Automated Manifest Update (#4478)

This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow. Reviewed-on: #4478 Co-authored-by: gitea-bot <gitea-bot@alexlebens.net> Co-committed-by: gitea-bot <gitea-bot@alexlebens.net>
2026-03-06 06:27:10 +00:00
parent 7d2c0c912a
commit 896fb526b3
69 changed files with 1902 additions and 246 deletions
--- a/clusters/cl01tl/manifests/postiz/ConfigMap-postiz-valkey-init-scripts.yaml
+++ b/clusters/cl01tl/manifests/postiz/ConfigMap-postiz-valkey-init-scripts.yaml
@@ -23,6 +23,28 @@ data:
    log() {
      echo "$(date) $1" | tee -a "$LOGFILE" >&2
    }
+    # Function to get password for a user
+    # Usage: get_user_password <username> [password_key]
+    # Returns: password via stdout, exits with error if not found
+    get_user_password() {
+      username="$1"
+      password_key="${2:-$username}"
+      password=""
+      # Try to get password from existing secret first (priority)
+      if [ -f "/valkey-users-secret/$password_key" ]; then
+        password=$(cat "/valkey-users-secret/$password_key")
+        log "Using password from existing secret for user $username"
+      elif [ -f "/valkey-auth-secret/${username}-password" ]; then
+        # Fallback to inline password
+        password=$(cat "/valkey-auth-secret/${username}-password")
+        log "Using inline password for user $username"
+      else
+        log "ERROR: No password found for user $username"
+        return 1
+      fi
+
+      echo "$password"
+    }

    # Clean old log if requested
    if [ "${KEEP_OLD_LOGS:-false}" != "true" ]; then
@@ -46,6 +68,37 @@ data:
      echo "bind * -::*"
      echo "dir /data"
    } >>"$VALKEY_CONFIG"
+    # Create secure directory for ACL file
+    log "Creating /etc/valkey directory for ACL file"
+    mkdir -p /etc/valkey
+
+    # Set aclfile path in valkey.conf
+    echo "aclfile /etc/valkey/users.acl" >>"$VALKEY_CONFIG"
+
+    # Remove or reset existing ACL file if present (it may be read-only from previous run)
+    log "Preparing ACL file at /etc/valkey/users.acl"
+    if [ -f /etc/valkey/users.acl ]; then
+      log "Removing existing read-only users.acl file"
+      chmod 0600 /etc/valkey/users.acl
+      rm -f /etc/valkey/users.acl
+    fi
+
+    # Create ACL file with secure permissions
+    touch /etc/valkey/users.acl
+    chmod 0600 /etc/valkey/users.acl
+    # Generate ACL entries for each user
+    log "Generating ACL entries for users"
+
+    # User: default
+    PASSWORD=$(get_user_password "default" "default") || exit 1
+
+    # Hash the password and write ACL entry
+    PASSHASH=$(echo -n "$PASSWORD" | sha256sum | cut -f 1 -d " ")
+    echo "user default on #$PASSHASH ~* &* +@all" >> /etc/valkey/users.acl
+
+    # Set final permissions
+    chmod 0400 /etc/valkey/users.acl
+    log "ACL file created with 0400 permissions"
    # Replica mode configuration
    log "Configuring replication mode"

@@ -73,7 +126,16 @@ data:
        echo "# Replica Configuration"
        echo "replicaof $MASTER_HOST $MASTER_PORT"
        echo "replica-announce-ip postiz-valkey-$POD_INDEX.postiz-valkey-headless.postiz.svc.cluster.local"
+        echo ""
+        echo "# Master authentication"
      } >>"$VALKEY_CONFIG"
+      # Get the password for the replication user
+      REPL_PASSWORD=$(get_user_password "default" "default") || exit 1
+
+      # Write masterauth configuration
+      echo "masterauth $REPL_PASSWORD" >>"$VALKEY_CONFIG"
+      echo "masteruser default" >>"$VALKEY_CONFIG"
+      log "Configured masterauth with user default"
    fi

    # Append extra configs if present