From 57cef36379f60e499a045a188216553dffcc9f89 Mon Sep 17 00:00:00 2001
From: Trey t
Date: Sat, 25 Apr 2026 00:38:37 -0500
Subject: [PATCH] deploy-k3s: align _config.sh::generate_env with live ConfigMap
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
generate_env was missing 5 keys that exist in the live honeydue-config ConfigMap (drift introduced over time by manual kubectl patches): STATIC_DIR, STORAGE_UPLOAD_DIR, STORAGE_BASE_URL, B2_REGION, B2_USE_SSL. Without these, running 03-deploy.sh would silently drop them and break static asset serving + B2 region/TLS. Also: - Move B2_KEY_ID/B2_APP_KEY out of generate_env: they're credentials and belong in honeydue-secrets, not cleartext in the ConfigMap. The api/worker deployments still need to be wired to read them via envFrom: secretRef before B2 uploads will work — pre-existing gap, not caused by this commit. - Use the in-namespace short DNS form for REDIS_URL ('redis:6379') to match what the live cluster has — pods' resolv.conf search path already covers honeydue.svc.cluster.local. - config.yaml.example: add b2_region, b2_use_ssl, upload_dir, base_url, static_dir under storage so a fresh bootstrap sets them correctly. Verified by sourcing _config.sh and diffing generate_env output against `kubectl get cm honeydue-config -o jsonpath='{.data}'`: clean.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 deploy-k3s/config.yaml.example | 5 +++++
 deploy-k3s/scripts/_config.sh | 18 ++++++++++++++----
 2 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/deploy-k3s/config.yaml.example b/deploy-k3s/config.yaml.example
index 3c2c709..712f8e4 100644
--- a/deploy-k3s/config.yaml.example
+++ b/deploy-k3s/config.yaml.example
@@ -72,8 +72,13 @@ storage:
 b2_app_key: ""
 b2_bucket: ""
 b2_endpoint: "" # e.g. s3.us-west-004.backblazeb2.com
+ b2_region: "" # e.g. us-east-005
+ b2_use_ssl: true
 max_file_size: 10485760
 allowed_types: "image/jpeg,image/png,image/gif,image/webp,application/pdf"
+ upload_dir: /app/uploads # filesystem path inside the api container
+ base_url: /uploads # public URL prefix served by the api
+ static_dir: /app/static # static asset path inside the api container
 # --- Worker Schedules (UTC hours) ---
 worker:
diff --git a/deploy-k3s/scripts/_config.sh b/deploy-k3s/scripts/_config.sh
index 09fd558..4bcf4df 100755
--- a/deploy-k3s/scripts/_config.sh
+++ b/deploy-k3s/scripts/_config.sh
@@ -118,8 +118,9 @@ lines = [
 f\"DB_MAX_OPEN_CONNS={db['max_open_conns']}\",
 f\"DB_MAX_IDLE_CONNS={db['max_idle_conns']}\",
 f\"DB_MAX_LIFETIME={db['max_lifetime']}\",
- # Redis (K8s internal DNS — password injected if configured)
- f\"REDIS_URL=redis://{':%s@' % val(rd.get('password')) if rd.get('password') else ''}redis.honeydue.svc.cluster.local:6379/0\",
+ # Redis (in-namespace DNS short form — password injected if configured;
+ # short form works because /etc/resolv.conf in pods searches honeydue.svc.cluster.local)
+ f\"REDIS_URL=redis://{':%s@' % val(rd.get('password')) if rd.get('password') else ''}redis:6379/0\",
 'REDIS_DB=0',
 # Email
 f\"EMAIL_HOST={em['host']}\",
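Review bot: The added `b2_use_ssl: true` in config.yaml.example is the only new storage key without a trailing comment, and it is the one where a wrong value has a security cost. Assuming it toggles TLS to the B2 endpoint (the commit message describes it as B2 TLS), I would document it inline, e.g. `b2_use_ssl: true # TLS to the B2 endpoint; leave true outside local testing`. The same block still lists `b2_app_key` beside these non-secret keys; if 02-setup-secrets.sh reads it from here, a short comment saying it ends up in honeydue-secrets and never in the ConfigMap would match what _config.sh now does. The `storage:` block begins above this hunk.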
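Review bot: The rewritten REDIS_URL line in _config.sh (hunk at -118) still interpolates `rd.get('password')` into a value that, per the commit message, generate_env emits for the honeydue-config ConfigMap, so a configured Redis password is readable with `kubectl get cm` — the same exposure this commit removes for B2_KEY_ID/B2_APP_KEY. I would emit the URL without credentials here, `f\"REDIS_URL=redis://redis:6379/0\",`, and supply the password (or the full URL, if the app only accepts REDIS_URL) from honeydue-secrets. If the password does stay in the URL it should be percent-encoded unless `val()` already does that; `val` is defined outside this hunk, and a password containing `@`, `:` or `/` would otherwise change how the URL parses. The `lines = [` list starts and ends outside the hunk.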
@@ -139,12 +140,21 @@ lines = [
 f\"OVERDUE_REMINDER_HOUR={wk['overdue_reminder_hour']}\",
 f\"DAILY_DIGEST_HOUR={wk['daily_digest_hour']}\",
 # B2 Storage
- f\"B2_KEY_ID={val(st['b2_key_id'])}\",
- f\"B2_APP_KEY={val(st['b2_app_key'])}\",
+ # B2_KEY_ID and B2_APP_KEY are intentionally NOT emitted into the
+ # ConfigMap — they're credentials and belong in honeydue-secrets
+ # (set by 02-setup-secrets.sh). Wire them into the api/worker
+ # deployments via envFrom: secretRef when B2 uploads need to be
+ # active. Leaving them in cleartext here would leak via
+ # `kubectl get cm`.
 f\"B2_BUCKET_NAME={val(st['b2_bucket'])}\",
 f\"B2_ENDPOINT={val(st['b2_endpoint'])}\",
+ f\"B2_REGION={val(st.get('b2_region'))}\",
+ f\"B2_USE_SSL={b(st.get('b2_use_ssl', True))}\",
 f\"STORAGE_MAX_FILE_SIZE={st['max_file_size']}\",
 f\"STORAGE_ALLOWED_TYPES={st['allowed_types']}\",
+ f\"STORAGE_UPLOAD_DIR={val(st.get('upload_dir', '/app/uploads'))}\",
+ f\"STORAGE_BASE_URL={val(st.get('base_url', '/uploads'))}\",
+ f\"STATIC_DIR={val(st.get('static_dir', '/app/static'))}\",
 # Features
 f\"FEATURE_PUSH_ENABLED={b(ft['push_enabled'])}\",
 f\"FEATURE_EMAIL_ENABLED={b(ft['email_enabled'])}\",
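Review bot: `val(st.get('b2_region'))` on the added B2_REGION line hands `None` to `val()` whenever a config.yaml written before this commit has no `b2_region` key, while the STORAGE_UPLOAD_DIR, STORAGE_BASE_URL and STATIC_DIR lines added below it all pass a default. `val` is defined outside this hunk, so it is not visible here whether it turns `None` into an empty string or into the literal text `None`; the REDIS_URL line only calls it after checking the value is set. Making the fallback explicit avoids depending on that: `f\"B2_REGION={val(st.get('b2_region') or '')}\",`. The `lines = [` list starts and ends outside the hunk.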