homelab/apps
1
0
Fork 0
mirror of https://github.com/morten-olsen/homelab-apps.git synced 2026-02-08 01:36:28 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
1eaba016440befa40b5e89f84443a3568389a4cf
apps/apps/charts/immich/templates/db-config-job.yaml
Morten Olsen 1eaba01644 fix for immich db password
2026-01-02 14:50:16 +01:00

88 lines
3.2 KiB
YAML
Raw Blame History

apiVersion: batch/v1
kind: Job
metadata:
name: "{{ .Release.Name }}-db-config-generator"
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "5"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
template:
metadata:
annotations:
sidecar.istio.io/inject: "false"
spec:
restartPolicy: OnFailure
serviceAccountName: "{{ .Release.Name }}-db-config-sa"
containers:
- name: generator
image: python:3.11-slim
command:
- /bin/bash
- -c
- |
set -e
# Install kubectl
apt-get update -qq && apt-get install -y -qq curl > /dev/null 2>&1 && \
curl -sSL "https://dl.k8s.io/release/$(curl -sL https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" -o /tmp/kubectl && \
chmod +x /tmp/kubectl && mv /tmp/kubectl /usr/local/bin/kubectl
PASSWORD_B64=$(cat /secrets/password)
# Decode the password (secret is double base64-encoded, Kubernetes auto-decodes first level)
# Then URL encode the password to handle special characters using Python
PASSWORD=$(python3 -c "import base64; import sys; print(base64.b64decode(sys.stdin.read().strip()).decode('utf-8'))" <<< "$PASSWORD_B64")
ENCODED_PASSWORD=$(python3 -c "import urllib.parse; import sys; print(urllib.parse.quote(sys.stdin.read().strip(), safe=''))" <<< "$PASSWORD")
DB_URL="postgresql://immich:${ENCODED_PASSWORD}@{{ .Release.Name }}-postgres.{{ .Release.Namespace }}.svc.cluster.local:5432/immich"
# Create or update the ConfigMap
kubectl create configmap {{ .Release.Name }}-db-config --from-literal=url="${DB_URL}" --dry-run=client -o yaml | kubectl apply -f -
echo "ConfigMap {{ .Release.Name }}-db-config created/updated successfully"
volumeMounts:
- name: postgres-secret
mountPath: /secrets
readOnly: true
volumes:
- name: postgres-secret
secret:
secretName: "{{ .Release.Name }}-postgres-secret"
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: "{{ .Release.Name }}-db-config-sa"
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "-10"
"helm.sh/hook-delete-policy": before-hook-creation
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: "{{ .Release.Name }}-db-config-role"
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "-9"
"helm.sh/hook-delete-policy": before-hook-creation
rules:
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: "{{ .Release.Name }}-db-config-rolebinding"
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "-8"
"helm.sh/hook-delete-policy": before-hook-creation
subjects:
- kind: ServiceAccount
name: "{{ .Release.Name }}-db-config-sa"
roleRef:
kind: Role
name: "{{ .Release.Name }}-db-config-role"
apiGroup: rbac.authorization.k8s.io
Reference in New Issue View Git Blame Copy Permalink