ordinarthur/anydrop
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
anydrop/k8s/secrets.example.yml
ordinarthur 6ba5401c4d
All checks were successful
Build & Deploy / build-and-deploy (push) Successful in 1m11s
Details
chore(infra): point cloud relay at shared cluster MinIO 
Drop the standalone MinIO StatefulSet — the cluster already runs one
in the `minio` namespace, exposed at minio.arthurbarre.fr. Use that
with a scoped anydrop user + bucket instead of spinning up a second
instance.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-20 11:25:19 +02:00

67 lines
2.4 KiB
YAML
Raw Blame History

# ---------------------------------------------------------------------------
# Template for cluster secrets. DO NOT commit the real file.
#
# To create the real secrets on the cluster:
#
# # Postgres — generate a strong password
# POSTGRES_PASSWORD=$(openssl rand -base64 32 | tr -d '=+/')
# kubectl -n anydrop create secret generic postgres-credentials \
# --from-literal=username=anydrop \
# --from-literal=password="$POSTGRES_PASSWORD"
#
# # App secrets — session signing + DB URL
# SESSION_SECRET=$(openssl rand -base64 64 | tr -d '=+/')
# DATABASE_URL="postgres://anydrop:${POSTGRES_PASSWORD}@postgres.anydrop.svc.cluster.local:5432/anydrop"
# kubectl -n anydrop create secret generic anydrop-app-secrets \
# --from-literal=SESSION_SECRET="$SESSION_SECRET" \
# --from-literal=DATABASE_URL="$DATABASE_URL"
#
# # MinIO — reuses the shared cluster MinIO in the `minio` namespace.
# # Create a scoped user + policy on MinIO (one-shot), then store its
# # credentials here. Don't use the MinIO root account.
# # kubectl -n minio exec deploy/minio -- sh -c '
# # mc alias set local http://localhost:9000 "$MINIO_ROOT_USER" "$MINIO_ROOT_PASSWORD"
# # mc mb --ignore-existing local/transfers
# # mc anonymous set none local/transfers
# # mc admin user add local anydrop <STRONG_SECRET>
# # # Attach a policy scoped to the transfers bucket only.
# # '
# kubectl -n anydrop create secret generic minio-credentials \
# --from-literal=access_key="anydrop" \
# --from-literal=secret_key="<STRONG_SECRET>"
#
# Rotate by replacing the secret and restarting the pods:
# kubectl -n anydrop rollout restart deployment/anydrop-server
# ---------------------------------------------------------------------------
apiVersion: v1
kind: Secret
metadata:
name: postgres-credentials
namespace: anydrop
type: Opaque
stringData:
username: anydrop
password: CHANGE_ME_STRONG_PASSWORD
---
apiVersion: v1
kind: Secret
metadata:
name: anydrop-app-secrets
namespace: anydrop
type: Opaque
stringData:
SESSION_SECRET: CHANGE_ME_64_BYTE_RANDOM_STRING
DATABASE_URL: postgres://anydrop:CHANGE_ME@postgres.anydrop.svc.cluster.local:5432/anydrop
---
apiVersion: v1
kind: Secret
metadata:
name: minio-credentials
namespace: anydrop
type: Opaque
stringData:
access_key: CHANGE_ME_ACCESS_KEY
secret_key: CHANGE_ME_SECRET_KEY
Reference in New Issue View Git Blame Copy Permalink