app/apps/groombook/overlays/uat/kustomization.yaml
Paperclip 0eda43e930 fix(GRO-451): re-seal UAT secrets with correct cluster certificate
UAT is down (503) because sealed secrets were encrypted with the wrong
key. This commit:

- Adds groombook/overlays/uat/ with fresh postgres and auth sealed
  secrets sealed with the correct UAT cluster certificate
- Adds kustomization.yaml that:
  - Uses correct image tags (2026.04.03-90be1be)
  - Injects all auth env vars from groombook-auth-uat
  - Points to groombook-postgres-credentials-uat
  - Uses UAT hostname (groombook.uat.farh.net)
  - Deletes the base component's postgres-credentials SealedSecret
    (namespace-scoped, not namespace-wide, causes noise in UAT)

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-04 12:27:23 +00:00


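---
# Kustomize overlay for the Groombook UAT environment.
# Builds on ../../base, pins the four application images to one release tag,
# adds the UAT SealedSecrets and patches base resources for UAT.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

# Namespace set on the resources this overlay emits.
namespace: groombook-uat

# A tag is a mutable reference: the registry may serve different content
# under the same tag later. Each entry also accepts a `digest:` field when
# an immutable, content-addressed pin is wanted.
images:
  - name: ghcr.io/groombook/api
    newTag: "2026.04.03-90be1be"
  - name: ghcr.io/groombook/web
    newTag: "2026.04.03-90be1be"
  - name: ghcr.io/groombook/migrate
    newTag: "2026.04.03-90be1be"
  - name: ghcr.io/groombook/seed
    newTag: "2026.04.03-90be1be"

resources:
  - ../../base
  # A SealedSecret can only be unsealed by a controller holding the private
  # key that matches the certificate it was sealed with, so both files must
  # be sealed against the UAT cluster's certificate.
  - postgres-sealed-secret.yaml
  - auth-sealed-secret.yaml

patches:
  # UAT: delete the base postgres-credentials SealedSecret. It comes from
  # the base component ../components/postgres-credentials and is scoped to
  # the groombook namespace (not namespace-wide), which the namespace
  # transformer cannot fix by rewriting it to groombook-uat.
  # `$patch: delete` drops the whole resource from the build output; a
  # JSON6902 `remove` on /metadata strips the object's metadata instead of
  # removing the object.
  - target:
      kind: SealedSecret
      name: groombook-postgres-credentials
    patch: |
      $patch: delete
      apiVersion: bitnami.com/v1alpha1
      kind: SealedSecret
      metadata:
        name: groombook-postgres-credentials

  # UAT: inject auth env vars from groombook-auth-uat sealed secret into API.
  # AUTH_DISABLED is the quoted string "false" (env values must be strings);
  # presumably this keeps authentication enforced in UAT.
  # None of the secretKeyRefs is marked optional, so a missing key or a
  # secret that fails to unseal keeps the container from starting.
  # NOTE(review): JSON6902 `add` on an existing key replaces its value, so
  # if the base Deployment already defines `env` on container 0 those
  # entries are dropped; confirm against ../../base.
  - target:
      kind: Deployment
      name: api
    patch: |
      - op: add
        path: /spec/template/spec/containers/0/env
        value:
          - name: NODE_ENV
            value: production
          - name: AUTH_DISABLED
            value: "false"
          - name: BETTER_AUTH_URL
            valueFrom:
              secretKeyRef:
                name: groombook-auth-uat
                key: BETTER_AUTH_URL
          - name: BETTER_AUTH_SECRET
            valueFrom:
              secretKeyRef:
                name: groombook-auth-uat
                key: BETTER_AUTH_SECRET
          - name: OIDC_ISSUER
            valueFrom:
              secretKeyRef:
                name: groombook-auth-uat
                key: OIDC_ISSUER
          - name: OIDC_CLIENT_ID
            valueFrom:
              secretKeyRef:
                name: groombook-auth-uat
                key: OIDC_CLIENT_ID
          - name: OIDC_CLIENT_SECRET
            valueFrom:
              secretKeyRef:
                name: groombook-auth-uat
                key: OIDC_CLIENT_SECRET
          - name: OIDC_AUDIENCE
            valueFrom:
              secretKeyRef:
                name: groombook-auth-uat
                key: OIDC_AUDIENCE
          - name: OIDC_INTERNAL_BASE
            valueFrom:
              secretKeyRef:
                name: groombook-auth-uat
                key: OIDC_INTERNAL_BASE

  # UAT: single Postgres instance instead of 3, 5Gi of storage, and initdb
  # credentials read from the UAT secret.
  - target:
      kind: Cluster
      name: groombook-postgres
    patch: |
      - op: replace
        path: /spec/instances
        value: 1
      - op: replace
        path: /spec/storage/size
        value: 5Gi
      - op: replace
        path: /spec/bootstrap/initdb/secret/name
        value: groombook-postgres-credentials-uat

  # UAT: use uat hostname for HTTPRoute
  - target:
      kind: HTTPRoute
      name: groombook
    patch: |
      - op: replace
        path: /spec/hostnames
        value:
          - groombook.uat.farh.net

  # UAT: point migrate job at UAT postgres credentials.
  # NOTE(review): the path selects env entry 0 of container 0 by position.
  # If the base Job reorders its env list, a different variable's secret
  # reference is rewritten; confirm entry 0 is the database credential.
  - target:
      kind: Job
      labelSelector: "app.kubernetes.io/name=migrate"
    patch: |
      - op: replace
        path: /spec/template/spec/containers/0/env/0/valueFrom/secretKeyRef/name
        value: groombook-postgres-credentials-uat

  # UAT: point seed job at UAT postgres credentials.
  # NOTE(review): same positional env/0 path as the migrate job; confirm
  # entry 0 of the seed Job's env is the database credential.
  - target:
      kind: Job
      labelSelector: "app.kubernetes.io/name=seed"
    patch: |
      - op: replace
        path: /spec/template/spec/containers/0/env/0/valueFrom/secretKeyRef/name
        value: groombook-postgres-credentials-uat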