 secret (see xref:{secrets}[Secrets]) If not filled in, will attempt to use values in `.storageusers.storageBackend.s3.driverConfig.s3ng` instead. | secretRefs.storagesystemJwtSecretRef a| [subs=-attributes] +string+ a| [subs=-attributes] -`"storage-system-jwt-secret"` +`""` | Reference to an existing storage-system JWT secret (see xref:{secrets}[Secrets]) | secretRefs.storagesystemSecretRef a| [subs=-attributes] +string+ a| [subs=-attributes] -`"storage-system"` +`""` | Reference to an existing storage-system secret (see xref:{secrets}[Secrets]) | secretRefs.thumbnailsSecretRef a| [subs=-attributes] +string+ a| [subs=-attributes] -`"thumbnails-transfer-secret"` +`""` | Reference to an existing thumbnails transfer secret (see xref:{secrets}[Secrets]) | secretRefs.transferSecretSecretRef a| [subs=-attributes] +string+ a| [subs=-attributes] -`"transfer-secret"` +`""` | Reference to an existing transfer secret (see xref:{secrets}[Secrets]) | securityContext.fsGroup a| [subs=-attributes] 
diff --git a/charts/ocis/docs/values.adoc.yaml b/charts/ocis/docs/values.adoc.yaml index b5c9f2c26..1fef5169d 100644 --- a/charts/ocis/docs/values.adoc.yaml +++ b/charts/ocis/docs/values.adoc.yaml 
@@ -463,55 +463,67 @@ ingress: # References to ConfigMaps. # The ConfigMaps need to be manually created. +# Leave these empty to have them autogenerated by the Helm chart. +# Note that ConfigMaps generated by the helm chart will be removed once the helm chart is uninstalled. +# Furthermore, if you already had ConfigMaps at the default locations, they will be NOT be overwritten, +# but the helm chart will claim ownership of them. If this is a problem, fill in the configRefs below +# with the names of your existing secrets. # See https://doc.owncloud.com/ocis/next/deployment/container/orchestration/orchestration.html#customize-the-generic-setup[doc.owncloud.com] for how to generate them. configRefs: # -- Reference to an existing storage-users config. - storageusersConfigRef: "storage-users" + storageusersConfigRef: "" # -- Reference to an existing graph config. - graphConfigRef: "graph" + graphConfigRef: "" # -- Optional reference to an existing web theme config. # Will be mounted to /var/lib/ocis/web/assets/themes/owncloud for Web. + # Does not get autogenerated. # Hint: if you set this, you'll no longer be able to change the instance logo via the Web UI. webThemeConfigRef: "" # -- Optional reference to an existing web theme assets config. # Will be mounted to /var/lib/ocis/web/assets/themes/owncloud/assets for Web. + # Does not get autogenerated. # Hint: if you set this, you'll no longer be able to change the instance logo via the Web UI. webThemeAssetsConfigRef: "" # References to secrets. -# The secrets need to be manually created. -# See https://doc.owncloud.com/ocis/next/deployment/container/orchestration/orchestration.html#customize-the-generic-setup[doc.owncloud.com] for how to generate them. +# Leave these empty to have them autogenerated by the Helm chart. +# Note that secrets generated by the helm chart will be removed once the helm chart is uninstalled. 
+# Furthermore, if you already had secrets at the default locations, they will be NOT be overwritten, +# but the helm chart will claim ownership of them. If this is a problem, fill in the secretRefs below +# with the names of your existing secrets. +# TODO: Update https://doc.owncloud.com/ocis/next/deployment/container/orchestration/orchestration.html#customize-the-generic-setup[doc.owncloud.com] for how to generate them. secretRefs: # -- Reference to an existing admin user secret (see xref:{secrets}[Secrets]). Not used if `features.externalUserManagement.enabled` equals `true`. - adminUserSecretRef: "admin-user" + adminUserSecretRef: "" # -- Reference to an existing IDP secret (see xref:{secrets}[Secrets]). Not used if `features.externalUserManagement.enabled` equals `true`. - idpSecretRef: "idp-secrets" + idpSecretRef: "" # -- Reference to an existing JWT secret (see xref:{secrets}[Secrets]). - jwtSecretRef: "jwt-secret" + jwtSecretRef: "" # -- Reference to an existing keycloak client secret, used for the GDPR export. Only used if features.externalUserManagement.gdprExport.enabled equals true. - gdprExportClientSecretRef: "gdpr-export-client-secret" + gdprExportClientSecretRef: "" # -- Reference to an existing LDAP certificate authority secret (see xref:{secrets}[Secrets]) - ldapCaRef: "ldap-ca" + ldapCaRef: "" # -- Reference to an existing LDAP cert secret (see xref:{secrets}[Secrets]). Not used if `features.externalUserManagement.enabled` equals `true`. - ldapCertRef: "ldap-cert" + ldapCertRef: "" # -- Reference to an existing LDAP bind secret (see xref:{secrets}[Secrets]). 
- ldapSecretRef: "ldap-bind-secrets" + ldapSecretRef: "" # -- Reference to an existing machine auth api key secret (see xref:{secrets}[Secrets]) - machineAuthApiKeySecretRef: "machine-auth-api-key" + machineAuthApiKeySecretRef: "" # -- Reference to an existing messaging system certificate authority secret (see xref:{secrets}[Secrets]) - messagingSystemCaRef: "messaging-system-ca" + messagingSystemCaRef: "" # -- Reference to an existing SMTP email server settings secret (see xref:{secrets}[Secrets]). Not used if `features.emailNotifications.enabled` equals `false`. - notificationsSmtpSecretRef: "notifications-smtp-secret" + notificationsSmtpSecretRef: "" # -- Reference to an existing storage-system JWT secret (see xref:{secrets}[Secrets]) - storagesystemJwtSecretRef: "storage-system-jwt-secret" + storagesystemJwtSecretRef: "" # -- Reference to an existing storage-system secret (see xref:{secrets}[Secrets]) - storagesystemSecretRef: "storage-system" + storagesystemSecretRef: "" # -- Reference to an existing thumbnails transfer secret (see xref:{secrets}[Secrets]) - thumbnailsSecretRef: "thumbnails-transfer-secret" + thumbnailsSecretRef: "" # -- Reference to an existing transfer secret (see xref:{secrets}[Secrets]) - transferSecretSecretRef: "transfer-secret" + transferSecretSecretRef: "" # -- Reference to an existing s3 secret (see xref:{secrets}[Secrets]) - s3CredentialsSecretRef: "s3-credentials-secret" + # If not filled in, will attempt to use values in `.storageusers.storageBackend.s3.driverConfig.s3ng` instead. + s3CredentialsSecretRef: "" # Security context options. securityContext: diff --git a/charts/ocis/templates/_common/_configvalues.tpl b/charts/ocis/templates/_common/_configvalues.tpl new file mode 100644 index 000000000..4eb402590 --- /dev/null +++ b/charts/ocis/templates/_common/_configvalues.tpl 
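Review bot: The new header over `secretRefs` tells users to leave the refs empty for autogeneration, but `gdprExportClientSecretRef`, `messagingSystemCaRef` and `notificationsSmtpSecretRef` are resolved with `required` in the new `_configvalues.tpl` and have no generated fallback; their per-key comments should carry the same `# Does not get autogenerated.` line the two web theme refs receive in this hunk. Two wording slips in the same comment blocks: "they will be NOT be overwritten" (in both the `configRefs` and `secretRefs` paragraphs) and, in the `configRefs` block, "fill in the configRefs below with the names of your existing secrets" where ConfigMaps are meant. The `# TODO: Update https://...` line is now part of the user-facing values file; keep the link as a plain "See ..." reference and track the docs update elsewhere.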
@@ -0,0 +1,73 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Simple secret and configmap name definitions.
+
+All take the scope as the first and only parameter.
+*/}}
+{{- define "secrets.adminUser" -}}
+{{ .Values.secretRefs.adminUserSecretRef | default "admin-user" | quote }}
+{{- end -}}
+
+{{- define "secrets.idpSecret" -}}
+{{ .Values.secretRefs.idpSecretRef | default "idp-secrets" | quote }}
+{{- end -}}
+
+{{- define "secrets.jwtSecret" -}}
+{{ .Values.secretRefs.jwtSecretRef | default "jwt-secret" | quote }}
+{{- end -}}
+
+{{- define "secrets.gdprExportClientSecret" -}}
+{{ required "gdprExportClientSecretRef can't be autogenerated" .Values.secretRefs.gdprExportClientSecretRef | quote }}
+{{- end -}}
+
+{{- define "secrets.ldapCASecret" -}}
+{{ .Values.secretRefs.ldapCaRef | default "ldap-ca" | quote }}
+{{- end -}}
+
+{{- define "secrets.ldapCertSecret" -}}
+{{ .Values.secretRefs.ldapCertRef | default "ldap-cert" | quote }}
+{{- end -}}
+
+{{- define "secrets.ldapBindSecret" -}}
+{{ .Values.secretRefs.ldapSecretRef | default "ldap-bind-secrets" | quote }}
+{{- end -}}
+
+{{- define "secrets.machineAuthAPIKeySecret" -}}
+{{ .Values.secretRefs.machineAuthApiKeySecretRef | default "machine-auth-api-key" | quote }}
+{{- end -}}
+
+{{- define "secrets.messagingSystemCASecret" -}}
+{{ required "messagingSystemCASecret can't be autogenerated" .Values.secretRefs.messagingSystemCaRef | quote }}
+{{- end -}}
+
+{{- define "secrets.notificationsSMTPSecret" -}}
+{{ required "notificationsSMTPSecret can't be autogenerated" .Values.secretRefs.notificationsSmtpSecretRef | quote }}
+{{- end -}}
+
+{{- define "secrets.storageSystemJWTSecret" -}}
+{{ .Values.secretRefs.storagesystemJwtSecretRef | default "storage-system-jwt-secret" | quote }}
+{{- end -}}
+
+{{- define "secrets.storageSystemSecret" -}}
+{{ .Values.secretRefs.storagesystemSecretRef | default "storage-system" | quote }}
+{{- end -}}
+
+{{- define "secrets.thumbnailsSecret" -}}
+{{ 
.Values.secretRefs.thumbnailsSecretRef | default "thumbnails-transfer-secret" | quote }}
+{{- end -}}
+
+{{- define "secrets.transferSecret" -}}
+{{ .Values.secretRefs.transferSecretSecretRef | default "transfer-secret" | quote }}
+{{- end -}}
+
+{{- define "secrets.s3CredentialsSecret" -}}
+{{ .Values.secretRefs.s3CredentialsSecretRef | default "s3-credentials-secret" | quote }}
+{{- end -}}
+
+{{- define "config.storageUsers" -}}
+{{ .Values.configRefs.storageusersConfigRef | default "storage-users" | quote }}
+{{- end -}}
+
+{{- define "config.graph" -}}
+{{ .Values.configRefs.graphConfigRef | default "graph" | quote }}
+{{- end -}}
diff --git a/charts/ocis/templates/_common/_tplvalues.tpl b/charts/ocis/templates/_common/_tplvalues.tpl
index 10dc4b24b..5022c89e1 100644
--- a/charts/ocis/templates/_common/_tplvalues.tpl
+++ b/charts/ocis/templates/_common/_tplvalues.tpl
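Review bot: The three `required` error strings name the helper rather than the values key the operator has to set — `"messagingSystemCASecret can't be autogenerated"` and `"notificationsSMTPSecret can't be autogenerated"` point at identifiers that do not exist in values.yaml, so a failing `helm install` does not say what to fill in. Prefer `required "secretRefs.messagingSystemCaRef must be set (this secret is not autogenerated)" .Values.secretRefs.messagingSystemCaRef` and the equivalent wording for `secretRefs.notificationsSmtpSecretRef` and `secretRefs.gdprExportClientSecretRef`. The file header only says "Simple secret and configmap name definitions"; it should also state the contract every caller now depends on: an empty ref selects the chart-managed default name (e.g. `admin-user`, `jwt-secret`), while the three `required` refs must always be supplied.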
@@ -287,3 +287,45 @@ oCIS persistence dataVolume
 emptyDir: {}
 {{- end }}
 {{- end -}}
+
+{{/*
+oCIS secret wrapper
+
+@param .name The name of the secret.
+@param .params Dict containing data keys/values (plaintext).
+@param .scope The current scope
+*/}}
+{{- define "ocis.secret" -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .name }}
+data:
+ {{- $secretObj := (lookup "v1" "Secret" .scope.Release.Namespace .name) | default dict }}
+ {{- $secretData := (get $secretObj "data") | default dict }}
+ {{- range $key, $value := .params }}
+ {{- $secretValue := (get $secretData $key) | default ($value | b64enc)}}
+ {{ $key }}: {{ $secretValue | quote }}
+ {{- end }}
+{{- end -}}
+
+{{/*
+oCIS ConfigMap wrapper
+
+@param .name The name of the ConfigMap.
+@param .params Dict containing data keys/values (plaintext).
+@param .scope The current scope
+*/}}
+{{- define "ocis.configMap" -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .name }}
+data:
+ {{- $configObj := (lookup "v1" "ConfigMap" .scope.Release.Namespace .name) | default dict }}
+ {{- $configData := (get $configObj "data") | default dict }}
+ {{- range $key, $value := .params }}
+ {{- $configValue := (get $configData $key) | default ($value)}}
+ {{ $key }}: {{ $configValue | quote }}
+ {{- end }}
+{{- end -}}
diff --git a/charts/ocis/templates/antivirus/deployment.yaml b/charts/ocis/templates/antivirus/deployment.yaml
index cbb9705d1..26b899a83 100644
--- a/charts/ocis/templates/antivirus/deployment.yaml
+++ b/charts/ocis/templates/antivirus/deployment.yaml
@@ -100,7 +100,7 @@ spec:
 - name: messaging-system-ca
 {{ if and (.Values.messagingSystem.external.enabled) (not .Values.messagingSystem.external.tls.certTrusted) }}
 secret:
- secretName: {{ .Values.secretRefs.messagingSystemCaRef }}
+ secretName: {{ include "secrets.messagingSystemCASecret" . }}
 {{ else }}
 emptyDir: {}
 {{ end }}
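Review bot: `ocis.secret` and `ocis.configMap` rely on `lookup` to keep previously generated values, but `lookup` returns an empty map under `helm template`, `--dry-run`, and when the installing identity cannot `get` Secrets/ConfigMaps in the release namespace; in those cases every render yields fresh random material, so a `helm template | kubectl apply` workflow rotates the JWT secret, API key, bind passwords and CA on each run. The preserved value also wins unconditionally, so there is no way to rotate a generated credential short of deleting the Secret before the upgrade. Both points belong in the wrapper comment, e.g. `Keys already present in the cluster object (via lookup) are kept as-is. lookup is empty under helm template/--dry-run or without read access, in which case new values are generated on every render. Delete the Secret to force regeneration.` The same note applies to `ocis.configMap`.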
diff --git a/charts/ocis/templates/appprovider/deployment.yaml b/charts/ocis/templates/appprovider/deployment.yaml index bc576e274..fd95727dc 100644 --- a/charts/ocis/templates/appprovider/deployment.yaml +++ b/charts/ocis/templates/appprovider/deployment.yaml @@ -75,7 +75,7 @@ spec: - name: APP_PROVIDER_JWT_SECRET valueFrom: secretKeyRef: - name: {{ $.Values.secretRefs.jwtSecretRef }} + name: {{ include "secrets.jwtSecret" $ }} key: jwt-secret livenessProbe: diff --git a/charts/ocis/templates/appregistry/deployment.yaml b/charts/ocis/templates/appregistry/deployment.yaml index e50be201c..ec8952063 100644 --- a/charts/ocis/templates/appregistry/deployment.yaml +++ b/charts/ocis/templates/appregistry/deployment.yaml @@ -53,7 +53,7 @@ spec: - name: APP_REGISTRY_JWT_SECRET valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.jwtSecretRef }} + name: {{ include "secrets.jwtSecret" . }} key: jwt-secret {{- include "ocis.livenessProbe" . | nindent 10 }} diff --git a/charts/ocis/templates/audit/deployment.yaml b/charts/ocis/templates/audit/deployment.yaml index 38d8b0993..684b57521 100644 --- a/charts/ocis/templates/audit/deployment.yaml +++ b/charts/ocis/templates/audit/deployment.yaml @@ -91,7 +91,7 @@ spec: - name: messaging-system-ca {{ if and (.Values.messagingSystem.external.enabled) (not .Values.messagingSystem.external.tls.certTrusted) }} secret: - secretName: {{ .Values.secretRefs.messagingSystemCaRef }} + secretName: {{ include "secrets.messagingSystemCASecret" . }} {{ else }} emptyDir: {} {{ end }} diff --git a/charts/ocis/templates/authbasic/deployment.yaml b/charts/ocis/templates/authbasic/deployment.yaml index eeb82824c..1d8c62c47 100644 --- a/charts/ocis/templates/authbasic/deployment.yaml +++ b/charts/ocis/templates/authbasic/deployment.yaml 
@@ -131,7 +131,7 @@ spec: - name: AUTH_BASIC_LDAP_BIND_PASSWORD valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.ldapSecretRef }} + name: {{ include "secrets.ldapBindSecret" . }} key: reva-ldap-bind-password - name: AUTH_BASIC_IDP_URL @@ -144,7 +144,7 @@ spec: - name: AUTH_BASIC_JWT_SECRET valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.jwtSecretRef }} + name: {{ include "secrets.jwtSecret" . }} key: jwt-secret - name: AUTH_BASIC_LDAP_USER_ENABLED_ATTRIBUTE @@ -182,7 +182,7 @@ spec: - name: ldap-ca {{ if or (not .Values.features.externalUserManagement.enabled) ( not .Values.features.externalUserManagement.ldap.certTrusted) }} secret: - secretName: {{ .Values.secretRefs.ldapCaRef }} + secretName: {{ include "secrets.ldapCASecret" . }} {{ else }} emptyDir: {} {{ end }} diff --git a/charts/ocis/templates/authmachine/deployment.yaml b/charts/ocis/templates/authmachine/deployment.yaml index 5f6ec9e60..a1fce0259 100644 --- a/charts/ocis/templates/authmachine/deployment.yaml +++ b/charts/ocis/templates/authmachine/deployment.yaml @@ -55,13 +55,13 @@ spec: - name: AUTH_MACHINE_JWT_SECRET valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.jwtSecretRef }} + name: {{ include "secrets.jwtSecret" . }} key: jwt-secret - name: AUTH_MACHINE_API_KEY valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.machineAuthApiKeySecretRef }} + name: {{ include "secrets.machineAuthAPIKeySecret" . }} key: machine-auth-api-key {{- include "ocis.livenessProbe" . | nindent 10 }} diff --git a/charts/ocis/templates/authmachine/secret.yaml b/charts/ocis/templates/authmachine/secret.yaml new file mode 100644 index 000000000..5ec355e58 --- /dev/null +++ b/charts/ocis/templates/authmachine/secret.yaml @@ -0,0 +1,5 @@ +{{- if or (not .Values.secretRefs.machineAuthApiKeySecretRef) }} +{{- $params := (dict)}} +{{- $_ := set $params "machine-auth-api-key" (randAlphaNum 30) }} +{{- include "ocis.secret" (dict "scope" . "name" "machine-auth-api-key" "params" $params)}} +{{- end }} 
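Review bot: `{{- if or (not .Values.secretRefs.machineAuthApiKeySecretRef) }}` in the new `authmachine/secret.yaml` applies `or` to a single operand, which is a no-op and reads like an unfinished condition; the sibling `graph/configmap.yaml` in this commit uses the plain form, so write `{{- if not .Values.secretRefs.machineAuthApiKeySecretRef }}` here. The spacing of `(dict)}}` and `$params)}}` also differs from the ` }}` style used in `_tplvalues.tpl`; one pass with consistent spacing keeps the new templates uniform.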
diff --git a/charts/ocis/templates/eventhistory/deployment.yaml b/charts/ocis/templates/eventhistory/deployment.yaml index 0c55e1e1c..d0b3173c6 100644 --- a/charts/ocis/templates/eventhistory/deployment.yaml +++ b/charts/ocis/templates/eventhistory/deployment.yaml @@ -100,7 +100,7 @@ spec: - name: messaging-system-ca {{ if and (.Values.messagingSystem.external.enabled) (not .Values.messagingSystem.external.tls.certTrusted) }} secret: - secretName: {{ .Values.secretRefs.messagingSystemCaRef }} + secretName: {{ include "secrets.messagingSystemCASecret" . }} {{ else }} emptyDir: {} {{ end }} diff --git a/charts/ocis/templates/frontend/deployment.yaml b/charts/ocis/templates/frontend/deployment.yaml index 2a3b96509..9ac389b0c 100644 --- a/charts/ocis/templates/frontend/deployment.yaml +++ b/charts/ocis/templates/frontend/deployment.yaml @@ -65,7 +65,7 @@ spec: - name: FRONTEND_JWT_SECRET valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.jwtSecretRef }} + name: {{ include "secrets.jwtSecret" . }} key: jwt-secret - name: FRONTEND_APP_HANDLER_INSECURE @@ -94,13 +94,13 @@ spec: - name: FRONTEND_MACHINE_AUTH_API_KEY valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.machineAuthApiKeySecretRef }} + name: {{ include "secrets.machineAuthAPIKeySecret" . }} key: machine-auth-api-key - name: OCIS_TRANSFER_SECRET valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.transferSecretSecretRef }} + name: {{ include "secrets.transferSecret" . }} key: transfer-secret {{- if .Values.features.quotas.max }} diff --git a/charts/ocis/templates/gateway/deployment.yaml b/charts/ocis/templates/gateway/deployment.yaml index 72e2fdb9c..5c2a43c9d 100644 --- a/charts/ocis/templates/gateway/deployment.yaml +++ b/charts/ocis/templates/gateway/deployment.yaml 
@@ -97,19 +97,19 @@ spec: - name: GATEWAY_STORAGE_USERS_MOUNT_ID valueFrom: configMapKeyRef: - name: {{ .Values.configRefs.storageusersConfigRef }} + name: {{ include "config.storageUsers" . }} key: storage-uuid - name: GATEWAY_JWT_SECRET valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.jwtSecretRef }} + name: {{ include "secrets.jwtSecret" . }} key: jwt-secret - name: OCIS_TRANSFER_SECRET valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.transferSecretSecretRef }} + name: {{ include "secrets.transferSecret" . }} key: transfer-secret {{- include "ocis.livenessProbe" . | nindent 10 }} diff --git a/charts/ocis/templates/graph/configmap.yaml b/charts/ocis/templates/graph/configmap.yaml new file mode 100644 index 000000000..9d23c924c --- /dev/null +++ b/charts/ocis/templates/graph/configmap.yaml @@ -0,0 +1,5 @@ +{{- if not .Values.configRefs.graphConfigRef }} +{{- $params := (dict)}} +{{- $_ := set $params "application-id" (uuidv4) }} +{{- include "ocis.configMap" (dict "scope" . "name" "graph" "params" $params)}} +{{- end }} diff --git a/charts/ocis/templates/graph/deployment.yaml b/charts/ocis/templates/graph/deployment.yaml index 12191795b..f9832cd32 100644 --- a/charts/ocis/templates/graph/deployment.yaml +++ b/charts/ocis/templates/graph/deployment.yaml @@ -60,7 +60,7 @@ spec: - name: GRAPH_LDAP_BIND_PASSWORD valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.ldapSecretRef }} + name: {{ include "secrets.ldapBindSecret" . }} key: graph-ldap-bind-password {{ else }} - name: GRAPH_LDAP_URI @@ -70,7 +70,7 @@ spec: - name: GRAPH_LDAP_BIND_PASSWORD valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.ldapSecretRef }} + name: {{ include "secrets.ldapBindSecret" . }} key: reva-ldap-bind-password - name: GRAPH_LDAP_SERVER_WRITE_ENABLED value: {{ .Values.features.externalUserManagement.ldap.writeable | quote }} 
@@ -179,13 +179,13 @@ spec: - name: GRAPH_APPLICATION_ID valueFrom: configMapKeyRef: - name: {{ .Values.configRefs.graphConfigRef }} + name: {{ include "config.graph" . }} key: application-id - name: GRAPH_JWT_SECRET valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.jwtSecretRef }} + name: {{ include "secrets.jwtSecret" . }} key: jwt-secret {{- if .Values.features.quotas.default }} @@ -196,7 +196,7 @@ spec: - name: USERLOG_MACHINE_AUTH_API_KEY valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.machineAuthApiKeySecretRef }} + name: {{ include "secrets.machineAuthAPIKeySecret" . }} key: machine-auth-api-key {{- if .Values.features.gdprReport.integrations.keycloak.enabled }} @@ -207,7 +207,7 @@ spec: - name: GRAPH_KEYCLOAK_CLIENT_SECRET valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.gdprExportClientSecretRef }} + name: {{ include "secrets.gdprExportClientSecret" . }} key: oidc-secret - name: GRAPH_KEYCLOAK_CLIENT_REALM value: {{ .Values.features.gdprReport.integrations.keycloak.clientRealm | quote }} @@ -247,14 +247,14 @@ spec: - name: messaging-system-ca {{ if and (.Values.messagingSystem.external.enabled) (not .Values.messagingSystem.external.tls.certTrusted) }} secret: - secretName: {{ .Values.secretRefs.messagingSystemCaRef }} + secretName: {{ include "secrets.messagingSystemCASecret" . }} {{ else }} emptyDir: {} {{ end }} - name: ldap-ca {{ if not .Values.features.externalUserManagement.enabled }} secret: - secretName: {{ .Values.secretRefs.ldapCaRef }} + secretName: {{ include "secrets.ldapCASecret" . }} {{ else }} emptyDir: {} {{ end }} diff --git a/charts/ocis/templates/groups/deployment.yaml b/charts/ocis/templates/groups/deployment.yaml index 779ac8271..4501c02ce 100644 --- a/charts/ocis/templates/groups/deployment.yaml +++ b/charts/ocis/templates/groups/deployment.yaml 
@@ -126,7 +126,7 @@ spec: - name: GROUPS_LDAP_BIND_PASSWORD valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.ldapSecretRef }} + name: {{ include "secrets.ldapBindSecret" . }} key: reva-ldap-bind-password - name: GROUPS_IDP_URL @@ -142,7 +142,7 @@ spec: - name: GROUPS_JWT_SECRET valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.jwtSecretRef }} + name: {{ include "secrets.jwtSecret" . }} key: jwt-secret {{- include "ocis.livenessProbe" . | nindent 10 }} @@ -173,7 +173,7 @@ spec: - name: ldap-ca {{ if or (not .Values.features.externalUserManagement.enabled) ( not .Values.features.externalUserManagement.ldap.certTrusted) }} secret: - secretName: {{ .Values.secretRefs.ldapCaRef }} + secretName: {{ include "secrets.ldapCASecret" . }} {{ else }} emptyDir: {} {{ end }} diff --git a/charts/ocis/templates/idm/deployment.yaml b/charts/ocis/templates/idm/deployment.yaml index 36cb48b44..032248f8f 100644 --- a/charts/ocis/templates/idm/deployment.yaml +++ b/charts/ocis/templates/idm/deployment.yaml @@ -75,30 +75,30 @@ spec: - name: IDM_ADMIN_PASSWORD valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.adminUserSecretRef }} + name: {{ include "secrets.adminUser" . }} key: password - name: IDM_ADMIN_USER_ID valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.adminUserSecretRef }} + name: {{ include "secrets.adminUser" . }} key: user-id - name: IDM_SVC_PASSWORD valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.ldapSecretRef }} + name: {{ include "secrets.ldapBindSecret" . }} key: graph-ldap-bind-password - name: IDM_REVASVC_PASSWORD valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.ldapSecretRef }} + name: {{ include "secrets.ldapBindSecret" . }} key: reva-ldap-bind-password - name: IDM_IDPSVC_PASSWORD valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.ldapSecretRef }} + name: {{ include "secrets.ldapBindSecret" . }} key: idp-ldap-bind-password - name: IDM_LDAPS_CERT 
@@ -132,6 +132,6 @@ spec:
 emptyDir: {}
 - name: ldap-cert
 secret:
- secretName: {{ .Values.secretRefs.ldapCertRef }}
+ secretName: {{ include "secrets.ldapCertSecret" . }}
 {{- include "ocis.persistence.dataVolume" . | nindent 8 }}
 {{- end }}
diff --git a/charts/ocis/templates/idm/secret.yaml b/charts/ocis/templates/idm/secret.yaml
new file mode 100644
index 000000000..81ca524fa
--- /dev/null
+++ b/charts/ocis/templates/idm/secret.yaml
@@ -0,0 +1,22 @@
+{{- $_ := set . "ldapCA" (genCA "ldap-ca" 365) }}
+{{ if and (not .Values.secretRefs.ldapCaRef) (not .Values.features.externalUserManagement.enabled) }}
+{{- $params := (dict)}}
+{{- $_ := set $params "ldap-ca.crt" .ldapCA.Cert }}
+{{- include "ocis.secret" (dict "scope" . "name" "ldap-ca" "params" $params)}}
+{{- end }}
+---
+{{ if and (not .Values.secretRefs.ldapCertRef) (not .Values.features.externalUserManagement.enabled) }}
+{{- $params := (dict)}}
+{{- $ldapCert := genSignedCert "idm" nil (list "idm") 365 .ldapCA }}
+{{- $_ := set $params "ldap.key" $ldapCert.Key }}
+{{- $_ := set $params "ldap.crt" $ldapCert.Cert }}
+{{- include "ocis.secret" (dict "scope" . "name" "ldap-cert" "params" $params)}}
+{{- end }}
+---
+{{ if not .Values.secretRefs.ldapSecretRef }}
+{{- $params := (dict)}}
+{{- $_ := set $params "reva-ldap-bind-password" (randAlphaNum 30) }}
+{{- $_ := set $params "idp-ldap-bind-password" (randAlphaNum 30) }}
+{{- $_ := set $params "graph-ldap-bind-password" (randAlphaNum 30) }}
+{{- include "ocis.secret" (dict "scope" . "name" "ldap-bind-secrets" "params" $params)}}
+{{- end }}
diff --git a/charts/ocis/templates/idp/deployment.yaml b/charts/ocis/templates/idp/deployment.yaml
index 035d2ea69..fb7fc9134 100644
--- a/charts/ocis/templates/idp/deployment.yaml
+++ b/charts/ocis/templates/idp/deployment.yaml
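Review bot: In the new `idm/secret.yaml`, `genCA "ldap-ca" 365` runs unconditionally on every render, and because `ocis.secret` keeps whatever `lookup` finds, neither the CA nor the `idm` certificate it signs is ever re-issued: once the 365-day validity elapses, later upgrades keep serving the expired `ldap.crt`, with no rotation path other than deleting the Secret. The two Secrets are also preserved independently, so if `ldap-ca` exists in the cluster but `ldap-cert` does not (or vice versa), the regenerated half is signed by, or trusts, a CA different from the preserved one and LDAPS verification fails. Mutating the root context with `set . "ldapCA"` is unnecessary since a top-level variable is visible in both `if` blocks: `{{- $ldapCA := genCA "ldap-ca" 365 }}`, `{{- $_ := set $params "ldap-ca.crt" $ldapCA.Cert }}`, `{{- $ldapCert := genSignedCert "idm" nil (list "idm") 365 $ldapCA }}`. The SAN list is only `idm`; if any client reaches the service as `idm.<namespace>.svc` that name would need adding, which I cannot confirm from this hunk. The expiry and pairing caveats should at least be stated in a header comment of this file.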
@@ -63,7 +63,7 @@ spec: - name: IDP_LDAP_BIND_PASSWORD valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.ldapSecretRef }} + name: {{ include "secrets.ldapBindSecret" . }} key: idp-ldap-bind-password - name: IDP_SIGNING_PRIVATE_KEY_FILES @@ -102,8 +102,8 @@ spec: emptyDir: {} - name: ldap-ca secret: - secretName: {{ .Values.secretRefs.ldapCaRef }} + secretName: {{ include "secrets.ldapCASecret" . }} - name: idp-secrets secret: - secretName: {{ .Values.secretRefs.idpSecretRef }} + secretName: {{ include "secrets.idpSecret" . }} {{- end }} diff --git a/charts/ocis/templates/idp/secret.yaml b/charts/ocis/templates/idp/secret.yaml new file mode 100644 index 000000000..b4a984d52 --- /dev/null +++ b/charts/ocis/templates/idp/secret.yaml @@ -0,0 +1,19 @@ +{{ if and (not .Values.features.externalUserManagement.enabled) (not .Values.secretRefs.idpSecretRef) }} +{{- $params := (dict)}} +{{- $_ := set $params "encryption.key" (randAscii 32) }} +{{- $_ := set $params "private-key.pem" (genPrivateKey "rsa") }} +{{- include "ocis.secret" (dict "scope" . "name" "idp-secrets" "params" $params)}} +{{- end }} +--- +{{ if not .Values.secretRefs.jwtSecretRef }} +{{- $params := (dict)}} +{{- $_ := set $params "jwt-secret" (randAlphaNum 30) }} +{{- include "ocis.secret" (dict "scope" . "name" "jwt-secret" "params" $params)}} +{{- end }} +--- +{{ if and (not .Values.features.externalUserManagement.enabled) (not .Values.secretRefs.adminUserSecretRef) }} +{{- $params := (dict)}} +{{- $_ := set $params "user-id" uuidv4 }} +{{- $_ := set $params "password" (randAlphaNum 10) }} +{{- include "ocis.secret" (dict "scope" . "name" "admin-user" "params" $params)}} +{{- end }} diff --git a/charts/ocis/templates/notifications/deployment.yaml b/charts/ocis/templates/notifications/deployment.yaml index 76465b9bf..3d2e88d6e 100644 --- a/charts/ocis/templates/notifications/deployment.yaml +++ b/charts/ocis/templates/notifications/deployment.yaml 
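Review bot: In the new `idp/secret.yaml` the autogenerated admin password is `randAlphaNum 10`, while every other credential generated in this commit (`jwt-secret`, `machine-auth-api-key`, the three LDAP bind passwords) uses `randAlphaNum 30`; the initial admin login is the most sensitive of these and deserves at least the same length, so `{{- $_ := set $params "password" (randAlphaNum 30) }}`, unless a UI constraint argues for a shorter value, in which case the reason belongs in a comment. `"user-id" uuidv4` relies on the bare niladic-function argument form while `graph/configmap.yaml` writes `(uuidv4)`; pick one spelling. A header comment noting that `ocis.secret` keeps these values across upgrades, so operators retrieve the generated password from the `admin-user` Secret rather than from chart output, would help.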
@@ -60,13 +60,13 @@ spec: - name: NOTIFICATIONS_SMTP_USERNAME valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.notificationsSmtpSecretRef }} + name: {{ include "secrets.notificationsSMTPSecret" . }} key: smtp-username - name: NOTIFICATIONS_SMTP_PASSWORD valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.notificationsSmtpSecretRef }} + name: {{ include "secrets.notificationsSMTPSecret" . }} key: smtp-password #TODO: remove OCIS_URL in favor of NOTIFICATIONS_WEB_UI_URL @@ -100,7 +100,7 @@ spec: - name: NOTIFICATIONS_MACHINE_AUTH_API_KEY valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.machineAuthApiKeySecretRef }} + name: {{ include "secrets.machineAuthAPIKeySecret" . }} key: machine-auth-api-key {{- include "ocis.livenessProbe" . | nindent 10 }} @@ -124,7 +124,7 @@ spec: - name: messaging-system-ca {{ if and (.Values.messagingSystem.external.enabled) (not .Values.messagingSystem.external.tls.certTrusted) }} secret: - secretName: {{ .Values.secretRefs.messagingSystemCaRef }} + secretName: {{ include "secrets.messagingSystemCASecret" . }} {{ else }} emptyDir: {} {{ end }} diff --git a/charts/ocis/templates/ocdav/deployment.yaml b/charts/ocis/templates/ocdav/deployment.yaml index af64c9740..567413844 100644 --- a/charts/ocis/templates/ocdav/deployment.yaml +++ b/charts/ocis/templates/ocdav/deployment.yaml @@ -64,13 +64,13 @@ spec: - name: OCDAV_JWT_SECRET valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.jwtSecretRef }} + name: {{ include "secrets.jwtSecret" . }} key: jwt-secret - name: OCDAV_MACHINE_AUTH_API_KEY valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.machineAuthApiKeySecretRef }} + name: {{ include "secrets.machineAuthAPIKeySecret" . }} key: machine-auth-api-key {{- include "ocis.cors" . |nindent 12 }} diff --git a/charts/ocis/templates/ocs/deployment.yaml b/charts/ocis/templates/ocs/deployment.yaml index 0e3b7e31b..478c5c739 100644 --- a/charts/ocis/templates/ocs/deployment.yaml +++ b/charts/ocis/templates/ocs/deployment.yaml 
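Review bot: `secrets.notificationsSMTPSecret` resolves through `required`, so the two `secretKeyRef` names in this hunk now abort rendering whenever `secretRefs.notificationsSmtpSecretRef` is empty; the values comment for that key says it is "Not used if `features.emailNotifications.enabled` equals `false`", which only holds if this env block is guarded by that flag — the enclosing template is outside the hunk, so I cannot confirm it. The CI values files in this commit gaining `notificationsSmtpSecretRef: "smtp-secret"` suggests the render does fail without it. Either guard the two includes with the feature flag or drop the "Not used if" wording from the values comment so the two agree.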
@@ -62,13 +62,13 @@ spec: - name: OCS_JWT_SECRET valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.jwtSecretRef }} + name: {{ include "secrets.jwtSecret" . }} key: jwt-secret - name: OCS_MACHINE_AUTH_API_KEY valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.machineAuthApiKeySecretRef }} + name: {{ include "secrets.machineAuthAPIKeySecret" . }} key: machine-auth-api-key {{- include "ocis.cors" . |nindent 12 }} diff --git a/charts/ocis/templates/policies/deployment.yaml b/charts/ocis/templates/policies/deployment.yaml index 358fc058b..66b7feb94 100644 --- a/charts/ocis/templates/policies/deployment.yaml +++ b/charts/ocis/templates/policies/deployment.yaml @@ -74,12 +74,12 @@ spec: - name: POLICIES_JWT_SECRET valueFrom: secretKeyRef: - name: {{ $.Values.secretRefs.jwtSecretRef }} + name: {{ include "secrets.jwtSecret" $ }} key: jwt-secret - name: POLICIES_MACHINE_AUTH_API_KEY valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.machineAuthApiKeySecretRef }} + name: {{ include "secrets.machineAuthAPIKeySecret" . }} key: machine-auth-api-key - name: POLICIES_DEBUG_PPROF @@ -111,7 +111,7 @@ spec: - name: messaging-system-ca {{ if and (.Values.messagingSystem.external.enabled) (not .Values.messagingSystem.external.tls.certTrusted) }} secret: - secretName: {{ .Values.secretRefs.messagingSystemCaRef }} + secretName: {{ include "secrets.messagingSystemCASecret" . }} {{ else }} emptyDir: {} {{ end }} diff --git a/charts/ocis/templates/postprocessing/deployment.yaml b/charts/ocis/templates/postprocessing/deployment.yaml index 699598354..20fc9298a 100644 --- a/charts/ocis/templates/postprocessing/deployment.yaml +++ b/charts/ocis/templates/postprocessing/deployment.yaml 
@@ -109,7 +109,7 @@ spec: - name: messaging-system-ca {{ if and (.Values.messagingSystem.external.enabled) (not .Values.messagingSystem.external.tls.certTrusted) }} secret: - secretName: {{ .Values.secretRefs.messagingSystemCaRef }} + secretName: {{ include "secrets.messagingSystemCASecret" . }} {{ else }} emptyDir: {} {{ end }} diff --git a/charts/ocis/templates/proxy/deployment.yaml b/charts/ocis/templates/proxy/deployment.yaml index 24cf92023..36b690e15 100644 --- a/charts/ocis/templates/proxy/deployment.yaml +++ b/charts/ocis/templates/proxy/deployment.yaml @@ -95,13 +95,13 @@ spec: - name: PROXY_JWT_SECRET valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.jwtSecretRef }} + name: {{ include "secrets.jwtSecret" . }} key: jwt-secret - name: PROXY_MACHINE_AUTH_API_KEY valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.machineAuthApiKeySecretRef }} + name: {{ include "secrets.machineAuthAPIKeySecret" . }} key: machine-auth-api-key {{- if .Values.features.policies.enabled }} diff --git a/charts/ocis/templates/search/deployment.yaml b/charts/ocis/templates/search/deployment.yaml index 798483a70..d453db903 100644 --- a/charts/ocis/templates/search/deployment.yaml +++ b/charts/ocis/templates/search/deployment.yaml @@ -91,7 +91,7 @@ spec: - name: SEARCH_MACHINE_AUTH_API_KEY valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.machineAuthApiKeySecretRef }} + name: {{ include "secrets.machineAuthAPIKeySecret" . }} key: machine-auth-api-key - name: OCIS_ASYNC_UPLOADS @@ -123,7 +123,7 @@ spec: - name: messaging-system-ca {{ if and (.Values.messagingSystem.external.enabled) (not .Values.messagingSystem.external.tls.certTrusted) }} secret: - secretName: {{ .Values.secretRefs.messagingSystemCaRef }} + secretName: {{ include "secrets.messagingSystemCASecret" . }} {{ else }} emptyDir: {} {{ end }} diff --git a/charts/ocis/templates/settings/deployment.yaml b/charts/ocis/templates/settings/deployment.yaml index fa7ea9106..1ed58219e 100644 
--- a/charts/ocis/templates/settings/deployment.yaml +++ b/charts/ocis/templates/settings/deployment.yaml @@ -63,7 +63,7 @@ spec: {{- else }} valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.adminUserSecretRef }} + name: {{ include "secrets.adminUser" . }} key: user-id {{- end }} {{- end }} @@ -75,18 +75,18 @@ spec: - name: SETTINGS_JWT_SECRET valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.jwtSecretRef }} + name: {{ include "secrets.jwtSecret" . }} key: jwt-secret - name: OCIS_SYSTEM_USER_API_KEY valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.storagesystemSecretRef }} + name: {{ include "secrets.storageSystemSecret" . }} key: api-key - name: OCIS_SYSTEM_USER_ID valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.storagesystemSecretRef }} + name: {{ include "secrets.storageSystemSecret" . }} key: user-id {{- include "ocis.cors" . |nindent 12 }} diff --git a/charts/ocis/templates/sharing/deployment.yaml b/charts/ocis/templates/sharing/deployment.yaml index 2fa7ffbd9..99da39700 100644 --- a/charts/ocis/templates/sharing/deployment.yaml +++ b/charts/ocis/templates/sharing/deployment.yaml @@ -73,7 +73,7 @@ spec: - name: SHARING_JWT_SECRET valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.jwtSecretRef }} + name: {{ include "secrets.jwtSecret" . }} key: jwt-secret - name: SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD @@ -87,12 +87,12 @@ spec: - name: SHARING_USER_JSONCS3_SYSTEM_USER_API_KEY valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.storagesystemSecretRef }} + name: {{ include "secrets.storageSystemSecret" . }} key: api-key - name: SHARING_USER_JSONCS3_SYSTEM_USER_ID valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.storagesystemSecretRef }} + name: {{ include "secrets.storageSystemSecret" . }} key: user-id # public sharing 
@@ -103,12 +103,12 @@ spec: - name: SHARING_PUBLIC_JSONCS3_SYSTEM_USER_API_KEY valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.storagesystemSecretRef }} + name: {{ include "secrets.storageSystemSecret" . }} key: api-key - name: SHARING_PUBLIC_JSONCS3_SYSTEM_USER_ID valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.storagesystemSecretRef }} + name: {{ include "secrets.storageSystemSecret" . }} key: user-id {{- include "ocis.livenessProbe" . | nindent 10 }} @@ -139,7 +139,7 @@ spec: - name: messaging-system-ca {{ if and (.Values.messagingSystem.external.enabled) (not .Values.messagingSystem.external.tls.certTrusted) }} secret: - secretName: {{ .Values.secretRefs.messagingSystemCaRef }} + secretName: {{ include "secrets.messagingSystemCASecret" . }} {{ else }} emptyDir: {} {{ end }} diff --git a/charts/ocis/templates/storagepubliclink/deployment.yaml b/charts/ocis/templates/storagepubliclink/deployment.yaml index b6e701540..07ed0da0c 100644 --- a/charts/ocis/templates/storagepubliclink/deployment.yaml +++ b/charts/ocis/templates/storagepubliclink/deployment.yaml @@ -55,7 +55,7 @@ spec: - name: STORAGE_PUBLICLINK_JWT_SECRET valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.jwtSecretRef }} + name: {{ include "secrets.jwtSecret" . }} key: jwt-secret {{- include "ocis.livenessProbe" . | nindent 10 }} diff --git a/charts/ocis/templates/storageshares/deployment.yaml b/charts/ocis/templates/storageshares/deployment.yaml index b7e09eebf..724648d9c 100644 --- a/charts/ocis/templates/storageshares/deployment.yaml +++ b/charts/ocis/templates/storageshares/deployment.yaml @@ -58,7 +58,7 @@ spec: - name: STORAGE_SHARES_JWT_SECRET valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.jwtSecretRef }} + name: {{ include "secrets.jwtSecret" . }} key: jwt-secret {{- include "ocis.livenessProbe" . | nindent 10 }} diff --git a/charts/ocis/templates/storagesystem/deployment.yaml b/charts/ocis/templates/storagesystem/deployment.yaml index ed9ff1e2b..d29802865 100644 
--- a/charts/ocis/templates/storagesystem/deployment.yaml
+++ b/charts/ocis/templates/storagesystem/deployment.yaml
@@ -88,19 +88,19 @@ spec:
 - name: STORAGE_SYSTEM_JWT_SECRET
 valueFrom:
 secretKeyRef:
- name: {{ .Values.secretRefs.storagesystemJwtSecretRef }}
+ name: {{ include "secrets.storageSystemJWTSecret" . }}
 key: storage-system-jwt-secret
 - name: OCIS_SYSTEM_USER_API_KEY
 valueFrom:
 secretKeyRef:
- name: {{ .Values.secretRefs.storagesystemSecretRef }}
+ name: {{ include "secrets.storageSystemSecret" . }}
 key: api-key
 - name: OCIS_SYSTEM_USER_ID
 valueFrom:
 secretKeyRef:
- name: {{ .Values.secretRefs.storagesystemSecretRef }}
+ name: {{ include "secrets.storageSystemSecret" . }}
 key: user-id
 {{- include "ocis.livenessProbe" . | nindent 10 }}
diff --git a/charts/ocis/templates/storagesystem/secret.yaml b/charts/ocis/templates/storagesystem/secret.yaml
new file mode 100644
index 000000000..1ac6ab048
--- /dev/null
+++ b/charts/ocis/templates/storagesystem/secret.yaml
@@ -0,0 +1,18 @@
+{{ if not .Values.secretRefs.storagesystemJwtSecretRef }}
+{{- $params := (dict)}}
+{{- $_ := set $params "storage-system-jwt-secret" (randAlphaNum 30) }}
+{{- include "ocis.secret" (dict "scope" . "name" "storage-system-jwt-secret" "params" $params)}}
+{{- end }}
+---
+{{ if not .Values.secretRefs.storagesystemSecretRef }}
+{{- $params := (dict)}}
+{{- $_ := set $params "api-key" (randAlphaNum 30) }}
+{{- $_ := set $params "user-id" uuidv4 }}
+{{- include "ocis.secret" (dict "scope" . "name" "storage-system" "params" $params)}}
+{{- end }}
+---
+{{ if not .Values.secretRefs.transferSecretSecretRef }}
+{{- $params := (dict)}}
+{{- $_ := set $params "transfer-secret" (randAlphaNum 30) }}
+{{- include "ocis.secret" (dict "scope" . "name" "transfer-secret" "params" $params)}}
+{{- end }}
diff --git a/charts/ocis/templates/storageusers/configmap.yaml b/charts/ocis/templates/storageusers/configmap.yaml
new file mode 100644
index 000000000..2420ca9b2
--- /dev/null
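Review bot: The `storage-system` Secret in storagesystem/secret.yaml is generated with a fresh `uuidv4` as `user-id`, and the values.yaml hunk in this commit states that chart-generated secrets are removed on `helm uninstall`; if the storage volumes survive, a reinstall produces a new system user id, api-key and transfer secret that, as far as I can tell, no longer match what the existing storage-system data was written with. Unless the `ocis.secret` helper already does so, I would annotate these Secrets with `helm.sh/resource-policy: keep` so uninstall leaves them in place, and say so in the values comment. Note also that the rendered values land in the release's `sh.helm.release.v1.*` Secrets, so read access to those is equivalent to holding the keys; the chart documentation should point that out wherever it recommends autogeneration.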
+++ b/charts/ocis/templates/storageusers/configmap.yaml
@@ -0,0 +1,5 @@
+{{- if not .Values.configRefs.storageusersConfigRef }}
+{{- $params := (dict)}}
+{{- $_ := set $params "storage-uuid" (uuidv4) }}
+{{- include "ocis.configMap" (dict "scope" . "name" "storage-users" "params" $params)}}
+{{- end }}
diff --git a/charts/ocis/templates/storageusers/deployment.yaml b/charts/ocis/templates/storageusers/deployment.yaml
index fd8d9fd41..081cd80a7 100644
--- a/charts/ocis/templates/storageusers/deployment.yaml
+++ b/charts/ocis/templates/storageusers/deployment.yaml
@@ -93,12 +93,12 @@ spec:
 - name: STORAGE_USERS_S3NG_ACCESS_KEY
 valueFrom:
 secretKeyRef:
- name: {{ .Values.secretRefs.s3CredentialsSecretRef }}
+ name: {{ include "secrets.s3CredentialsSecret" . }}
 key: accessKey
 - name: STORAGE_USERS_S3NG_SECRET_KEY
 valueFrom:
 secretKeyRef:
- name: {{ .Values.secretRefs.s3CredentialsSecretRef }}
+ name: {{ include "secrets.s3CredentialsSecret" . }}
 key: secretKey
 - name: STORAGE_USERS_S3NG_BUCKET
 value: {{ .Values.services.storageusers.storageBackend.driverConfig.s3ng.bucket | quote }}
@@ -141,7 +141,7 @@ spec:
 - name: OCIS_MACHINE_AUTH_API_KEY
 valueFrom:
 secretKeyRef:
- name: {{ .Values.secretRefs.machineAuthApiKeySecretRef }}
+ name: {{ include "secrets.machineAuthAPIKeySecret" . }}
 key: machine-auth-api-key
 - name: OCIS_REVA_GATEWAY
@@ -162,19 +162,19 @@ spec:
 - name: STORAGE_USERS_MOUNT_ID
 valueFrom:
 configMapKeyRef:
- name: {{ .Values.configRefs.storageusersConfigRef }}
+ name: {{ include "config.storageUsers" . }}
 key: storage-uuid
 - name: STORAGE_USERS_JWT_SECRET
 valueFrom:
 secretKeyRef:
- name: {{ .Values.secretRefs.jwtSecretRef }}
+ name: {{ include "secrets.jwtSecret" . }}
 key: jwt-secret
 - name: OCIS_TRANSFER_SECRET
 valueFrom:
 secretKeyRef:
- name: {{ .Values.secretRefs.transferSecretSecretRef }}
+ name: {{ include "secrets.transferSecret" . }}
 key: transfer-secret
 {{- if .Values.features.quotas.max }}
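Review bot: The generated `storage-uuid` in storageusers/configmap.yaml becomes `STORAGE_USERS_MOUNT_ID` (see the deployment hunk further down on this line), and the values.yaml hunk in this commit says chart-generated ConfigMaps are removed on uninstall; a reinstall over existing data therefore gets a new mount ID, which, if I read oCIS correctly, is part of the resource IDs recorded in shares and public links, so those would stop resolving. Unless `ocis.configMap` already sets it, add `helm.sh/resource-policy: keep` to this ConfigMap and warn in values.yaml next to `storageusersConfigRef`: `# The generated mount ID must never change once data exists; back it up or pin it via storageusersConfigRef.`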
@@ -220,7 +220,7 @@ spec: - name: messaging-system-ca {{ if and (.Values.messagingSystem.external.enabled) (not .Values.messagingSystem.external.tls.certTrusted) }} secret: - secretName: {{ .Values.secretRefs.messagingSystemCaRef }} + secretName: {{ include "secrets.messagingSystemCASecret" . }} {{ else }} emptyDir: {} {{ end }} diff --git a/charts/ocis/templates/storageusers/jobs.yaml b/charts/ocis/templates/storageusers/jobs.yaml index 07e0167eb..cf321d65c 100644 --- a/charts/ocis/templates/storageusers/jobs.yaml +++ b/charts/ocis/templates/storageusers/jobs.yaml @@ -65,12 +65,12 @@ spec: - name: STORAGE_USERS_S3NG_ACCESS_KEY valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.s3CredentialsSecretRef }} + name: {{ include "secrets.s3CredentialsSecret" . }} key: accessKey - name: STORAGE_USERS_S3NG_SECRET_KEY valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.s3CredentialsSecretRef }} + name: {{ include "secrets.s3CredentialsSecret" . }} key: secretKey - name: STORAGE_USERS_S3NG_BUCKET value: {{ .Values.services.storageusers.storageBackend.driverConfig.s3ng.bucket | quote }} @@ -79,19 +79,19 @@ spec: - name: STORAGE_USERS_JWT_SECRET valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.jwtSecretRef }} + name: {{ include "secrets.jwtSecret" . }} key: jwt-secret - name: OCIS_TRANSFER_SECRET valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.transferSecretSecretRef }} + name: {{ include "secrets.transferSecret" . }} key: transfer-secret - name: STORAGE_USERS_MOUNT_ID valueFrom: configMapKeyRef: - name: {{ .Values.configRefs.storageusersConfigRef }} + name: {{ include "config.storageUsers" . }} key: storage-uuid resources: {{ toYaml .Values.resources | nindent 16 }} 
@@ -160,19 +160,19 @@ spec:
 - name: STORAGE_USERS_JWT_SECRET
 valueFrom:
 secretKeyRef:
- name: {{ .Values.secretRefs.jwtSecretRef }}
+ name: {{ include "secrets.jwtSecret" . }}
 key: jwt-secret
 - name: OCIS_TRANSFER_SECRET
 valueFrom:
 secretKeyRef:
- name: {{ .Values.secretRefs.transferSecretSecretRef }}
+ name: {{ include "secrets.transferSecret" . }}
 key: transfer-secret
 - name: STORAGE_USERS_MOUNT_ID
 valueFrom:
 configMapKeyRef:
- name: {{ .Values.configRefs.storageusersConfigRef }}
+ name: {{ include "config.storageUsers" . }}
 key: storage-uuid
 # events
diff --git a/charts/ocis/templates/storageusers/secret.yaml b/charts/ocis/templates/storageusers/secret.yaml
index d8e369198..dd6f65b8d 100644
--- a/charts/ocis/templates/storageusers/secret.yaml
+++ b/charts/ocis/templates/storageusers/secret.yaml
@@ -1,4 +1,4 @@
-{{ if eq .Values.services.storageusers.storageBackend.driver "s3ng" -}}
+{{ if and (eq .Values.services.storageusers.storageBackend.driver "s3ng") (not .Values.secretRefs.s3CredentialsSecretRef) -}}
 {{ if and (.Values.services.storageusers.storageBackend.driverConfig.s3ng.accessKey) (.Values.services.storageusers.storageBackend.driverConfig.s3ng.secretKey) -}}
 apiVersion: v1
 kind: Secret
diff --git a/charts/ocis/templates/thumbnails/deployment.yaml b/charts/ocis/templates/thumbnails/deployment.yaml
index 29edef7c4..b25615bf7 100644
--- a/charts/ocis/templates/thumbnails/deployment.yaml
+++ b/charts/ocis/templates/thumbnails/deployment.yaml
@@ -78,7 +78,7 @@ spec:
 - name: THUMBNAILS_TRANSFER_TOKEN
 valueFrom:
 secretKeyRef:
- name: {{ .Values.secretRefs.thumbnailsSecretRef }}
+ name: {{ include "secrets.thumbnailsSecret" . }}
 key: thumbnails-transfer-secret
 {{- include "ocis.livenessProbe" . | nindent 10 }}
diff --git a/charts/ocis/templates/thumbnails/secret.yaml b/charts/ocis/templates/thumbnails/secret.yaml
new file mode 100644
index 000000000..7c05a07e9
--- /dev/null
+++ b/charts/ocis/templates/thumbnails/secret.yaml
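Review bot: With the new outer condition in storageusers/secret.yaml, an empty `secretRefs.s3CredentialsSecretRef` combined with unset `driverConfig.s3ng.accessKey`/`secretKey` renders no Secret at all, while the storageusers Deployment and Jobs in this commit still reference `include "secrets.s3CredentialsSecret"`, so the pods would presumably fail at container start with a missing-secret error rather than at install time (the helper's fallback is not visible here). Fail fast instead by giving the inner `if` an else branch: `{{- else }}{{ fail "s3ng driver needs secretRefs.s3CredentialsSecretRef or driverConfig.s3ng.accessKey/secretKey" }}`. The inner `if` block closes outside this hunk.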
@@ -0,0 +1,5 @@ +{{- if not .Values.secretRefs.thumbnailsSecretRef }} +{{- $params := (dict)}} +{{- $_ := set $params "thumbnails-transfer-secret" (randAlphaNum 30) }} +{{- include "ocis.secret" (dict "scope" . "name" "thumbnails-transfer-secret" "params" $params)}} +{{- end }} diff --git a/charts/ocis/templates/userlog/deployment.yaml b/charts/ocis/templates/userlog/deployment.yaml index ce9167b3b..48e04977d 100644 --- a/charts/ocis/templates/userlog/deployment.yaml +++ b/charts/ocis/templates/userlog/deployment.yaml @@ -82,13 +82,13 @@ spec: - name: USERLOG_MACHINE_AUTH_API_KEY valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.machineAuthApiKeySecretRef }} + name: {{ include "secrets.machineAuthAPIKeySecret" . }} key: machine-auth-api-key - name: USERLOG_JWT_SECRET valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.jwtSecretRef }} + name: {{ include "secrets.jwtSecret" . }} key: jwt-secret {{- include "ocis.cors" . |nindent 12 }} @@ -116,7 +116,7 @@ spec: - name: messaging-system-ca {{ if and (.Values.messagingSystem.external.enabled) (not .Values.messagingSystem.external.tls.certTrusted) }} secret: - secretName: {{ .Values.secretRefs.messagingSystemCaRef }} + secretName: {{ include "secrets.messagingSystemCASecret" . }} {{ else }} emptyDir: {} {{ end }} diff --git a/charts/ocis/templates/users/deployment.yaml b/charts/ocis/templates/users/deployment.yaml index de066e37c..9e2ba70d8 100644 --- a/charts/ocis/templates/users/deployment.yaml +++ b/charts/ocis/templates/users/deployment.yaml @@ -136,7 +136,7 @@ spec: - name: USERS_LDAP_BIND_PASSWORD valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.ldapSecretRef }} + name: {{ include "secrets.ldapBindSecret" . }} key: reva-ldap-bind-password - name: USERS_IDP_URL {{ if not .Values.features.externalUserManagement.enabled }} 
@@ -151,7 +151,7 @@ spec: - name: USERS_JWT_SECRET valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.jwtSecretRef }} + name: {{ include "secrets.jwtSecret" . }} key: jwt-secret {{- include "ocis.livenessProbe" . | nindent 10 }} @@ -182,7 +182,7 @@ spec: - name: ldap-ca {{ if or (not .Values.features.externalUserManagement.enabled) (not .Values.features.externalUserManagement.ldap.certTrusted) }} secret: - secretName: {{ .Values.secretRefs.ldapCaRef }} + secretName: {{ include "secrets.ldapCASecret" . }} {{ else }} emptyDir: {} {{ end }} diff --git a/charts/ocis/templates/web/deployment.yaml b/charts/ocis/templates/web/deployment.yaml index 8085ac562..a9c9cbf64 100644 --- a/charts/ocis/templates/web/deployment.yaml +++ b/charts/ocis/templates/web/deployment.yaml @@ -92,7 +92,7 @@ spec: - name: WEB_JWT_SECRET valueFrom: secretKeyRef: - name: {{ .Values.secretRefs.jwtSecretRef }} + name: {{ include "secrets.jwtSecret" . }} key: jwt-secret {{- include "ocis.livenessProbe" . | nindent 10 }} diff --git a/charts/ocis/values.yaml b/charts/ocis/values.yaml index e706cfa6a..c65bc8bce 100644 --- a/charts/ocis/values.yaml +++ b/charts/ocis/values.yaml 
@@ -462,55 +462,67 @@ ingress:
 # References to ConfigMaps.
 # The ConfigMaps need to be manually created.
+# Leave these empty to have them autogenerated by the Helm chart.
+# Note that ConfigMaps generated by the helm chart will be removed once the helm chart is uninstalled.
+# Furthermore, if you already had ConfigMaps at the default locations, they will be NOT be overwritten,
+# but the helm chart will claim ownership of them. If this is a problem, fill in the configRefs below
+# with the names of your existing secrets.
 # See https://doc.owncloud.com/ocis/next/deployment/container/orchestration/orchestration.html#customize-the-generic-setup[doc.owncloud.com] for how to generate them.
 configRefs:
 # -- Reference to an existing storage-users config.
- storageusersConfigRef: "storage-users"
+ storageusersConfigRef: ""
 # -- Reference to an existing graph config.
- graphConfigRef: "graph"
+ graphConfigRef: ""
 # -- Optional reference to an existing web theme config.
 # Will be mounted to /var/lib/ocis/web/assets/themes/owncloud for Web.
+ # Does not get autogenerated.
 # Hint: if you set this, you'll no longer be able to change the instance logo via the Web UI.
 webThemeConfigRef: ""
 # -- Optional reference to an existing web theme assets config.
 # Will be mounted to /var/lib/ocis/web/assets/themes/owncloud/assets for Web.
+ # Does not get autogenerated.
 # Hint: if you set this, you'll no longer be able to change the instance logo via the Web UI.
 webThemeAssetsConfigRef: ""
 # References to secrets.
-# The secrets need to be manually created.
-# See https://doc.owncloud.com/ocis/next/deployment/container/orchestration/orchestration.html#customize-the-generic-setup[doc.owncloud.com] for how to generate them.
+# Leave these empty to have them autogenerated by the Helm chart.
+# Note that secrets generated by the helm chart will be removed once the helm chart is uninstalled.
+# Furthermore, if you already had secrets at the default locations, they will be NOT be overwritten,
+# but the helm chart will claim ownership of them. If this is a problem, fill in the secretRefs below
+# with the names of your existing secrets.
+# TODO: Update https://doc.owncloud.com/ocis/next/deployment/container/orchestration/orchestration.html#customize-the-generic-setup[doc.owncloud.com] for how to generate them.
 secretRefs:
 # -- Reference to an existing admin user secret (see ref:Secrets#secrets). Not used if `features.externalUserManagement.enabled` equals `true`.
- adminUserSecretRef: "admin-user"
+ adminUserSecretRef: ""
 # -- Reference to an existing IDP secret (see ref:Secrets#secrets). Not used if `features.externalUserManagement.enabled` equals `true`.
- idpSecretRef: "idp-secrets"
+ idpSecretRef: ""
 # -- Reference to an existing JWT secret (see ref:Secrets#secrets).
- jwtSecretRef: "jwt-secret"
+ jwtSecretRef: ""
 # -- Reference to an existing keycloak client secret, used for the GDPR export. Only used if features.externalUserManagement.gdprExport.enabled equals true.
- gdprExportClientSecretRef: "gdpr-export-client-secret"
+ gdprExportClientSecretRef: ""
 # -- Reference to an existing LDAP certificate authority secret (see ref:Secrets#secrets)
- ldapCaRef: "ldap-ca"
+ ldapCaRef: ""
 # -- Reference to an existing LDAP cert secret (see ref:Secrets#secrets). Not used if `features.externalUserManagement.enabled` equals `true`.
- ldapCertRef: "ldap-cert"
+ ldapCertRef: ""
 # -- Reference to an existing LDAP bind secret (see ref:Secrets#secrets).
- ldapSecretRef: "ldap-bind-secrets"
+ ldapSecretRef: ""
 # -- Reference to an existing machine auth api key secret (see ref:Secrets#secrets)
- machineAuthApiKeySecretRef: "machine-auth-api-key"
+ machineAuthApiKeySecretRef: ""
 # -- Reference to an existing messaging system certificate authority secret (see ref:Secrets#secrets)
- messagingSystemCaRef: "messaging-system-ca"
+ messagingSystemCaRef: ""
 # -- Reference to an existing SMTP email server settings secret (see ref:Secrets#secrets). Not used if `features.emailNotifications.enabled` equals `false`.
- notificationsSmtpSecretRef: "notifications-smtp-secret"
+ notificationsSmtpSecretRef: ""
 # -- Reference to an existing storage-system JWT secret (see ref:Secrets#secrets)
- storagesystemJwtSecretRef: "storage-system-jwt-secret"
+ storagesystemJwtSecretRef: ""
 # -- Reference to an existing storage-system secret (see ref:Secrets#secrets)
- storagesystemSecretRef: "storage-system"
+ storagesystemSecretRef: ""
 # -- Reference to an existing thumbnails transfer secret (see ref:Secrets#secrets)
- thumbnailsSecretRef: "thumbnails-transfer-secret"
+ thumbnailsSecretRef: ""
 # -- Reference to an existing transfer secret (see ref:Secrets#secrets)
- transferSecretSecretRef: "transfer-secret"
+ transferSecretSecretRef: ""
 # -- Reference to an existing s3 secret (see ref:Secrets#secrets)
- s3CredentialsSecretRef: "s3-credentials-secret"
+ # If not filled in, will attempt to use values in `.storageusers.storageBackend.s3.driverConfig.s3ng` instead.
+ s3CredentialsSecretRef: ""
 # Security context options.
 securityContext:
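Review bot: The new comment block in values.yaml ships with several defects: `they will be NOT be overwritten` appears in both paragraphs, the configRefs paragraph closes with `the names of your existing secrets` where it means ConfigMaps, the `# TODO: Update https://doc.owncloud.com/...` line is a work note left in the user-facing defaults, and the `s3CredentialsSecretRef` hint cites `.storageusers.storageBackend.s3.driverConfig.s3ng` while the storageusers templates in this commit read `services.storageusers.storageBackend.driverConfig.s3ng`. `Leave these empty to have them autogenerated` is also stated for every key, yet values such as SMTP or Keycloak client credentials cannot be invented by a chart; mark the non-generated refs individually, as the two web theme refs already do with `# Does not get autogenerated.` Finally, autogeneration deserves a security caveat next to `secretRefs:`, e.g. `# Generated secrets are persisted in the Helm release history Secrets and are regenerated whenever the chart is rendered without cluster access (helm template, GitOps); for production, create the Secrets yourself and pin their names here.`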