add userlog_global_notifications_secret (#400)
* add userlog_global_notifications_secret

* add secrets for userlog

* add secrets for userlog

* add secret options

* fix notifications secrets

* fix notifications secrets

* fix notifications secrets

* add docs
case0sh authored Oct 17, 2023
1 parent 5c854bc commit ebb8584
Showing 5 changed files with 30 additions and 5 deletions.
6 changes: 6 additions & 0 deletions charts/ocis/docs/values-desc-table.adoc
Expand Up @@ -984,6 +984,12 @@ a| [subs=-attributes]
a| [subs=-attributes]
`""`
| Reference to an existing keycloak client secret, used for the GDPR export. Only used if features.externalUserManagement.gdprExport.enabled equals true.
| secretRefs.globalNotificationsSecretRef
a| [subs=-attributes]
+string+
a| [subs=-attributes]
`""`
| The secret to secure the global notifications endpoint. Only system admins and users knowing that secret can call the global notifications POST/DELETE endpoints.
| secretRefs.idpSecretRef
a| [subs=-attributes]
+string+
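Review bot: the new `secretRefs.globalNotificationsSecretRef` row describes the value as the secret itself ("The secret to secure the global notifications endpoint"), but like every other `secretRefs.*` row in this table (compare "Reference to an existing keycloak client secret" just above it) the field holds the name of an existing Kubernetes Secret, not the secret value. Reword it along the lines of "Reference to an existing secret holding the global notifications secret" and state the key the userlog deployment reads from that Secret (`notifications-secret` in the deployment hunk of this commit), since the table is the only place an operator will look for it.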
8 changes: 6 additions & 2 deletions charts/ocis/docs/values.adoc.yaml
Expand Up @@ -568,6 +568,8 @@ secretRefs:
# -- Reference to an existing s3 secret (see xref:{secrets}[Secrets])
# If not filled in, will attempt to use values in `.storageusers.storageBackend.s3.driverConfig.s3ng` instead.
s3CredentialsSecretRef: ""
# -- The secret to secure the global notifications endpoint. Only system admins and users knowing that secret can call the global notifications POST/DELETE endpoints.
globalNotificationsSecretRef: ""

# Security context options.
securityContext:
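Review bot: the doc comment on `globalNotificationsSecretRef` should follow the convention of the `s3CredentialsSecretRef` entry directly above it (`# -- Reference to an existing ... secret (see xref:{secrets}[Secrets])`) and point to the Secrets page, where the expected Secret layout (key `notifications-secret`, as consumed by the userlog deployment in this commit) needs to be documented. As written, a reader could reasonably paste the secret value itself into this field; the deployment would then reference a Secret named after that value, and the pod's `secretKeyRef` lookup would fail.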
Expand Down Expand Up @@ -670,13 +672,15 @@ jobNodeSelector:
# kubernetes.io/arch: "amd64"

# -- Default priorityClassName to apply to all services, except per-service jobPriorityClassName configuration in `services.<service-name>.jobPriorityClassName` is set.
jobPriorityClassName: ""
jobPriorityClassName:
""
# ocis-low-priority
# ocis-medium-priority
# ocis-high-priority

# -- Default priorityClassName to apply to all services, except per-service priorityClassName configuration in `services.<service-name>.priorityClassName` is set.
priorityClassName: ""
priorityClassName:
""
# ocis-low-priority
# ocis-medium-priority
# ocis-high-priority
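Review bot: splitting `jobPriorityClassName: ""` and `priorityClassName: ""` onto two lines has nothing to do with the notifications secret and looks like formatter churn; drop it from this commit (or land it separately) so the diff only carries the change named in its title. If it stays, check that the `""` continuation line is indented deeper than its key, which the rendered diff strips and therefore cannot show; a continuation at the same indentation is not parsed as the key's value.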
4 changes: 4 additions & 0 deletions charts/ocis/templates/_common/_configvalues.tpl
Expand Up @@ -36,6 +36,10 @@ All take the scope as the first and only parameter.
{{ .Values.secretRefs.machineAuthApiKeySecretRef | default "machine-auth-api-key" | quote }}
{{- end -}}

{{- define "secrets.globalNotificationsSecret" -}}
{{ required "messagingSystemCASecret can't be autogenerated" .Values.secretRefs.globalNotificationsSecretRef | quote }}

Comment by @DaDummy (Oct 29, 2023):

I believe the error message should read "globalNotificationsSecret can't be autogenerated"

Comment by @d7oc, Contributor (Nov 6, 2023):

I would agree to this. @case0sh Could you double check? We might need a new issue here as the change was merged already.

{{- end -}}

{{- define "secrets.messagingSystemCASecret" -}}
{{ required "messagingSystemCASecret can't be autogenerated" .Values.secretRefs.messagingSystemCaRef | quote }}
{{- end -}}
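Review bot: the `required` message in `secrets.globalNotificationsSecret` was copied from `secrets.messagingSystemCASecret` and still reads "messagingSystemCASecret can't be autogenerated"; it should be "globalNotificationsSecret can't be autogenerated", as @DaDummy and @d7oc already note above. Worth adding that the only caller in this commit, the userlog deployment, guards the include with `{{- if .Values.secretRefs.globalNotificationsSecretRef }}`, so the `required` check cannot fire from there today; it is still the message a future unguarded caller will see, so it has to name the right secret.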
9 changes: 8 additions & 1 deletion charts/ocis/templates/userlog/deployment.yaml
Expand Up @@ -26,7 +26,6 @@ spec:
{{- include "ocis.containerSecurityContext" . | nindent 10 }}
env:
{{- include "ocis.serviceRegistry" . | nindent 12 }}

- name: USERLOG_LOG_COLOR
value: {{ .Values.logging.color | quote }}
- name: USERLOG_LOG_LEVEL
Expand Down Expand Up @@ -83,6 +82,14 @@ spec:
name: {{ include "secrets.machineAuthAPIKeySecret" . }}
key: machine-auth-api-key

{{- if .Values.secretRefs.globalNotificationsSecretRef }}
- name: USERLOG_GLOBAL_NOTIFICATIONS_SECRET
valueFrom:
secretKeyRef:
name: {{ include "secrets.globalNotificationsSecret" . }}
key: notifications-secret
{{- end }}

- name: USERLOG_JWT_SECRET
valueFrom:
secretKeyRef:
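Review bot: the Secret key `notifications-secret` is hardcoded here and appears in none of the documentation this commit adds, so an operator who creates the referenced Secret under a different key gets a container that fails to start on a missing-key error instead of a clear validation message; either document the key next to the `globalNotificationsSecretRef` description or make the key configurable alongside the Secret name. The docs should also say what the empty default means: with `secretRefs.globalNotificationsSecretRef` unset, `USERLOG_GLOBAL_NOTIFICATIONS_SECRET` is not exported at all, and the value description only says that admins and holders of the secret may call the POST/DELETE endpoints.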
8 changes: 6 additions & 2 deletions charts/ocis/values.yaml
Expand Up @@ -567,6 +567,8 @@ secretRefs:
# -- Reference to an existing s3 secret (see ref:Secrets#secrets)
# If not filled in, will attempt to use values in `.storageusers.storageBackend.s3.driverConfig.s3ng` instead.
s3CredentialsSecretRef: ""
# -- The secret to secure the global notifications endpoint. Only system admins and users knowing that secret can call the global notifications POST/DELETE endpoints.
globalNotificationsSecretRef: ""

# Security context options.
securityContext:
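Review bot: same wording problem as in values.adoc.yaml: the comment says "The secret to secure the global notifications endpoint" although the field is a reference to an existing Secret, and unlike the `s3CredentialsSecretRef` comment above it there is no `(see ref:Secrets#secrets)` pointer. The same sentence also appears in values.adoc.yaml and values-desc-table.adoc, so all three copies need the corrected text.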
Expand Down Expand Up @@ -669,13 +671,15 @@ jobNodeSelector:
# kubernetes.io/arch: "amd64"

# -- Default priorityClassName to apply to all services, except per-service jobPriorityClassName configuration in `services.<service-name>.jobPriorityClassName` is set.
jobPriorityClassName: ""
jobPriorityClassName:
""
# ocis-low-priority
# ocis-medium-priority
# ocis-high-priority

# -- Default priorityClassName to apply to all services, except per-service priorityClassName configuration in `services.<service-name>.priorityClassName` is set.
priorityClassName: ""
priorityClassName:
""
# ocis-low-priority
# ocis-medium-priority
# ocis-high-priority
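Review bot: same unrelated `jobPriorityClassName` / `priorityClassName` reflow as in values.adoc.yaml; drop it from this commit or split it out, and if kept verify the `""` continuation is indented under its key.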

0 comments on commit ebb8584
