From e4946b4fa01ae2df4c2651c39761c8c7fddcd6e2 Mon Sep 17 00:00:00 2001
From: erik
Date: Wed, 13 Jul 2022 15:59:08 +0200
Subject: [PATCH] Started updating mailer-config

Configured secret env vars for mailer credentials to be loaded at pod runtime. We may want to write our credentials to an encrypted file so we can use the __FILE feature described here: https://github.com/go-gitea/gitea/issues/19856. Or we may want to encrypt our secrets as described here: https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/
---
 src/main/cljc/dda/c4k_gitea/gitea.cljc | 11 +++++++++++
 src/main/resources/gitea/appini-configmap.yaml | 10 ++++++++--
 src/main/resources/gitea/deployment.yaml | 8 ++++++++
 src/main/resources/gitea/secrets.yaml | 8 ++++++++
 4 files changed, 35 insertions(+), 2 deletions(-)
 create mode 100644 src/main/resources/gitea/secrets.yaml

diff --git a/src/main/cljc/dda/c4k_gitea/gitea.cljc b/src/main/cljc/dda/c4k_gitea/gitea.cljc
index b37849f..55039c6 100644
--- a/src/main/cljc/dda/c4k_gitea/gitea.cljc
+++ b/src/main/cljc/dda/c4k_gitea/gitea.cljc
@@ -6,6 +6,7 @@
 :cljs [orchestra.core :refer-macros [defn-spec]])
 [dda.c4k-common.yaml :as yaml]
 [dda.c4k-common.common :as cm]
+ [dda.c4k-common.base64 :as b64]
 [dda.c4k-common.predicate :as pred]
 [dda.c4k-common.postgres :as postgres]))
@@ -27,6 +28,7 @@
 "gitea/deployment.yaml" (rc/inline "gitea/deployment.yaml")
 "gitea/certificate.yaml" (rc/inline "gitea/certificate.yaml")
 "gitea/ingress.yaml" (rc/inline "gitea/ingress.yaml")
+ "gitea/secrets.yaml" (rc/inline "gitea/secrets.yaml")
 "gitea/services.yaml" (rc/inline "gitea/services.yaml")
 "gitea/traefik-middleware.yaml" (rc/inline "gitea/traefik-middleware.yaml")
 "gitea/volumes.yaml" (rc/inline "gitea/volumes.yaml")
@@ -47,6 +49,15 @@
 (cm/replace-all-matching-values-by-new-value "DBUSER" postgres-db-user)
 (cm/replace-all-matching-values-by-new-value "DBPW" postgres-db-password))))
+(defn-spec generate-secrets pred/map-or-seq?
+ [config config?]
+ (let [{:keys [mailer-user mailer-pw]} config]
+ (->
+ (yaml/load-as-edn "gitea/secrets.yaml")
+ (cm/replace-all-matching-values-by-new-value "MAILERUSER" (b64/encode mailer-user))
+ (cm/replace-all-matching-values-by-new-value "MAILERPW" (b64/encode mailer-pw))
+ )))
+
 (defn-spec generate-ingress pred/map-or-seq?
 [config config?]
 (let [{:keys [fqdn issuer]} config]
diff --git a/src/main/resources/gitea/appini-configmap.yaml b/src/main/resources/gitea/appini-configmap.yaml
index 89e9541..b5ecc4d 100644
--- a/src/main/resources/gitea/appini-configmap.yaml
+++ b/src/main/resources/gitea/appini-configmap.yaml
@@ -55,7 +55,7 @@ data:
 [picture]
 AVATAR_UPLOAD_PATH = /data/gitea/avatars
 REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
- DISABLE_GRAVATAR = false
+ DISABLE_GRAVATAR = true # do we want our gitea talking to gravatar?
 ENABLE_FEDERATED_AVATAR = true
 [attachment]
@@ -91,7 +91,13 @@ data:
 ;JWT_SECRET =
 [mailer]
- ENABLED = false
+ ENABLED = false
+ FROM = gitea@meissa-gmbh.de
+ MAILER_TYPE = smtp
+ HOST = mail.routing.net:587
+ IS_TLS_ENABLED = true
+ USER =
+ PASSWD =
 [openid]
 ENABLE_OPENID_SIGNIN = true
diff --git a/src/main/resources/gitea/deployment.yaml b/src/main/resources/gitea/deployment.yaml
index 8d9387c..b54a337 100644
--- a/src/main/resources/gitea/deployment.yaml
+++ b/src/main/resources/gitea/deployment.yaml
@@ -24,6 +24,8 @@ spec:
 envFrom:
 - configMapRef:
 name: gitea-env
+ - secretRef:
+ name: gitea-secrets
 volumeMounts:
 - name: app-ini-config-volume
 mountPath: "/tmp/app.ini"
@@ -32,6 +34,8 @@ spec:
 mountPath: "/var/lib/gitea"
 - name: gitea-data-volume
 mountPath: "/data"
+ - name: gitea-secret-volume
+ mountPath: "/run/secrets"
 ports:
 - containerPort: 22
 name: git-ssh
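Review bot: `generate-secrets` destructures `:mailer-user` and `:mailer-pw` from `config`, but nothing in this patch extends the `config?` spec (defined outside the hunk) to require them, so a config that omits the mailer keys is still accepted and whatever `(b64/encode nil)` returns becomes the Secret's credential value, possibly a silently empty one. Add the two keys to the spec, or validate them here before encoding, so a half-configured mailer fails at generation time rather than at first SMTP login. The function also has no docstring while it is the one generator that handles credentials; `"Renders gitea/secrets.yaml with the base64-encoded mailer credentials from config."` would match the siblings. As a point of style, the closing `)))` on its own line is unusual for Clojure and for this file — the closers belong at the end of the `MAILERPW` line.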
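Review bot: `DISABLE_GRAVATAR = true # do we want our gitea talking to gravatar?` parks an open question as an inline `#` comment on the value; whether Gitea's INI parser strips that suffix is worth confirming, and the rest of this file comments with `;` on lines of their own (`;JWT_SECRET =`). Settle the question in the commit and keep the value bare, with the rationale on the line above, e.g. `; keep avatar lookups in-house: no outbound requests to gravatar` followed by `DISABLE_GRAVATAR = true`.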
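Review bot: `FROM = gitea@meissa-gmbh.de` and `HOST = mail.routing.net:587` are deployment-specific values baked into the shared template, unlike `DBUSER`/`DBPW`, which the generator substitutes from config; placeholders substituted by `generate-config` would keep the ConfigMap reusable and keep one operator's mail relay out of the repository. `USER =` and `PASSWD =` are left empty, presumably so the `GITEA__mailer__USER`/`GITEA__mailer__PASSWD` variables from the new Secret take over — a line `; USER and PASSWD are injected at runtime via GITEA__mailer__* env vars (see secrets.yaml)` would spare the next reader the cross-reference. It is also worth confirming against the Gitea mailer docs that `IS_TLS_ENABLED = true` matches what port 587 on that host expects, since 587 is commonly a STARTTLS port, and since `ENABLED = false` stays, none of this block is exercised until it is switched on.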
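Review bot: the new `secretRef` injects the mailer password into the container environment, while the next hunk in this file also mounts the same Secret at `/run/secrets`, so the credential is exposed twice and the environment is the weaker path (readable from the process environment by anything in the container and inherited by every child process Gitea spawns). If the `__FILE` approach mentioned in the commit message is the goal, the volume alone is needed and the `envFrom` entry should go; if environment injection is the mechanism for now, the volume is dead weight until `__FILE` is actually used. Either way, only one of the two should survive so the exposure surface is deliberate.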
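Review bot: the `gitea-secret-volume` mount has no `readOnly: true`; add it so the intent is declared on the mount itself rather than relying on the Secret volume's implicit behaviour. Separately, `mountPath: "/run/secrets"` is a risky location: in images where `/var/run` is a symlink to `/run` (common), it sits on the parent of `/var/run/secrets/kubernetes.io/serviceaccount`, where the service-account token is projected, and may shadow or break that mount. A dedicated subdirectory such as `mountPath: "/run/secrets/gitea"` avoids the collision.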
@@ -47,3 +51,7 @@ spec:
 - name: gitea-data-volume
 persistentVolumeClaim:
 claimName: gitea-data-pvc
+ - name: gitea-secret-volume
+ secret:
+ secretName: gitea-secrets
+
diff --git a/src/main/resources/gitea/secrets.yaml b/src/main/resources/gitea/secrets.yaml
new file mode 100644
index 0000000..0ec9d9c
--- /dev/null
+++ b/src/main/resources/gitea/secrets.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: gitea-secrets
+data:
+ GITEA__mailer__USER: MAILERUSER
+ GITEA__mailer__PASSWD: MAILERPW
+
\ No newline at end of file
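Review bot: the `secret:` volume leaves `defaultMode` at the Kubernetes default of 0644, so once mounted the mailer password is world-readable inside the container. Consider `defaultMode: 0440` on the volume, paired with a matching `fsGroup` in the pod `securityContext` if the Gitea process does not run as root (the image's user is not visible here). The enclosing `volumes:` list starts outside the hunk, and the trailing empty added line can be dropped.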
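Review bot: the rendered form of this Secret carries the SMTP credentials base64-encoded, not encrypted, so the output of `generate-secrets` must be treated as sensitive material (applied directly, never committed or logged alongside the other generated manifests) — the commit message already points at encryption at rest, but nothing in the template says so. A header comment, `# MAILERUSER/MAILERPW are replaced by generate-secrets with base64-encoded values; the rendered file is a credential`, would make that explicit to whoever renders it. Since the generator does the encoding itself, `stringData:` with plain placeholders is an alternative that removes the `b64/encode` calls from gitea.cljc and makes the template self-describing; either way the encoding should live in exactly one place.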