From 5432d93f85a9c1cda823259a4fe9a559c14e7a28 Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Sun, 4 Aug 2024 14:59:11 +0200
Subject: [PATCH] refactor: Convert configmaps containing secrets to secrets
closes #85
---
kubenix-modules/attic.nix | 19 +++++++++++++++----
kubenix-modules/forgejo/default.nix | 8 ++------
kubenix-modules/hedgedoc.nix | 7 ++++++-
kubenix-modules/immich.nix | 14 ++++++++++++--
4 files changed, 35 insertions(+), 13 deletions(-)
diff --git a/kubenix-modules/attic.nix b/kubenix-modules/attic.nix
index c4e4cf9..7d59c8b 100644
--- a/kubenix-modules/attic.nix
+++ b/kubenix-modules/attic.nix
@@ -40,10 +40,12 @@
generatedConfig = (pkgs.formats.toml { }).generate "attic.toml" atticSettings;
in {
- configMaps.config.data.config = builtins.readFile generatedConfig;
-
secrets = {
- server.stringData.token = "ref+sops://secrets/kubernetes.yaml#attic/jwtToken";
+ server.stringData = {
+ token = "ref+sops://secrets/kubernetes.yaml#attic/jwtToken";
+ config = builtins.readFile generatedConfig;
+ };
+
database.stringData.password = "ref+sops://secrets/kubernetes.yaml#/attic/databasePassword";
};
@@ -54,6 +56,15 @@
component = "website";
};
+ strategy = {
+ type = "RollingUpdate";
+
+ rollingUpdate = {
+ maxSurge = 0;
+ maxUnavailable = 1;
+ };
+ };
+
template = {
metadata.labels = {
app = "attic";
@@ -86,7 +97,7 @@
volumes = {
data.persistentVolumeClaim.claimName = "data";
- config.configMap.name = "config";
+ config.secret.secretName = "server";
};
securityContext = {
diff --git a/kubenix-modules/forgejo/default.nix b/kubenix-modules/forgejo/default.nix
index ea98aaf..74e89f3 100644
--- a/kubenix-modules/forgejo/default.nix
+++ b/kubenix-modules/forgejo/default.nix
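Review bot: The rewritten `token` line keeps the fragment `#attic/jwtToken` without the leading slash, while `database.stringData.password` two lines below and every other ref in this commit use the `#/...` form; if the sops provider treats the two spellings differently, only the `server` Secret would fail to render. Since the line is already being moved, normalise it to `token = "ref+sops://secrets/kubernetes.yaml#/attic/jwtToken";`. The `secrets` set is inside the hunk, but the `let`/`in` block it sits in starts before it.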
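Review bot: The new `strategy` block has nothing to do with the configmap-to-secret conversion the subject describes and carries no comment explaining why `maxSurge = 0; maxUnavailable = 1;` is needed, so a later reader will not connect it to the `data` volume mounted further down in this file. Either split it into its own commit or add a why-comment above it, e.g. `# No surge pod: the data volume presumably cannot be attached to two pods at once — confirm the PVC access mode`. The deployment spec this sits in starts and ends outside the hunk.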
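Review bot: Pointing the `config` volume at the `server` Secret mounts every key of that Secret, so the JWT `token` is now also written as a file into the container's config directory, something the replaced ConfigMap mount did not do. Project only the config key, `config.secret.items = [{ key = "config"; path = "config"; }];` (with whatever file name the volumeMount outside the hunk expects), or keep the rendered config in a Secret of its own as the forgejo change does. Both this mount and the forgejo one also inherit the Secret-volume default file mode 0644, so the files stay readable by every uid in the container; where the securityContext that begins on the hunk's last line runs the process as root or sets fsGroup, `defaultMode = 288;` (0440) tightens that. The `volumes` set is complete inside the hunk; the pod spec around it is not.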
@@ -1,10 +1,6 @@
{ lib, myLib, ... }: {
kubernetes.resources = {
- configMaps = {
- config.data = {
- config = lib.generators.toINI { } (import ./config.nix);
- };
- };
+ secrets.forgejo.stringData.config = lib.generators.toINI { } (import ./config.nix);
deployments.server.spec = {
selector.matchLabels.app = "forgejo";
@@ -55,7 +51,7 @@
volumes = {
data.persistentVolumeClaim.claimName = "data";
- config.configMap.name = "config";
+ config.secret.secretName = "forgejo";
};
};
};
diff --git a/kubenix-modules/hedgedoc.nix b/kubenix-modules/hedgedoc.nix
index b91c0de..7cb68cc 100644
--- a/kubenix-modules/hedgedoc.nix
+++ b/kubenix-modules/hedgedoc.nix
@@ -7,6 +7,7 @@
secrets.hedgedoc.stringData = {
databaseURL = "ref+sops://secrets/kubernetes.yaml#/hedgedoc/databaseURL";
sessionSecret = "ref+sops://secrets/kubernetes.yaml#/hedgedoc/sessionSecret";
+ databasePassword = "ref+sops://secrets/kubernetes.yaml#/hedgedoc/databasePassword";
};
deployments = {
@@ -94,8 +95,12 @@
env = {
POSTGRES_DB.value = "hedgedoc";
POSTGRES_USER.value = "hedgedoc";
- POSTGRES_PASSWORD.value = "ref+sops://secrets/kubernetes.yaml#/hedgedoc/databasePassword";
PGDATA.value = "/pgdata/data";
+
+ POSTGRES_PASSWORD.valueFrom.secretKeyRef = {
+ name = "hedgedoc";
+ key = "databasePassword";
+ };
};
volumeMounts = [{
diff --git a/kubenix-modules/immich.nix b/kubenix-modules/immich.nix
index 63a0cb6..e51297f 100644
--- a/kubenix-modules/immich.nix
+++ b/kubenix-modules/immich.nix
@@ -1,5 +1,7 @@
{ myLib, ... }: {
kubernetes.resources = {
+ secrets.immich.stringData.databasePassword = "ref+sops://secrets/kubernetes.yaml#/immich/databasePassword";
+
deployments = {
immich.spec = {
selector.matchLabels = {
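Review bot: The INI is rendered from `./config.nix`, which the hunk does not show, so whether this conversion actually keeps credentials out of plain-text manifests depends on the sensitive values in that file being `ref+sops://` references that the renderer resolves rather than literals; worth confirming before closing #85 on the strength of this change. A comment on the new line, `# contains credentials (see config.nix); kept in a Secret rather than a ConfigMap`, would record why a whole INI file lives under stringData. The `kubernetes.resources` set continues outside the hunk.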
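Review bot: `databasePassword` is added beside `databaseURL`, which presumably embeds the same password in its connection string; the two sops entries then have to be rotated together, and nothing here records that coupling. A comment on the new line, `# must stay in sync with the password inside databaseURL — verify in secrets/kubernetes.yaml`, keeps it visible. The `secrets.hedgedoc.stringData` set is complete inside the hunk.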
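Review bot: The new `POSTGRES_PASSWORD.valueFrom.secretKeyRef` entry is appended after `PGDATA` instead of where the removed `POSTGRES_PASSWORD.value` line stood, so the credential no longer sits next to `POSTGRES_USER` and `POSTGRES_DB`; Nix attribute sets are unordered, so this is purely a readability point. Moving the block up between `POSTGRES_USER` and `PGDATA` makes the diff read as a one-for-one replacement. The same applies to the `DB_PASSWORD` and `POSTGRES_PASSWORD` blocks in the two immich hunks that follow. The `env` set is complete inside the hunk; the container spec around it is not.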
@@ -37,9 +39,13 @@
REDIS_HOSTNAME.value = "redis.immich.svc.cluster.local";
DB_HOSTNAME.value = "postgres.immich.svc.cluster.local";
DB_USERNAME.value = "postgres";
- DB_PASSWORD.value = "ref+sops://secrets/kubernetes.yaml#/immich/databasePassword";
DB_DATABASE_NAME.value = "immich";
IMMICH_MACHINE_LEARNING_URL.value = "http://ml.immich.svc.cluster.local";
+
+ DB_PASSWORD.valueFrom.secretKeyRef = {
+ name = "immich";
+ key = "databasePassword";
+ };
};
volumeMounts = [{
@@ -155,11 +161,15 @@
securityContext.runAsGroup = 999;
env = {
- POSTGRES_PASSWORD.value = "ref+sops://secrets/kubernetes.yaml#/immich/databasePassword";
POSTGRES_USER.value = "postgres";
POSTGRES_DB.value = "immich";
POSTGRES_INITDB_ARGS.value = "--data-checksums";
PGDATA.value = "/pgdata/data";
+
+ POSTGRES_PASSWORD.valueFrom.secretKeyRef = {
+ name = "immich";
+ key = "databasePassword";
+ };
};
volumeMounts = [{