From e6139e8263179154fb275f5677c6ac8c8151cebf Mon Sep 17 00:00:00 2001 From: mamutmk5 <3045922+mamutmk5@users.noreply.github.com> Date: Wed, 19 Jun 2024 09:55:36 +0200 Subject: [PATCH] BC-7451 - move all S3 Secrets to one Secret --- .../templates/api-h5p-library-management-cronjob.yml.j2 | 2 ++ .../moin-schule-users-deletion-queueing-cronjob.yml.j2 | 2 ++ .../templates/moin-schule-users-sync-cronjob.yml.j2 | 2 ++ ansible/roles/schulcloud-server-core/tasks/main.yml | 7 +++++++ .../templates/admin-api-server-deployment.yml.j2 | 2 ++ .../templates/amqp-files-deployment.yml.j2 | 2 ++ .../templates/api-delete-s3-files-cronjob.yml.j2 | 2 ++ .../templates/api-files-deployment.yml.j2 | 2 ++ .../templates/api-files-onepassword.yml.j2 | 9 +++++++++ .../templates/api-fwu-deployment.yml.j2 | 2 ++ .../templates/board-collaboration-deployment.yml.j2 | 2 ++ .../templates/common-cartridge-deployment.yml.j2 | 2 ++ .../templates/data-deletion-trigger-cronjob.yml.j2 | 2 ++ .../schulcloud-server-core/templates/deployment.yml.j2 | 2 ++ .../templates/migration-job.yml.j2 | 2 ++ .../templates/preview-generator-deployment.yml.j2 | 2 ++ .../templates/tldraw-delete-files-cronjob.yml.j2 | 2 ++ .../templates/tldraw-deployment.yml.j2 | 2 ++ .../templates/api-h5p-deployment.yml.j2 | 2 ++ .../schulcloud-server-init/templates/job_init.yml.j2 | 2 ++ .../templates/management-deployment.yml.j2 | 2 ++ .../templates/api-ldap-sync-full-cronjob.yml.j2 | 2 ++ .../templates/api-ldap-worker-deployment.yml.j2 | 2 ++ .../templates/deployment.yml.j2 | 2 ++ .../templates/api-tsp-sync-base-cronjob.yml.j2 | 2 ++ .../templates/api-tsp-sync-deployment.yml.j2 | 2 ++ .../templates/api-tsp-sync-school-cronjob.yml.j2 | 2 ++ 27 files changed, 66 insertions(+) create mode 100644 ansible/roles/schulcloud-server-core/templates/api-files-onepassword.yml.j2 
diff --git a/ansible/roles/h5p-library-management/templates/api-h5p-library-management-cronjob.yml.j2 b/ansible/roles/h5p-library-management/templates/api-h5p-library-management-cronjob.yml.j2 index cecf6c2aa78..a3290e08f3e 100644 --- a/ansible/roles/h5p-library-management/templates/api-h5p-library-management-cronjob.yml.j2 +++ b/ansible/roles/h5p-library-management/templates/api-h5p-library-management-cronjob.yml.j2 @@ -44,6 +44,8 @@ spec: name: api-secret - secretRef: name: api-h5p-library-management-secret + - secretRef: + name: api-files-secret volumeMounts: - name: libraries-list mountPath: /schulcloud-server/config/h5p-libraries.yaml diff --git a/ansible/roles/moin-schule-sync/templates/moin-schule-users-deletion-queueing-cronjob.yml.j2 b/ansible/roles/moin-schule-sync/templates/moin-schule-users-deletion-queueing-cronjob.yml.j2 index 8f9ea5eba94..12a9e718085 100644 --- a/ansible/roles/moin-schule-sync/templates/moin-schule-users-deletion-queueing-cronjob.yml.j2 +++ b/ansible/roles/moin-schule-sync/templates/moin-schule-users-deletion-queueing-cronjob.yml.j2 @@ -27,6 +27,8 @@ spec: name: moin-schule-users-deletion-queueing-cronjob-configmap - secretRef: name: moin-schule-sync-secret + - secretRef: + name: api-files-secret command: ['/bin/sh','-c'] args: ['npm run nest:start:deletion-console -- queue unsynced --systemId $SYSTEM_ID'] resources: diff --git a/ansible/roles/moin-schule-sync/templates/moin-schule-users-sync-cronjob.yml.j2 b/ansible/roles/moin-schule-sync/templates/moin-schule-users-sync-cronjob.yml.j2 index d11a061af9b..885d82831ed 100644 --- a/ansible/roles/moin-schule-sync/templates/moin-schule-users-sync-cronjob.yml.j2 +++ b/ansible/roles/moin-schule-sync/templates/moin-schule-users-sync-cronjob.yml.j2 
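Review bot: The added `api-files-secret` reference in the moin-schule deletion-queueing CronJob hands the S3 credentials to a container whose only command is `npm run nest:start:deletion-console -- queue unsynced --systemId $SYSTEM_ID`, which from this hunk queues deletion requests rather than touching object storage. Every pod that receives the secret through `envFrom` is one more place the keys can leak from (environment dumps, crash reports, `kubectl exec`), so the reference belongs only where the process actually needs S3. If the deletion console initialises the S3 client at boot and refuses to start without the variables, keep the reference and make that visible, e.g. `# api-files-secret: deletion console requires the S3 config at startup` above the new `secretRef`; otherwise drop the two added lines. The same question applies to the users-sync CronJob whose file header starts at the end of this line.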
@@ -27,6 +27,8 @@ spec: name: moin-schule-users-sync-cronjob-configmap - secretRef: name: moin-schule-sync-secret + - secretRef: + name: api-files-secret command: ['/bin/sh','-c'] args: ['npm run nest:start:idp-console -- sync users --systemType moin.schule --systemId $SYSTEM_ID'] resources: diff --git a/ansible/roles/schulcloud-server-core/tasks/main.yml b/ansible/roles/schulcloud-server-core/tasks/main.yml index 6d17727669d..5c56903043a 100644 --- a/ansible/roles/schulcloud-server-core/tasks/main.yml +++ b/ansible/roles/schulcloud-server-core/tasks/main.yml @@ -37,6 +37,13 @@ template: onepassword.yml.j2 when: ONEPASSWORD_OPERATOR is defined and ONEPASSWORD_OPERATOR|bool + - name: File Storage Secret by 1Password + kubernetes.core.k8s: + kubeconfig: ~/.kube/config + namespace: "{{ NAMESPACE }}" + template: api-files-onepassword.yml.j2 + when: ONEPASSWORD_OPERATOR is defined and ONEPASSWORD_OPERATOR|bool + - name: Admin Api ingress kubernetes.core.k8s: kubeconfig: ~/.kube/config diff --git a/ansible/roles/schulcloud-server-core/templates/admin-api-server-deployment.yml.j2 b/ansible/roles/schulcloud-server-core/templates/admin-api-server-deployment.yml.j2 index c0d911fb4ca..4a5e7751dca 100644 --- a/ansible/roles/schulcloud-server-core/templates/admin-api-server-deployment.yml.j2 +++ b/ansible/roles/schulcloud-server-core/templates/admin-api-server-deployment.yml.j2 @@ -54,6 +54,8 @@ spec: name: admin-api-server-configmap - secretRef: name: admin-api-server-secret + - secretRef: + name: api-files-secret command: ['npm', 'run', 'nest:start:admin-api-server:prod'] resources: limits: diff --git a/ansible/roles/schulcloud-server-core/templates/amqp-files-deployment.yml.j2 b/ansible/roles/schulcloud-server-core/templates/amqp-files-deployment.yml.j2 index e5d99c0b49f..8902d144c40 100644 --- a/ansible/roles/schulcloud-server-core/templates/amqp-files-deployment.yml.j2 +++ b/ansible/roles/schulcloud-server-core/templates/amqp-files-deployment.yml.j2 
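Review bot: The new `File Storage Secret by 1Password` task in tasks/main.yml is the only place in this patch that creates `api-files-secret`, and it is gated on `ONEPASSWORD_OPERATOR`, while every other template in the patch references the secret unconditionally. On a cluster where that flag is unset, each Deployment, Job and CronJob touched here will fail at pod start with a missing-secret error unless the secret is provisioned by some path not visible in this diff. Either add the alternative provisioning step next to this task or document the requirement, e.g. `# api-files-secret must exist in the namespace; without the 1Password operator it has to be created out-of-band before the workloads below are applied`. Note also that the OnePasswordItem is reconciled asynchronously by the operator, so a first deploy may race it if the workload tasks follow immediately (their position in main.yml is outside this hunk).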
@@ -52,6 +52,8 @@ spec: name: amqp-files-configmap - secretRef: name: amqp-files-secret + - secretRef: + name: api-files-secret command: ['npm', 'run', 'nest:start:files-storage-amqp:prod'] resources: limits: diff --git a/ansible/roles/schulcloud-server-core/templates/api-delete-s3-files-cronjob.yml.j2 b/ansible/roles/schulcloud-server-core/templates/api-delete-s3-files-cronjob.yml.j2 index e376e15ddbd..84d6f11e4fb 100644 --- a/ansible/roles/schulcloud-server-core/templates/api-delete-s3-files-cronjob.yml.j2 +++ b/ansible/roles/schulcloud-server-core/templates/api-delete-s3-files-cronjob.yml.j2 @@ -28,6 +28,8 @@ spec: name: api-configmap - secretRef: name: api-secret + - secretRef: + name: api-files-secret command: ['/bin/sh', '-c'] args: ['npm run nest:start:console -- files cleanup-job 7'] resources: diff --git a/ansible/roles/schulcloud-server-core/templates/api-files-deployment.yml.j2 b/ansible/roles/schulcloud-server-core/templates/api-files-deployment.yml.j2 index 3c0401150a5..f7c263afc85 100644 --- a/ansible/roles/schulcloud-server-core/templates/api-files-deployment.yml.j2 +++ b/ansible/roles/schulcloud-server-core/templates/api-files-deployment.yml.j2 @@ -54,6 +54,8 @@ spec: name: api-configmap - secretRef: name: api-secret + - secretRef: + name: api-files-secret command: ['npm', 'run', 'nest:start:files-storage:prod'] readinessProbe: httpGet: diff --git a/ansible/roles/schulcloud-server-core/templates/api-files-onepassword.yml.j2 b/ansible/roles/schulcloud-server-core/templates/api-files-onepassword.yml.j2 new file mode 100644 index 00000000000..1013deb251c --- /dev/null +++ b/ansible/roles/schulcloud-server-core/templates/api-files-onepassword.yml.j2 @@ -0,0 +1,9 @@ +apiVersion: onepassword.com/v1 +kind: OnePasswordItem +metadata: + name: api-files-secret + namespace: {{ NAMESPACE }} + labels: + app: api-files +spec: + itemPath: "vaults/{{ ONEPASSWORD_OPERATOR_VAULT }}/items/api-files" \ No newline at end of file 
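Review bot: In the new api-files-onepassword.yml.j2, `namespace: {{ NAMESPACE }}` is expanded by Jinja before YAML parsing, so an unquoted value is re-typed by the parser (a numeric-looking or `yes`/`no`-style namespace becomes an int or bool and the manifest is rejected); write `namespace: "{{ NAMESPACE }}"`, matching the quoting already used for `itemPath`. The file also ends without a trailing newline, as the diff marker shows. Because this single item now carries the S3 credentials for every workload in the patch, a comment above `itemPath` naming what the item must contain would help whoever rotates it, e.g. `# Item must provide the S3 environment variables read by every workload that references api-files-secret (BC-7451)`; the exact key names are not visible here and should be filled in from the server config.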
diff --git a/ansible/roles/schulcloud-server-core/templates/api-fwu-deployment.yml.j2 b/ansible/roles/schulcloud-server-core/templates/api-fwu-deployment.yml.j2 index f0fd9fe5c24..0c4d5d6f394 100644 --- a/ansible/roles/schulcloud-server-core/templates/api-fwu-deployment.yml.j2 +++ b/ansible/roles/schulcloud-server-core/templates/api-fwu-deployment.yml.j2 @@ -54,6 +54,8 @@ spec: name: api-configmap - secretRef: name: api-secret + - secretRef: + name: api-files-secret command: ['npm', 'run', 'nest:start:fwu-learning-contents:prod'] readinessProbe: httpGet: diff --git a/ansible/roles/schulcloud-server-core/templates/board-collaboration-deployment.yml.j2 b/ansible/roles/schulcloud-server-core/templates/board-collaboration-deployment.yml.j2 index 4f94b759975..f5073e0914f 100644 --- a/ansible/roles/schulcloud-server-core/templates/board-collaboration-deployment.yml.j2 +++ b/ansible/roles/schulcloud-server-core/templates/board-collaboration-deployment.yml.j2 @@ -59,6 +59,8 @@ spec: name: board-collaboration-configmap - secretRef: name: api-secret + - secretRef: + name: api-files-secret command: ['npm', 'run', 'nest:start:board-collaboration:prod'] resources: limits: diff --git a/ansible/roles/schulcloud-server-core/templates/common-cartridge-deployment.yml.j2 b/ansible/roles/schulcloud-server-core/templates/common-cartridge-deployment.yml.j2 index ff46f6b05fe..b09366736cb 100644 --- a/ansible/roles/schulcloud-server-core/templates/common-cartridge-deployment.yml.j2 +++ b/ansible/roles/schulcloud-server-core/templates/common-cartridge-deployment.yml.j2 @@ -54,6 +54,8 @@ spec: name: common-cartridge-configmap - secretRef: name: common-cartridge-secret + - secretRef: + name: api-files-secret command: ['npm', 'run', 'nest:start:common-cartridge'] resources: limits: 
diff --git a/ansible/roles/schulcloud-server-core/templates/data-deletion-trigger-cronjob.yml.j2 b/ansible/roles/schulcloud-server-core/templates/data-deletion-trigger-cronjob.yml.j2 index 3acda9ad4cf..7f350b86c97 100644 --- a/ansible/roles/schulcloud-server-core/templates/data-deletion-trigger-cronjob.yml.j2 +++ b/ansible/roles/schulcloud-server-core/templates/data-deletion-trigger-cronjob.yml.j2 @@ -37,6 +37,8 @@ spec: name: data-deletion-trigger-cronjob-configmap - secretRef: name: admin-api-client-secret + - secretRef: + name: api-files-secret command: ['/bin/sh', '-c'] args: ['npm run nest:start:deletion-console -- execution trigger'] resources: diff --git a/ansible/roles/schulcloud-server-core/templates/deployment.yml.j2 b/ansible/roles/schulcloud-server-core/templates/deployment.yml.j2 index 44cdea89a2c..83fe41b0adb 100644 --- a/ansible/roles/schulcloud-server-core/templates/deployment.yml.j2 +++ b/ansible/roles/schulcloud-server-core/templates/deployment.yml.j2 @@ -57,6 +57,8 @@ spec: name: api-configmap - secretRef: name: api-secret + - secretRef: + name: api-files-secret readinessProbe: httpGet: path: /internal/health diff --git a/ansible/roles/schulcloud-server-core/templates/migration-job.yml.j2 b/ansible/roles/schulcloud-server-core/templates/migration-job.yml.j2 index 09b59075ec1..f9b76dc34a7 100644 --- a/ansible/roles/schulcloud-server-core/templates/migration-job.yml.j2 +++ b/ansible/roles/schulcloud-server-core/templates/migration-job.yml.j2 @@ -20,6 +20,8 @@ spec: name: api-configmap - secretRef: name: api-secret + - secretRef: + name: api-files-secret command: ['/bin/sh','-c'] args: ['npm run ensureIndexes && npm run migration:up'] resources: diff --git a/ansible/roles/schulcloud-server-core/templates/preview-generator-deployment.yml.j2 b/ansible/roles/schulcloud-server-core/templates/preview-generator-deployment.yml.j2 index 1297956c9f3..ba72d275c75 100644 --- a/ansible/roles/schulcloud-server-core/templates/preview-generator-deployment.yml.j2 
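Review bot: In the main server deployment.yml.j2 hunk, `api-files-secret` is listed after `api-secret` in `envFrom`, so any key present in both is taken from `api-files-secret`; if the S3 variables were not removed from `api-secret` at the same time, the old values keep living in the cluster while being silently shadowed. This patch does not touch the contents of `api-secret`, so either confirm it no longer holds the S3 keys or pull them out in the same change, so that rotating the `api-files` item is the only place the credentials exist. Conversely, a key missing from the new item would fall back to the stale `api-secret` value without any error. A comment on the new lines makes the intent auditable: `# S3 credentials come from api-files-secret only; do not duplicate them in api-secret`.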
+++ b/ansible/roles/schulcloud-server-core/templates/preview-generator-deployment.yml.j2 @@ -50,6 +50,8 @@ spec: name: preview-generator-configmap - secretRef: name: preview-generator-secret + - secretRef: + name: api-files-secret command: ['npm', 'run', 'nest:start:preview-generator-amqp:prod'] resources: limits: diff --git a/ansible/roles/schulcloud-server-core/templates/tldraw-delete-files-cronjob.yml.j2 b/ansible/roles/schulcloud-server-core/templates/tldraw-delete-files-cronjob.yml.j2 index 6975c9bc728..80b8e5e5e41 100644 --- a/ansible/roles/schulcloud-server-core/templates/tldraw-delete-files-cronjob.yml.j2 +++ b/ansible/roles/schulcloud-server-core/templates/tldraw-delete-files-cronjob.yml.j2 @@ -28,6 +28,8 @@ spec: name: api-configmap - secretRef: name: api-secret + - secretRef: + name: api-files-secret command: ['/bin/sh', '-c'] args: ['npm run nest:start:tldraw-console -- files deletion-job 24'] resources: diff --git a/ansible/roles/schulcloud-server-core/templates/tldraw-deployment.yml.j2 b/ansible/roles/schulcloud-server-core/templates/tldraw-deployment.yml.j2 index 7b45df2357a..f6f8783dc13 100644 --- a/ansible/roles/schulcloud-server-core/templates/tldraw-deployment.yml.j2 +++ b/ansible/roles/schulcloud-server-core/templates/tldraw-deployment.yml.j2 @@ -62,6 +62,8 @@ spec: name: api-secret - secretRef: name: tldraw-server-secret + - secretRef: + name: api-files-secret command: ['npm', 'run', 'nest:start:tldraw:prod'] resources: limits: diff --git a/ansible/roles/schulcloud-server-h5p/templates/api-h5p-deployment.yml.j2 b/ansible/roles/schulcloud-server-h5p/templates/api-h5p-deployment.yml.j2 index f24a4ee0ae7..5bed585e511 100644 --- a/ansible/roles/schulcloud-server-h5p/templates/api-h5p-deployment.yml.j2 +++ b/ansible/roles/schulcloud-server-h5p/templates/api-h5p-deployment.yml.j2 
@@ -56,6 +56,8 @@ spec: name: api-secret - secretRef: name: api-h5p-editor-secret + - secretRef: + name: api-files-secret command: ['npm', 'run', 'nest:start:h5p:prod'] readinessProbe: httpGet: diff --git a/ansible/roles/schulcloud-server-init/templates/job_init.yml.j2 b/ansible/roles/schulcloud-server-init/templates/job_init.yml.j2 index 25b3b0fc631..b6c777a1ef2 100644 --- a/ansible/roles/schulcloud-server-init/templates/job_init.yml.j2 +++ b/ansible/roles/schulcloud-server-init/templates/job_init.yml.j2 @@ -15,6 +15,8 @@ spec: name: api-configmap - secretRef: name: api-secret + - secretRef: + name: api-files-secret env: - name: K8S_NAMESPACE valueFrom: diff --git a/ansible/roles/schulcloud-server-init/templates/management-deployment.yml.j2 b/ansible/roles/schulcloud-server-init/templates/management-deployment.yml.j2 index e76ac009555..1fc3b3f0af2 100644 --- a/ansible/roles/schulcloud-server-init/templates/management-deployment.yml.j2 +++ b/ansible/roles/schulcloud-server-init/templates/management-deployment.yml.j2 @@ -53,6 +53,8 @@ spec: name: api-configmap - secretRef: name: api-secret + - secretRef: + name: api-files-secret command: ['npm', 'run', 'nest:start:management:prod'] readinessProbe: httpGet: diff --git a/ansible/roles/schulcloud-server-ldapsync/templates/api-ldap-sync-full-cronjob.yml.j2 b/ansible/roles/schulcloud-server-ldapsync/templates/api-ldap-sync-full-cronjob.yml.j2 index d8b16938b86..41a4d21c783 100644 --- a/ansible/roles/schulcloud-server-ldapsync/templates/api-ldap-sync-full-cronjob.yml.j2 +++ b/ansible/roles/schulcloud-server-ldapsync/templates/api-ldap-sync-full-cronjob.yml.j2 @@ -28,6 +28,8 @@ spec: name: api-configmap - secretRef: name: api-secret + - secretRef: + name: api-files-secret command: ['/schulcloud-server/scripts/ldapSync.sh'] resources: limits: 
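Review bot: The full LDAP sync CronJob runs `/schulcloud-server/scripts/ldapSync.sh` and, from this hunk, shows no need for object-storage credentials, yet it now inherits all of `api-files-secret` via `envFrom`. The LDAP sync already carries directory credentials, so adding S3 keys to the same environment means a single compromised sync run exposes both. Unless the script is known to read or upload files through S3, remove the two added lines here (and in the ldap-worker deployment in the next hunk), keeping the secret scoped to the workloads whose commands visibly involve file storage (`nest:start:files-storage:prod`, `files cleanup-job`, the preview generator). If it is needed, a one-line comment stating why would stop the next reviewer from asking the same question.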
diff --git a/ansible/roles/schulcloud-server-ldapsync/templates/api-ldap-worker-deployment.yml.j2 b/ansible/roles/schulcloud-server-ldapsync/templates/api-ldap-worker-deployment.yml.j2 index f4d6ba016dc..bfcca9e9dd2 100644 --- a/ansible/roles/schulcloud-server-ldapsync/templates/api-ldap-worker-deployment.yml.j2 +++ b/ansible/roles/schulcloud-server-ldapsync/templates/api-ldap-worker-deployment.yml.j2 @@ -53,6 +53,8 @@ spec: name: api-configmap - secretRef: name: api-secret + - secretRef: + name: api-files-secret readinessProbe: httpGet: path: /serverversion diff --git a/ansible/roles/schulcloud-server-migration-system/templates/deployment.yml.j2 b/ansible/roles/schulcloud-server-migration-system/templates/deployment.yml.j2 index 4c032afce64..91859fc969c 100644 --- a/ansible/roles/schulcloud-server-migration-system/templates/deployment.yml.j2 +++ b/ansible/roles/schulcloud-server-migration-system/templates/deployment.yml.j2 @@ -57,6 +57,8 @@ spec: name: api-configmap - secretRef: name: api-secret + - secretRef: + name: api-files-secret readinessProbe: httpGet: path: /internal/health diff --git a/ansible/roles/schulcloud-server-tspsync/templates/api-tsp-sync-base-cronjob.yml.j2 b/ansible/roles/schulcloud-server-tspsync/templates/api-tsp-sync-base-cronjob.yml.j2 index ae71c9b50e4..4e84c9858fe 100644 --- a/ansible/roles/schulcloud-server-tspsync/templates/api-tsp-sync-base-cronjob.yml.j2 +++ b/ansible/roles/schulcloud-server-tspsync/templates/api-tsp-sync-base-cronjob.yml.j2 @@ -24,6 +24,8 @@ spec: envFrom: - secretRef: name: api-secret + - secretRef: + name: api-files-secret command: ['/bin/sh','-c'] args: ['curl -H "X-API-Key: $SYNC_API_KEY" "http://{{ API_TSP_SYNC_SVC|default("api-tsp-sync-svc", true) }}:3030/api/v1/sync?target=tsp-base" | python3 -m json.tool'] restartPolicy: OnFailure 
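Review bot: The container in the tsp-sync-base CronJob only executes `curl -H "X-API-Key: $SYNC_API_KEY" ... | python3 -m json.tool`, so it has no use for the S3 credentials the new `api-files-secret` reference injects into its environment. Exposing object-storage keys to a throwaway shell job that already carries `SYNC_API_KEY` needlessly widens what an attacker gets from a compromised image or a leaked environment dump. Drop the two added lines here and in `api-tsp-sync-school-cronjob.yml.j2` (the last hunk of this patch), which has the same shape. If the intent was uniformity rather than need, a one-line comment in the template would at least make that deliberate choice visible.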
diff --git a/ansible/roles/schulcloud-server-tspsync/templates/api-tsp-sync-deployment.yml.j2 b/ansible/roles/schulcloud-server-tspsync/templates/api-tsp-sync-deployment.yml.j2 index 526b6160384..c38da100fa4 100644 --- a/ansible/roles/schulcloud-server-tspsync/templates/api-tsp-sync-deployment.yml.j2 +++ b/ansible/roles/schulcloud-server-tspsync/templates/api-tsp-sync-deployment.yml.j2 @@ -54,6 +54,8 @@ spec: name: api-configmap - secretRef: name: api-secret + - secretRef: + name: api-files-secret readinessProbe: httpGet: path: /serverversion diff --git a/ansible/roles/schulcloud-server-tspsync/templates/api-tsp-sync-school-cronjob.yml.j2 b/ansible/roles/schulcloud-server-tspsync/templates/api-tsp-sync-school-cronjob.yml.j2 index 75a1e0b35ad..ed29f1fccb1 100644 --- a/ansible/roles/schulcloud-server-tspsync/templates/api-tsp-sync-school-cronjob.yml.j2 +++ b/ansible/roles/schulcloud-server-tspsync/templates/api-tsp-sync-school-cronjob.yml.j2 @@ -24,6 +24,8 @@ spec: envFrom: - secretRef: name: api-secret + - secretRef: + name: api-files-secret command: ['/bin/sh','-c'] args: ['curl -H "X-API-Key: $SYNC_API_KEY" "http://{{ API_TSP_SYNC_SVC|default("api-tsp-sync-svc", true) }}:3030/api/v1/sync?target=tsp-school" | python3 -m json.tool'] restartPolicy: OnFailure