diff --git a/.github/workflows/deploy-pr.yaml b/.github/workflows/deploy-pr.yaml
index 56938bd..8a705b2 100644
--- a/.github/workflows/deploy-pr.yaml
+++ b/.github/workflows/deploy-pr.yaml
@@ -118,7 +118,8 @@ jobs:
 --set frontend_domain_scheme="$FRONTEND_DOMAIN_SCHEME" \
 --set image.digest="$DIGEST" \
 --set-string rabbitmq.password="$RABBITMQ_PASSWORD" \
- --set-string database.password="$DB_PASSWORD"
+ --set-string database.password="$DB_PASSWORD" \
+ --set-string database.encryptionSecret="$PR"
 
 - name: Post preview URLs as PR comment
 uses: actions/github-script@v7
diff --git a/.github/workflows/deploy-prod.yaml b/.github/workflows/deploy-prod.yaml
index 7f99e56..769ff0c 100644
--- a/.github/workflows/deploy-prod.yaml
+++ b/.github/workflows/deploy-prod.yaml
@@ -129,4 +129,5 @@ jobs:
 --set-string oauth.mojeid.clientSecret="$MOJEID_CLIENT_SECRET" \
 --set-string oauth.csas.clientId="$CSAS_CLIENT_ID" \
 --set-string oauth.csas.clientSecret="$CSAS_CLIENT_SECRET" \
- --set-string sentry_dsn="$SENTRY_DSN" \
\ No newline at end of file
+ --set-string sentry_dsn="$SENTRY_DSN" \
+ --set-string database.encryptionSecret="${{ secrets.PROD_DB_ENCRYPTION_KEY }}"
\ No newline at end of file
diff --git a/7project/charts/myapp-chart/templates/app-deployment.yaml b/7project/charts/myapp-chart/templates/app-deployment.yaml
index dc85dbd..02afbfb 100644
--- a/7project/charts/myapp-chart/templates/app-deployment.yaml
+++ b/7project/charts/myapp-chart/templates/app-deployment.yaml
@@ -101,6 +101,11 @@ spec:
 secretKeyRef:
 name: prod
 key: SENTRY_DSN
+ - name: DB_ENCRYPTION_KEY
+ valueFrom:
+ secretKeyRef:
+ name: prod
+ key: DB_ENCRYPTION_KEY
 livenessProbe:
 httpGet:
 path: /
diff --git a/7project/charts/myapp-chart/templates/prod.yaml b/7project/charts/myapp-chart/templates/prod.yaml
index 0b9442d..abb294a 100644
--- a/7project/charts/myapp-chart/templates/prod.yaml
+++ b/7project/charts/myapp-chart/templates/prod.yaml
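Review bot: In deploy-pr.yaml the added `--set-string database.encryptionSecret="$PR"` makes the preview database's encryption key equal to `$PR`, which appears to be the pull-request number (it is defined outside this hunk), so the key is short and guessable by anyone who can see the PR. If a preview environment ever holds imported or realistic data, the encryption there protects nothing. Consider supplying a high-entropy value that stays stable across redeploys of the same preview, for instance through the `env:` mapping that feeds the other variables, and referencing it as `--set-string database.encryptionSecret="$PREVIEW_DB_ENCRYPTION_KEY"` (placeholder name). If the weak value is deliberate for throwaway previews, a comment above the `helm` command should say so.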
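Review bot: In deploy-prod.yaml the added line expands `${{ secrets.PROD_DB_ENCRYPTION_KEY }}` directly inside the shell script, while every other secret in this command arrives as an environment variable (`$SENTRY_DSN`, `$CSAS_CLIENT_SECRET`). With inline expansion the secret text is pasted into the script before the shell parses it, so a key containing `"`, `$` or a backtick would be altered or would break the command. Map it in the `env:` section that supplies the other variables (outside this hunk) as `DB_ENCRYPTION_KEY: ${{ secrets.PROD_DB_ENCRYPTION_KEY }}` and pass `--set-string database.encryptionSecret="$DB_ENCRYPTION_KEY"`. Helm's `--set-string` also gives commas and backslashes special meaning, so the key format should avoid them or escape them.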
@@ -18,3 +18,4 @@ stringData:
 RABBITMQ_PASSWORD: {{ .Values.rabbitmq.password | default "" | quote }}
 RABBITMQ_USERNAME: {{ .Values.rabbitmq.username | quote }}
 SENTRY_DSN: {{ .Values.sentry_dsn | quote }}
+ DB_ENCRYPTION_KEY: {{ required "Set .Values.database.encryptionSecret" .Values.database.encryptionSecret | quote }}
diff --git a/7project/charts/myapp-chart/templates/worker-deployment.yaml b/7project/charts/myapp-chart/templates/worker-deployment.yaml
index 11227d3..fbd5182 100644
--- a/7project/charts/myapp-chart/templates/worker-deployment.yaml
+++ b/7project/charts/myapp-chart/templates/worker-deployment.yaml
@@ -20,7 +20,7 @@ spec:
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
- drop: ["ALL"]
+ drop: [ "ALL" ]
 command:
 - celery
 - -A
@@ -80,3 +80,8 @@ spec:
 secretKeyRef:
 name: prod
 key: CSAS_CLIENT_SECRET
+ - name: DB_ENCRYPTION_KEY
+ valueFrom:
+ secretKeyRef:
+ name: prod
+ key: DB_ENCRYPTION_KEY
diff --git a/7project/charts/myapp-chart/values.yaml b/7project/charts/myapp-chart/values.yaml
index 867728e..d20fa70 100644
--- a/7project/charts/myapp-chart/values.yaml
+++ b/7project/charts/myapp-chart/values.yaml
@@ -75,3 +75,4 @@ database:
 userName: app-demo-user
 secretName: app-demo-database-secret
 password: ""
+ encryptionSecret: ""
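Review bot: In values.yaml the new `encryptionSecret: ""` default carries no comment, yet templates/prod.yaml wraps the value in `required`, so the chart fails to render unless a deploy overrides it. A comment above the key would spare the next maintainer a confusing failure, for example `# Required: set at deploy time with --set-string; never commit a real key here.` It may also be worth noting there that the value presumably has to stay the same across upgrades for existing encrypted data to remain readable, which should be confirmed against the application code.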