chore: replace config map with external secret for ietfweb (#501)

* chore: replace config map with external secret for ietfweb * chore: remove admin emails and email hosts and ports from secrets
ietf-tools · Aug 22, 2024 · b388f8b · b388f8b
1 parent 4f5cdb1
commit b388f8b
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 27 deletions.
diff --git a/k8s/iabweb/secrets.yaml b/k8s/iabweb/secrets.yaml
@@ -4,16 +4,14 @@ metadata:
   name: secrets-env
 type: Opaque
 stringData:
-  IABWWW_ADMINS: |-
-    Robert Sparks <rjsparks@nostrum.com>
-    Kesara Rathnayake <kesara@staff.ietf.org>
+  IABWWW_ADMINS: null
 
   IABWWW_ALLOWED_HOSTS: ".iab.org"  # newline-separated list also allowed
   WAGTAILADMIN_BASE_URL: "https://www.iab.org"
 
   # Outgoing email details
-  IABWWW_EMAIL_HOST: "iab.mr.ietf.org"
-  IABWWW_EMAIL_PORT: "10027"
+  IABWWW_EMAIL_HOST: null
+  IABWWW_EMAIL_PORT: null
 
   IABWWW_MATOMO_SITE_ID: null  # must be present to enable Matomo
 

diff --git a/k8s/ietfweb/django-config.yaml b/k8s/ietfweb/django-config.yaml
diff --git a/k8s/ietfweb/kustomization.yaml b/k8s/ietfweb/kustomization.yaml
@@ -8,6 +8,5 @@ configMapGenerator:
       - nginx-default.conf
       - nginx.conf
 resources:
-  - django-config.yaml
   - memcached.yaml
   - wagtail.yaml
diff --git a/k8s/ietfweb/secrets.yaml b/k8s/ietfweb/secrets.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: secrets-env
+type: Opaque
+stringData:
+  IETFWWW_ADMINS: null
+
+  IETFWWW_ALLOWED_HOSTS: ".ietf.org"  # newline-separated list also allowed
+  WAGTAILADMIN_BASE_URL: "https://www.ietf.org"
+
+  # Outgoing email details
+  IETFWWW_EMAIL_HOST: null
+  IETFWWW_EMAIL_PORT: null
+
+  IETFWWW_MATOMO_SITE_ID: null  # must be present to enable Matomo
+
+  # Can also be a newline-separated list
+  IETFWWW_CSRF_TRUSTED_ORIGINS: "https://www.ietf.org"
+
+  # Database connection details - to be fetched from Vault
+  # IETFWWW_DB_HOST: ""
+  # IETFWWW_DB_NAME: ""
+  # IETFWWW_DB_PASS: ""
+  # IETFWWW_DB_PORT: ""
+  # IETFWWW_DB_USER: ""
+
+  # Django secret key - to be fetched from Vault
+  # IETFWWW_DJANGO_SECRET_KEY: ""
diff --git a/k8s/ietfweb/wagtail.yaml b/k8s/ietfweb/wagtail.yaml
@@ -57,8 +57,8 @@ spec:
             - name: "DEPLOY_UID"
               value: "$DEPLOY_UID"
           envFrom:
-            - configMapRef:
-                name: django-config
+            - secretRef:
+                name: ietfwww-secrets-env
           securityContext:
             allowPrivilegeEscalation: false
             capabilities: