kube: standardize top.secretRefs convention

Introduce a convention of declaring a secretRefs:: object below cfg:: that contains all secretKeyRefs. The goal is to self-document every secret that must be created in order to deploy a service.

Change-Id: I3a990d54f65a288f5e748262c576d2a120efd815
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1806
Reviewed-by: q3k <q3k@hackerspace.pl>
diff --git a/hswaw/paperless/paperless.libsonnet b/hswaw/paperless/paperless.libsonnet
index c58ecae..dc9d5d9 100644
--- a/hswaw/paperless/paperless.libsonnet
+++ b/hswaw/paperless/paperless.libsonnet
@@ -26,6 +26,16 @@
         storageClassName: "waw-hdd-redundant-3",
     },
 
+    secretRefs:: {
+        redis_password: { secretKeyRef: { name: "paperless", key: "redis_password" } },
+        postgres_password: { secretKeyRef: { name: "paperless", key: "postgres_password" } },
+        secret_key: { secretKeyRef: { name: "paperless", key: "secret_key" } },
+        proxy: {
+            cookie_secret: { secretKeyRef: { name: "paperless-proxy", key: "cookie_secret" } },
+            oidc_secret: { secretKeyRef: { name: "paperless-proxy", key: "oidc_secret" } },
+        },
+    },
+
     local ns = kube.Namespace(cfg.namespace),
 
     redis: redis {
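Review bot: The added `secretRefs::` object has no comment telling an operator what to create, so the inventory the commit message promises still has to be inferred from the field values. I would add a line above it such as `// Secrets (name/key) that must exist in the service's namespace before deploying.` A second comment next to `proxy.cookie_secret` should note that oauth2-proxy only accepts a 16-, 24- or 32-byte cookie secret, since a wrongly sized value fails only at runtime. The Secret names `"paperless"` and `"paperless-proxy"` are literals rather than derived from cfg; that looks intentional, but the same comment should say so. The enclosing object starts and ends outside the hunk.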
@@ -34,7 +44,7 @@
             storageClassName: cfg.storageClassName,
             appName: "paperless",
             image: "redis:6.0",
-            password: { secretKeyRef: { name: "paperless", key: "redis_password" } },
+            password: top.secretRefs.redis_password,
         },
     },
 
@@ -45,7 +55,7 @@
             database: "paperless",
             username: "paperless",
 
-            password: { secretKeyRef: { name: "paperless", key: "postgres_password" } },
+            password: top.secretRefs.postgres_password,
             storageClassName: cfg.storageClassName,
             storageSize: "20Gi",
 
@@ -90,14 +100,14 @@
                                 OAUTH2_PROXY_UPSTREAMS: "http://127.0.0.1:8000",
                                 OAUTH2_PROXY_HTTP_ADDRESS: "0.0.0.0:8001",
 
-                                OAUTH2_PROXY_COOKIE_SECRET: { secretKeyRef: { name: "paperless-proxy", key: "cookie_secret" } },
+                                OAUTH2_PROXY_COOKIE_SECRET: top.secretRefs.proxy.cookie_secret,
 
                                 OAUTH2_PROXY_PROVIDER: "oidc",
                                 OAUTH2_PROXY_OIDC_ISSUER_URL: "https://sso.hackerspace.pl",
                                 OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: "true",
 
                                 OAUTH2_PROXY_CLIENT_ID: "b4859334-140b-432a-81f6-8f3e135e021a",
-                                OAUTH2_PROXY_CLIENT_SECRET: { secretKeyRef: { name: "paperless-proxy", key: "oidc_secret" } },
+                                OAUTH2_PROXY_CLIENT_SECRET: top.secretRefs.proxy.oidc_secret,
 
                                 OAUTH2_PROXY_EMAIL_DOMAINS: "*",
                                 OAUTH2_PROXY_ALLOWED_GROUPS: "zarzad,paperless-admin",
@@ -129,7 +139,7 @@
                                 PAPERLESS_PORT: "8000",
                                 PAPERLESS_URL: "https://%s" % [cfg.domain],
 
-                                PAPERLESS_SECRET_KEY: { secretKeyRef: { name: "paperless", key: "secret_key" } },
+                                PAPERLESS_SECRET_KEY: top.secretRefs.secret_key,
 
                                 A_REDIS_PASSWORD: top.redis.cfg.password,
                                 PAPERLESS_REDIS: "redis://:$(A_REDIS_PASSWORD)@redis:6379",
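Review bot: `A_REDIS_PASSWORD`, two lines below the changed line, still reads `top.redis.cfg.password` while `PAPERLESS_SECRET_KEY` now reads `top.secretRefs.secret_key`, so auditing this container's secrets means following two different paths. Both resolve to the same ref today, and the indirection may be deliberate. If so, a comment such as `// follows redis.cfg.password so client and server always share one Secret` would record that. The enclosing block starts and ends outside the hunk.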