Started updating mailer-config

Configured secret env vars so that the mailer credentials are loaded from a Kubernetes Secret at pod runtime.
We may want to write our credentials to an encrypted file so we can use
the __FILE feature described here: https://github.com/go-gitea/gitea/issues/19856.
Or we may want to encrypt our secrets as described here:
https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/
This commit is contained in:
erik 2022-07-13 15:59:08 +02:00
parent 09a471d5e5
commit e4946b4fa0
4 changed files with 35 additions and 2 deletions


@ -6,6 +6,7 @@
:cljs [orchestra.core :refer-macros [defn-spec]]) :cljs [orchestra.core :refer-macros [defn-spec]])
[dda.c4k-common.yaml :as yaml] [dda.c4k-common.yaml :as yaml]
[dda.c4k-common.common :as cm] [dda.c4k-common.common :as cm]
[dda.c4k-common.base64 :as b64]
[dda.c4k-common.predicate :as pred] [dda.c4k-common.predicate :as pred]
[dda.c4k-common.postgres :as postgres])) [dda.c4k-common.postgres :as postgres]))
@ -27,6 +28,7 @@
"gitea/deployment.yaml" (rc/inline "gitea/deployment.yaml") "gitea/deployment.yaml" (rc/inline "gitea/deployment.yaml")
"gitea/certificate.yaml" (rc/inline "gitea/certificate.yaml") "gitea/certificate.yaml" (rc/inline "gitea/certificate.yaml")
"gitea/ingress.yaml" (rc/inline "gitea/ingress.yaml") "gitea/ingress.yaml" (rc/inline "gitea/ingress.yaml")
"gitea/secrets.yaml" (rc/inline "gitea/secrets.yaml")
"gitea/services.yaml" (rc/inline "gitea/services.yaml") "gitea/services.yaml" (rc/inline "gitea/services.yaml")
"gitea/traefik-middleware.yaml" (rc/inline "gitea/traefik-middleware.yaml") "gitea/traefik-middleware.yaml" (rc/inline "gitea/traefik-middleware.yaml")
"gitea/volumes.yaml" (rc/inline "gitea/volumes.yaml") "gitea/volumes.yaml" (rc/inline "gitea/volumes.yaml")
@ -47,6 +49,15 @@
(cm/replace-all-matching-values-by-new-value "DBUSER" postgres-db-user) (cm/replace-all-matching-values-by-new-value "DBUSER" postgres-db-user)
(cm/replace-all-matching-values-by-new-value "DBPW" postgres-db-password)))) (cm/replace-all-matching-values-by-new-value "DBPW" postgres-db-password))))
(defn-spec generate-secrets pred/map-or-seq?
[config config?]
(let [{:keys [mailer-user mailer-pw]} config]
(->
(yaml/load-as-edn "gitea/secrets.yaml")
(cm/replace-all-matching-values-by-new-value "MAILERUSER" (b64/encode mailer-user))
(cm/replace-all-matching-values-by-new-value "MAILERPW" (b64/encode mailer-pw))
)))
(defn-spec generate-ingress pred/map-or-seq? (defn-spec generate-ingress pred/map-or-seq?
[config config?] [config config?]
(let [{:keys [fqdn issuer]} config] (let [{:keys [fqdn issuer]} config]
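Review bot: `generate-secrets` (L34–L41) has no docstring and nothing states that `mailer-user` and `mailer-pw` must be present in `config`; if the `config?` spec (outside this hunk) does not require them, `b64/encode` is called on nil and the rendered Secret silently gets whatever that yields. Add a docstring such as `"Renders gitea/secrets.yaml with the base64-encoded mailer credentials taken from config. Base64 is an encoding, not encryption: the generated manifest still exposes the credentials."` and confirm both keys are required in the spec. Style: the closing `)))` on its own line (L41) is non-idiomatic Clojure; fold it onto the preceding line as the neighbouring functions do.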


@ -55,7 +55,7 @@ data:
[picture] [picture]
AVATAR_UPLOAD_PATH = /data/gitea/avatars AVATAR_UPLOAD_PATH = /data/gitea/avatars
REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
DISABLE_GRAVATAR = false DISABLE_GRAVATAR = true # do we want our gitea talking to gravatar?
ENABLE_FEDERATED_AVATAR = true ENABLE_FEDERATED_AVATAR = true
[attachment] [attachment]
@ -91,7 +91,13 @@ data:
;JWT_SECRET = ;JWT_SECRET =
[mailer] [mailer]
ENABLED = false ENABLED = false
FROM = gitea@meissa-gmbh.de
MAILER_TYPE = smtp
HOST = mail.routing.net:587
IS_TLS_ENABLED = true
USER =
PASSWD =
[openid] [openid]
ENABLE_OPENID_SIGNIN = true ENABLE_OPENID_SIGNIN = true
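Review bot: The concern recorded in the inline comment on `DISABLE_GRAVATAR = true` ("do we want our gitea talking to gravatar?") is only half applied, because `ENABLE_FEDERATED_AVATAR = true` on the next line still lets Gitea query external federated-avatar servers; if the goal is no outbound avatar lookups, set `ENABLE_FEDERATED_AVATAR = false` too. The new mailer block pairs `IS_TLS_ENABLED = true` with port 587: as far as Gitea's docs go that flag selects a direct TLS connection rather than STARTTLS, while 587 is conventionally a STARTTLS port, so verify the mode the provider expects (newer Gitea versions express it as `PROTOCOL = smtp+starttls`). Leaving `USER =` and `PASSWD =` empty and relying on the `GITEA__mailer__*` env vars to fill them looks deliberate; a `; set via the gitea-secrets env vars` comment beside them would make that explicit, and note the section is still `ENABLED = false`, so the credentials are being delivered to a mailer that is switched off.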


@ -24,6 +24,8 @@ spec:
envFrom: envFrom:
- configMapRef: - configMapRef:
name: gitea-env name: gitea-env
- secretRef:
name: gitea-secrets
volumeMounts: volumeMounts:
- name: app-ini-config-volume - name: app-ini-config-volume
mountPath: "/tmp/app.ini" mountPath: "/tmp/app.ini"
@ -32,6 +34,8 @@ spec:
mountPath: "/var/lib/gitea" mountPath: "/var/lib/gitea"
- name: gitea-data-volume - name: gitea-data-volume
mountPath: "/data" mountPath: "/data"
- name: gitea-secret-volume
mountPath: "/run/secrets"
ports: ports:
- containerPort: 22 - containerPort: 22
name: git-ssh name: git-ssh
@ -47,3 +51,7 @@ spec:
- name: gitea-data-volume - name: gitea-data-volume
persistentVolumeClaim: persistentVolumeClaim:
claimName: gitea-data-pvc claimName: gitea-data-pvc
- name: gitea-secret-volume
secret:
secretName: gitea-secrets
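Review bot: The same Secret is delivered twice — via `envFrom`/`secretRef` (L74–L75) and as a volume at `/run/secrets` (L83–L84, L92–L94) — and the volume mount is neither read-only nor mode-restricted, so either keep one path or at least tighten the mount with `readOnly: true` on the volumeMount and `defaultMode: 0400` on the volume. `/run/secrets` is also the root under which the kubelet projects the service-account token (`/var/run/secrets/kubernetes.io/serviceaccount`, with `/var/run` commonly a symlink to `/run`), so mounting a volume at that root risks shadowing it; a dedicated subpath such as `/run/secrets/gitea` avoids the collision. If the file mount only exists for the future `__FILE` approach mentioned in the description, say so in a comment next to it.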


@ -0,0 +1,8 @@
apiVersion: v1
kind: Secret
metadata:
name: gitea-secrets
data:
GITEA__mailer__USER: MAILERUSER
GITEA__mailer__PASSWD: MAILERPW
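Review bot: The values `MAILERUSER` and `MAILERPW` under `data:` are placeholders that the generator substitutes with base64-encoded credentials, but nothing in the file says so, and applied unrendered the manifest is rejected because they are not valid base64. Add a header comment such as `# placeholder values; replaced with base64-encoded credentials by generate-secrets` so the file is not applied as-is. Alternatively switch to `stringData:`, which lets Kubernetes do the base64 encoding and removes the `b64/encode` step from the generator. The key names appear to follow the `GITEA__section__KEY` convention that Gitea's environment-to-ini applies at container start; worth stating in the same comment, together with the fact that the rendered manifest holds the credentials in recoverable form, which is what the encryption-at-rest link in the description is about.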