PSA/helm/templates/secret.yaml
Initial import of AlgaPSA codebase from PSA server
Excluded: .git, node_modules, secrets/, compose.env, assemblyscript tgz

Source: /opt/alga-psa on psa.joliet.tech
2026-06-22 16:12:17 -05:00


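{{- /*
Application secrets for the release.

Precedence for every key, highest first:
  1. an explicit value in .Values.secrets.<KEY> (always wins, re-encoded on every render)
  2. the value already stored in the in-cluster Secret of the same name (kept via lookup)
  3. a freshly generated random value -- only for the keys in $generated; keys in
     $optional are omitted when neither an explicit nor an existing value is present.

NOTE: lookup returns an empty result when no cluster is reachable (helm template,
--dry-run), so such renders always show newly generated values; that is not drift.
*/}}
{{- $ns := include "sebastian.namespace" . -}}
{{- $secretName := printf "%s-secrets" (include "sebastian.fullname" .) -}}
{{- $existing := (lookup "v1" "Secret" $ns $secretName) -}}
{{- /* Existing base64 data, or an empty dict on first install / dry-run, so index is always safe. */ -}}
{{- $existingData := $existing.data | default dict -}}
{{- /* Explicit overrides from values; an empty dict when the secrets section is absent. */ -}}
{{- $secrets := .Values.secrets | default dict -}}
{{- /* Keys that must always exist: name -> randAlphaNum length used when nothing else is available. */ -}}
{{- $generated := dict
      "NEXTAUTH_SECRET" 32
      "CRYPTR_KEY" 32
      "TOKEN_SECRET_KEY" 32
      "IMAP_WEBHOOK_SECRET" 48
      "AI_DOCUMENT_API_KEY" 64
      "COLLAB_PERSIST_API_KEY" 64
      "HOCUSPOCUS_JWT_SECRET" 64
-}}
{{- /* Keys that are only written when supplied (values) or already present (cluster). */ -}}
{{- $optional := list
      "stripe_secret_key" "stripe_publishable_key" "stripe_webhook_secret"
      "IPINFO_API_TOKEN"
      "APPLE_IAP_KEY_ID" "APPLE_IAP_ISSUER_ID" "APPLE_IAP_BUNDLE_ID" "APPLE_IAP_PRIVATE_KEY" "APPLE_IAP_ENVIRONMENT"
      "APPLE_SIGN_IN_BUNDLE_ID" "APPLE_SIGN_IN_TEAM_ID" "APPLE_SIGN_IN_KEY_ID" "APPLE_SIGN_IN_PRIVATE_KEY" "APPLE_SIGN_IN_ENCRYPTION_KEY"
      "TEAMS_BOT_APP_ID" "TEAMS_BOT_APP_TENANT_ID" "TEAMS_BOT_APP_PASSWORD"
-}}
apiVersion: v1
kind: Secret
metadata:
  name: {{ $secretName | quote }}
  namespace: {{ $ns | quote }}
  labels:
    {{- include "sebastian.labels" . | nindent 4 }}
  annotations:
    {{- if .Values.setup.applianceBootstrap.enabled }}
    # Appliance (Flux-reconciled): NOT a helm hook. Hook resources are deleted
    # (before-hook-creation) before each re-run, which makes the lookup-based
    # preservation below fail and regenerates NEXTAUTH_SECRET/CRYPTR_KEY/etc. on
    # every reconcile -- silently invalidating the initial admin password hash
    # and any encrypted data. As a regular resource it's preserved across
    # reconciles, so the lookup keeps the originally generated values;
    # resource-policy:keep guards it on uninstall.
    "helm.sh/resource-policy": keep
    {{- else }}
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-weight": "-5"
    {{- end }}
type: Opaque
data:
  {{- /* Always-present keys: explicit value, else preserved, else freshly generated.
         Generating on a missing key also covers keys added to the chart after the
         first install, which would otherwise render as an empty (null) value. */}}
  {{- range $key, $length := $generated }}
  {{- $explicit := index $secrets $key }}
  {{- $kept := index $existingData $key }}
  {{- if $explicit }}
  {{ $key }}: {{ $explicit | toString | b64enc | quote }}
  {{- else if $kept }}
  {{ $key }}: {{ $kept | quote }}
  {{- else }}
  {{ $key }}: {{ randAlphaNum $length | b64enc | quote }}
  {{- end }}
  {{- end }}
  {{- /* Optional keys: explicit value, else preserved, else omitted entirely.
         Preserved values are already base64 and are quoted so an all-digit or
         sign-prefixed encoding cannot be re-typed by the YAML parser. */}}
  {{- range $key := $optional }}
  {{- $explicit := index $secrets $key }}
  {{- $kept := index $existingData $key }}
  {{- if $explicit }}
  {{ $key }}: {{ $explicit | toString | b64enc | quote }}
  {{- else if $kept }}
  {{ $key }}: {{ $kept | quote }}
  {{- end }}
  {{- end }}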