From 27801d9f2d107482f3e1a61d47b4874ae77bf666 Mon Sep 17 00:00:00 2001
From: HaimKortovich
Date: Tue, 14 Apr 2026 15:23:02 -0500
Subject: [PATCH] use external secrets for password generation

---
 config/runtime.exs    |  4 +++
 flake.nix             |  2 +-
 ops/chart/values.yaml | 78 +++++++++++++++++++++++++++++++++----------
 3 files changed, 65 insertions(+), 19 deletions(-)

diff --git a/config/runtime.exs b/config/runtime.exs
index c9b510f..97f8eb7 100644
--- a/config/runtime.exs
+++ b/config/runtime.exs
@@ -20,6 +20,10 @@ if System.get_env("PHX_SERVER") do
   config :policy_service, PolicyServiceWeb.Endpoint, server: true
 end
 
+if cookie = System.get_env("RELEASE_COOKIE") do
+  config :elixir, :cookie, cookie
+end
+
 config :policy_service, PolicyServiceWeb.Endpoint,
   http: [port: String.to_integer(System.get_env("PORT", "4000"))]
 
diff --git a/flake.nix b/flake.nix
index ea26888..65a7005 100644
--- a/flake.nix
+++ b/flake.nix
@@ -32,7 +32,7 @@
       };
       dockerImage = pkgs.dockerTools.buildLayeredImage {
         name = "policy_service";
-        contents = [ package pkgs.busybox pkgs.shadow ];
+        contents = [ package pkgs.busybox pkgs.shadow beamPackages.mix ];
         config = {
           Cmd = [ "${package}/bin/policy_service" "start" ];
           Entrypoint = [ "/bin/sh" ];
diff --git a/ops/chart/values.yaml b/ops/chart/values.yaml
index 7365a26..1258a03 100644
--- a/ops/chart/values.yaml
+++ b/ops/chart/values.yaml
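Review bot: `config :elixir, :cookie, cookie` is not a configuration key the Elixir runtime or the release scripts read as far as I can tell, so the new `if` block in runtime.exs is most likely a no-op; the release launcher (`bin/policy_service start`, the image's `Cmd`) already takes the distribution cookie from the `RELEASE_COOKIE` environment variable and falls back to `releases/COOKIE`, so the chart-side env injection alone is what actually sets it. If the intent really is to set the cookie from application code, the supported call is `Node.set_cookie(String.to_atom(cookie))` after the node is alive, but that is redundant with the env var; confirm which path is in effect and drop the other rather than keep a config key nothing consumes. Note also that `System.get_env/1` returns `""` for a set-but-empty variable, which is truthy in Elixir, so if the block is kept it should read `if (cookie = System.get_env("RELEASE_COOKIE")) not in [nil, ""] do`.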
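Review bot: Adding `beamPackages.mix` to the image `contents` places the Mix build tool on the production image's filesystem, but it does not make Mix available to the release — `bin/policy_service eval 'Mix.Tasks.Ecto.Migrate.run([])'` (the command in the now-commented initContainer) only works if `:mix` is part of the release's applications, since the release boots in embedded mode from its own `lib/` directory, not from `/bin`. If the goal is running migrations from the release, the usual path is a `PolicyService.Release` module that calls `Ecto.Migrator.with_repo/2` (and the EventStore task modules) and is invoked via `bin/policy_service eval "PolicyService.Release.migrate()"`, which needs no Mix in the image at all. Shipping a build tool, alongside `pkgs.shadow`, in a runtime image also widens what an attacker can use after a container compromise, so drop `beamPackages.mix` unless something else in the image genuinely depends on it.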
@@ -3,22 +3,22 @@ controllers:
     enabled: true
     type: deployment
     replicas: 1
-    initContainers:
-      migrate:
-        image:
-          repository: gitea.corredorconect.com/software-engineering/policy-service
-          tag: '{{ $.Chart.AppVersion }}'
-        command:
-          - /bin/sh
-          - -c
-          - "mix ecto.create && mix ecto.migrate && mix event_store.create && mix event_store.init"
-        env:
-          MIX_ENV: prod
-          DATABASE_URL:
-            valueFrom:
-              secretKeyRef:
-                name: policy-service-pg-app
-                key: uri
+    # initContainers:
+    #   migrate:
+    #     image:
+    #       repository: gitea.corredorconect.com/software-engineering/policy-service
+    #       tag: '{{ $.Chart.AppVersion }}'
+    #     command:
+    #       - /bin/sh
+    #       - -c
+    #       - "/opt/policy_service/bin/policy_service eval 'Mix.Tasks.Ecto.Create.run([])' --no-start && /opt/policy_service/bin/policy_service eval 'Mix.Tasks.Ecto.Migrate.run([])' --no-start && /opt/policy_service/bin/policy_service eval 'Mix.Tasks.EventStore.Create.run([])' --no-start && /opt/policy_service/bin/policy_service eval 'Mix.Tasks.EventStore.Init.run([])' --no-start"
+    #     env:
+    #       MIX_ENV: prod
+    #       DATABASE_URL:
+    #         valueFrom:
+    #           secretKeyRef:
+    #             name: policy-service-pg-app
+    #             key: uri
     containers:
       main:
         image:
@@ -28,6 +28,16 @@ controllers:
           MIX_ENV: prod
           PORT: "8080"
           PHX_HOST: "0.0.0.0"
+          RELEASE_COOKIE:
+            valueFrom:
+              secretKeyRef:
+                name: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}-secrets'
+                key: cookie
+          SECRET_KEY_BASE:
+            valueFrom:
+              secretKeyRef:
+                name: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}-secrets'
+                key: secretKeyBase
           DATABASE_URL:
             valueFrom:
               secretKeyRef:
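Review bot: Commenting out the `migrate` initContainer means the chart no longer runs `ecto.create`/`ecto.migrate` or `event_store.create`/`event_store.init` anywhere, so a fresh deploy of this version starts the service against an unmigrated database, and the commit message ("use external secrets for password generation") does not mention that regression. Either delete the block outright (git history keeps it) and document in the chart how schema migrations are now applied, or re-enable it once a release-side migration entry point exists. The commented text also silently swaps the old `mix ecto.create && …` command for `/opt/policy_service/bin/policy_service eval 'Mix.Tasks.…' --no-start`, which hides an untested command change inside a comment; a short `# disabled: migrations pending a release-safe entry point, see <issue>` comment would at least say why it is off.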
@@ -74,9 +84,41 @@ service:
       protocol: HTTP
 
 
-# PostgreSQL Cluster - managed externally via CNPG operator
-# The secret policy-service-pg-app will be created by CNPG
 rawResources:
+  password-generator:
+    enabled: true
+    apiVersion: generators.external-secrets.io/v1alpha1
+    kind: Password
+    suffix: password-generator
+    spec:
+      length: 32
+      noUpper: false
+      noDigits: false
+      allowRepeat: true
+      secretKeys:
+        - cookie
+        - secretKeyBase
+
+  external-secret:
+    enabled: true
+    apiVersion: external-secrets.io/v1
+    kind: ExternalSecret
+    suffix: secrets
+    spec:
+      refreshInterval: 0s
+      secretStoreRef:
+        name: cluster-secrets-store
+        kind: ClusterSecretStore
+      target:
+        name: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}-secrets'
+        creationPolicy: Owner
+      dataFrom:
+        - sourceRef:
+            generatorRef:
+              apiVersion: generators.external-secrets.io/v1alpha1
+              kind: Password
+              name: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}-password-generator'
+
   cluster:
     enabled: true
     apiVersion: postgresql.cnpg.io/v1
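Review bot: `length: 32` is too short for the value that becomes `SECRET_KEY_BASE`: Plug's cookie session store (`Plug.Session.COOKIE`, Phoenix's default) raises `ArgumentError` unless `secret_key_base` is at least 64 bytes, and `mix phx.gen.secret` emits 64 characters for that reason, so if the endpoint uses that store the first request touching a session will fail; change the generator to `length: 64`. I also cannot find `noDigits` or `secretKeys` in the `generators.external-secrets.io` Password schema I know (`length`, `digits`, `symbols`, `symbolCharacters`, `noUpper`, `allowRepeat`, producing a single `password` key) — if that is right, the unknown fields are pruned or rejected, the target Secret carries a `password` key instead of `cookie`/`secretKeyBase`, and the pods fail with CreateContainerConfigError, so verify against the installed CRD and, if needed, use two generators or a `rewrite` to name the keys. Finally, `refreshInterval: 0s` with `creationPolicy: Owner` is the right pairing to avoid re-rolling the values on every sync, but deleting or recreating the ExternalSecret regenerates both values at once, invalidating every signed session and breaking distribution with any still-running nodes; a `# regenerated only if this ExternalSecret is recreated — rotation invalidates sessions and the distribution cookie` comment on the resource would save the next operator a surprise.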