software-engineering/policy-service
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

use external secrets for password generation
Some checks failed
Build and Publish / build-release (push) Failing after 6s
Details

Browse Source
This commit is contained in:
HaimKortovich
2026-04-14 15:23:02 -05:00
parent 5e4f1f33c8
commit 27801d9f2d
3 changed files with 65 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
config/runtime.exs
View File

@@ -20,6 +20,10 @@ if System.get_env("PHX_SERVER") do
config :policy_service, PolicyServiceWeb.Endpoint, server: true
end
if cookie = System.get_env("RELEASE_COOKIE") do
config :elixir, :cookie, cookie
end
config :policy_service, PolicyServiceWeb.Endpoint,
http: [port: String.to_integer(System.get_env("PORT", "4000"))]

2
flake.nix
View File

@@ -32,7 +32,7 @@
};
dockerImage = pkgs.dockerTools.buildLayeredImage {
name = "policy_service";
contents = [ package pkgs.busybox pkgs.shadow ];
contents = [ package pkgs.busybox pkgs.shadow beamPackages.mix ];
config = {
Cmd = [ "${package}/bin/policy_service" "start" ];
Entrypoint = [ "/bin/sh" ];

78
ops/chart/values.yaml
View File

@@ -3,22 +3,22 @@ controllers:
enabled: true
type: deployment
replicas: 1
initContainers:
migrate:
image:
repository: gitea.corredorconect.com/software-engineering/policy-service
tag: '{{ $.Chart.AppVersion }}'
command:
- /bin/sh
- -c
- "mix ecto.create && mix ecto.migrate && mix event_store.create && mix event_store.init"
env:
MIX_ENV: prod
DATABASE_URL:
valueFrom:
secretKeyRef:
name: policy-service-pg-app
key: uri
# initContainers:
# migrate:
# image:
# repository: gitea.corredorconect.com/software-engineering/policy-service
# tag: '{{ $.Chart.AppVersion }}'
# command:
# - /bin/sh
# - -c
# - "/opt/policy_service/bin/policy_service eval 'Mix.Tasks.Ecto.Create.run([])' --no-start && /opt/policy_service/bin/policy_service eval 'Mix.Tasks.Ecto.Migrate.run([])' --no-start && /opt/policy_service/bin/policy_service eval 'Mix.Tasks.EventStore.Create.run([])' --no-start && /opt/policy_service/bin/policy_service eval 'Mix.Tasks.EventStore.Init.run([])' --no-start"
# env:
# MIX_ENV: prod
# DATABASE_URL:
# valueFrom:
# secretKeyRef:
# name: policy-service-pg-app
# key: uri
containers:
main:
image:
@@ -28,6 +28,16 @@ controllers:
MIX_ENV: prod
PORT: "8080"
PHX_HOST: "0.0.0.0"
RELEASE_COOKIE:
valueFrom:
secretKeyRef:
name: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}-secrets'
key: cookie
SECRET_KEY_BASE:
valueFrom:
secretKeyRef:
name: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}-secrets'
key: secretKeyBase
DATABASE_URL:
valueFrom:
secretKeyRef:
@@ -74,9 +84,41 @@ service:
protocol: HTTP
# PostgreSQL Cluster - managed externally via CNPG operator
# The secret policy-service-pg-app will be created by CNPG
rawResources:
password-generator:
enabled: true
apiVersion: generators.external-secrets.io/v1alpha1
kind: Password
suffix: password-generator
spec:
length: 32
noUpper: false
noDigits: false
allowRepeat: true
secretKeys:
- cookie
- secretKeyBase
external-secret:
enabled: true
apiVersion: external-secrets.io/v1
kind: ExternalSecret
suffix: secrets
spec:
refreshInterval: 0s
secretStoreRef:
name: cluster-secrets-store
kind: ClusterSecretStore
target:
name: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}-secrets'
creationPolicy: Owner
dataFrom:
- sourceRef:
generatorRef:
apiVersion: generators.external-secrets.io/v1alpha1
kind: Password
name: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}-password-generator'
cluster:
enabled: true
apiVersion: postgresql.cnpg.io/v1