use external secrets for password generation

This commit is contained in:
2026-04-14 15:23:02 -05:00
parent 5e4f1f33c8
commit 27801d9f2d
3 changed files with 65 additions and 19 deletions


@@ -20,6 +20,10 @@ if System.get_env("PHX_SERVER") do
config :policy_service, PolicyServiceWeb.Endpoint, server: true config :policy_service, PolicyServiceWeb.Endpoint, server: true
end end
if cookie = System.get_env("RELEASE_COOKIE") do
config :elixir, :cookie, cookie
end
config :policy_service, PolicyServiceWeb.Endpoint, config :policy_service, PolicyServiceWeb.Endpoint,
http: [port: String.to_integer(System.get_env("PORT", "4000"))] http: [port: String.to_integer(System.get_env("PORT", "4000"))]
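Review bot: The new `config :elixir, :cookie, cookie` block does not appear to be consumed by anything — I am not aware of a `:cookie` key in the `:elixir` application's config, and a Mix release's start script already reads `RELEASE_COOKIE` from the environment and hands it to the VM, so the env var the chart now sets is sufficient on its own. If the block is only meant to make the dependency visible, replacing it with a comment such as `# RELEASE_COOKIE is consumed by the release start script; no runtime config needed` would be clearer; if some code really reads this key, name it in a comment so the next reader can find the consumer. Either way, confirm against the release's `bin/policy_service` before relying on it for node distribution.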


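--- a/<nix-file-path-not-shown>
+++ b/<nix-file-path-not-shown>
@@ -32,7 +32,7 @@
 };
 dockerImage = pkgs.dockerTools.buildLayeredImage {
 name = "policy_service";
-contents = [ package pkgs.busybox pkgs.shadow ];
+contents = [ package pkgs.busybox pkgs.shadow beamPackages.mix ];
 config = {
 Cmd = [ "${package}/bin/policy_service" "start" ];
 Entrypoint = [ "/bin/sh" ];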
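Review bot: Adding `beamPackages.mix` to the image `contents` ships the build tool into the runtime image, while the migrate initContainer that would have used it is commented out in the same commit, so nothing visible consumes it; if that is the case, drop it to keep the image minimal. If the aim is to run migrations from the release, a `mix` binary in the image does not make `Mix.Tasks.*` callable — Mix is not part of a release by default — and the usual route is a release module invoked with `bin/policy_service eval "<YourApp>.Release.migrate()"` (constructed example). `beamPackages` is not bound inside this hunk, so I cannot tell from here whether it is in scope in this file.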


@@ -3,22 +3,22 @@ controllers:
enabled: true enabled: true
type: deployment type: deployment
replicas: 1 replicas: 1
initContainers: # initContainers:
migrate: # migrate:
image: # image:
repository: gitea.corredorconect.com/software-engineering/policy-service # repository: gitea.corredorconect.com/software-engineering/policy-service
tag: '{{ $.Chart.AppVersion }}' # tag: '{{ $.Chart.AppVersion }}'
command: # command:
- /bin/sh # - /bin/sh
- -c # - -c
- "mix ecto.create && mix ecto.migrate && mix event_store.create && mix event_store.init" # - "/opt/policy_service/bin/policy_service eval 'Mix.Tasks.Ecto.Create.run([])' --no-start && /opt/policy_service/bin/policy_service eval 'Mix.Tasks.Ecto.Migrate.run([])' --no-start && /opt/policy_service/bin/policy_service eval 'Mix.Tasks.EventStore.Create.run([])' --no-start && /opt/policy_service/bin/policy_service eval 'Mix.Tasks.EventStore.Init.run([])' --no-start"
env: # env:
MIX_ENV: prod # MIX_ENV: prod
DATABASE_URL: # DATABASE_URL:
valueFrom: # valueFrom:
secretKeyRef: # secretKeyRef:
name: policy-service-pg-app # name: policy-service-pg-app
key: uri # key: uri
containers: containers:
main: main:
image: image:
@@ -28,6 +28,16 @@ controllers:
MIX_ENV: prod MIX_ENV: prod
PORT: "8080" PORT: "8080"
PHX_HOST: "0.0.0.0" PHX_HOST: "0.0.0.0"
RELEASE_COOKIE:
valueFrom:
secretKeyRef:
name: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}-secrets'
key: cookie
SECRET_KEY_BASE:
valueFrom:
secretKeyRef:
name: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}-secrets'
key: secretKeyBase
DATABASE_URL: DATABASE_URL:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
@@ -74,9 +84,41 @@ service:
protocol: HTTP protocol: HTTP
# PostgreSQL Cluster - managed externally via CNPG operator
# The secret policy-service-pg-app will be created by CNPG
rawResources: rawResources:
password-generator:
enabled: true
apiVersion: generators.external-secrets.io/v1alpha1
kind: Password
suffix: password-generator
spec:
length: 32
noUpper: false
noDigits: false
allowRepeat: true
secretKeys:
- cookie
- secretKeyBase
external-secret:
enabled: true
apiVersion: external-secrets.io/v1
kind: ExternalSecret
suffix: secrets
spec:
refreshInterval: 0s
secretStoreRef:
name: cluster-secrets-store
kind: ClusterSecretStore
target:
name: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}-secrets'
creationPolicy: Owner
dataFrom:
- sourceRef:
generatorRef:
apiVersion: generators.external-secrets.io/v1alpha1
kind: Password
name: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}-password-generator'
cluster: cluster:
enabled: true enabled: true
apiVersion: postgresql.cnpg.io/v1 apiVersion: postgresql.cnpg.io/v1
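Review bot: `length: 32` in the password-generator spec is too short for the value wired into SECRET_KEY_BASE — Plug's cookie session store raises if `secret_key_base` is shorter than 64 bytes, and Phoenix's generated config documents the same minimum — so the release is likely to fail once it receives the generated value; change it to `length: 64`. I also cannot confirm that the Password generator honours a `secretKeys` list: as far as I know it emits a single `password` key, in which case the `cookie` and `secretKeyBase` keys referenced by the env entries in the previous hunk would not exist in the target secret — verify against the ESO version deployed in the cluster, and if one generator does feed both keys, make sure they do not carry the same value, since that would reuse the node cookie as the session-signing key. `refreshInterval: 0s` is the right choice for a generator source, because any refresh would rotate both values and break clustering and existing sessions; a one-line comment saying so (`# 0s: generate once, never rotate — rotation would invalidate the cookie and sessions`) would stop a later reader from "fixing" it. `secretStoreRef` does not appear to be used by a `generatorRef` source; if it is only there to satisfy a template, it can probably be dropped.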