Changed requiredSecrets to defaultSecrets

2025-12-30 00:03:31 +00:00
parent 2684c46de4
commit 8d62d65d6f
20 changed files with 35 additions and 35 deletions

View File

@@ -34,7 +34,7 @@ defaultConfig:
dbHostname: postgres.postgres.svc.cluster.local dbHostname: postgres.postgres.svc.cluster.local
dbUsername: immich dbUsername: immich
domain: immich.{{ .cloud.domain }} domain: immich.{{ .cloud.domain }}
requiredSecrets: defaultSecrets:
- apps.immich.dbPassword - apps.immich.dbPassword
- apps.postgres.password - apps.postgres.password
``` ```
@@ -47,7 +47,7 @@ Explanation of the fields:
- `icon`: A URL to an icon representing the app. - `icon`: A URL to an icon representing the app.
- `requires`: A list of other apps that this app depends on. Each entry should be the name of another app. - `requires`: A list of other apps that this app depends on. Each entry should be the name of another app.
- `defaultConfig`: A set of default configuration values for the app. When an app is added using `wild-app-add`, these values will be added to the Wild Cloud `config.yaml` file. - `defaultConfig`: A set of default configuration values for the app. When an app is added using `wild-app-add`, these values will be added to the Wild Cloud `config.yaml` file.
- `requiredSecrets`: A list of secrets that must be set in the Wild Cloud `secrets.yaml` file for the app to function properly. These secrets are typically sensitive information like database passwords or API keys. Keys with random values will be generated automatically when the app is added. - `defaultSecrets`: A list of secrets that must be set in the Wild Cloud `secrets.yaml` file for the app to function properly. These secrets are typically sensitive information like database passwords or API keys. Keys with random values will be generated automatically when the app is added.
### Kustomization ### Kustomization
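
Review bot: The `defaultSecrets` bullet keeps the old wording, "A list of secrets that must be set ... for the app to function properly", which describes a requirement rather than a default. Either reword it to say what the new name means (for example, secrets that `wild-app-add` creates with a random value when they are absent) or state explicitly that every listed entry is still mandatory at deploy time, since `deploy_secrets` elsewhere in this commit still exits with "Required secret ... not found" for a missing entry.
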
@@ -168,7 +168,7 @@ Examples of apps with db-init jobs: `gitea`, `codimd`, `immich`, `openproject`
key: apps.appname.dbUrl key: apps.appname.dbUrl
``` ```
Add `apps.appname.dbUrl` to the manifest's `requiredSecrets` and the `wild-app-add` script will generate the complete URL with embedded credentials. Add `apps.appname.dbUrl` to the manifest's `defaultSecrets` and the `wild-app-add` script will generate the complete URL with embedded credentials.
##### Security Context Requirements ##### Security Context Requirements
@@ -198,7 +198,7 @@ For PostgreSQL init jobs, use `runAsUser: 999` (postgres user). For other databa
#### Secrets #### Secrets
Secrets are managed in the `secrets.yaml` file in the Wild Cloud home directory. The app's `manifest.yaml` should list any required secrets under `requiredSecrets`. When the app is added, default secret values will be generated and stored in the `secrets.yaml` file. Secrets are always stored and referenced in the `apps.<app-name>.<secret-name>` yaml path. When `wild-app-deploy` is run, a Secret resource will be created in the Kubernetes cluster with the name `<app-name>-secrets`, containing all secrets defined in the manifest's `requiredSecrets` key. These secrets can then be referenced in the app's Kustomize files using a `secretKeyRef`. Secrets are managed in the `secrets.yaml` file in the Wild Cloud home directory. The app's `manifest.yaml` should list any required secrets under `defaultSecrets`. When the app is added, default secret values will be generated and stored in the `secrets.yaml` file. Secrets are always stored and referenced in the `apps.<app-name>.<secret-name>` yaml path. When `wild-app-deploy` is run, a Secret resource will be created in the Kubernetes cluster with the name `<app-name>-secrets`, containing all secrets defined in the manifest's `defaultSecrets` key. These secrets can then be referenced in the app's Kustomize files using a `secretKeyRef`.
**Important:** Always use the full dotted path from the manifest as the secret key, not just the last segment. For example, to mount a secret in an environment variable, you would use: **Important:** Always use the full dotted path from the manifest as the secret key, not just the last segment. For example, to mount a secret in an environment variable, you would use:
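
Review bot: In the Secrets paragraph, "`<app-name>-secrets`, containing all secrets defined in the manifest's `defaultSecrets` key" means shared credentials are copied into each app's Secret: the immich manifest in this commit lists `apps.postgres.password` and `apps.redis.password` next to its own `apps.immich.dbPassword`. Document that behaviour here and say when an app should list another app's secret, because anything able to read that app's Secret then also holds the shared database password.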

View File

@@ -26,7 +26,7 @@ defaultConfig:
from: "{{ .cloud.smtp.from }}" from: "{{ .cloud.smtp.from }}"
tls: {{ .cloud.smtp.tls }} tls: {{ .cloud.smtp.tls }}
startTls: {{ .cloud.smtp.startTls }} startTls: {{ .cloud.smtp.startTls }}
requiredSecrets: defaultSecrets:
- apps.discourse.adminPassword - apps.discourse.adminPassword
- apps.discourse.dbPassword - apps.discourse.dbPassword
- apps.discourse.dbUrl - apps.discourse.dbUrl

View File

@@ -24,7 +24,7 @@ defaultConfig:
port: "{{ .cloud.smtp.port }}" port: "{{ .cloud.smtp.port }}"
from: "{{ .cloud.smtp.from }}" from: "{{ .cloud.smtp.from }}"
user: "{{ .cloud.smtp.user }}" user: "{{ .cloud.smtp.user }}"
requiredSecrets: defaultSecrets:
- apps.ghost.adminPassword - apps.ghost.adminPassword
- apps.ghost.dbPassword - apps.ghost.dbPassword
- apps.ghost.smtpPassword - apps.ghost.smtpPassword

View File

@@ -20,7 +20,7 @@ Sensitive configuration is stored in the `gitea-secrets` secret and managed by t
- `dbPassword` - Database password - `dbPassword` - Database password
- `smtpPassword` - SMTP authentication password - `smtpPassword` - SMTP authentication password
Secrets are defined in `secrets.yaml` and listed in `manifest.yaml` under `requiredSecrets`. The `wild-app-deploy` command automatically ensures all required secrets exist in the `gitea-secrets` secret before deployment. Secrets are defined in `secrets.yaml` and listed in `manifest.yaml` under `defaultSecrets`. The `wild-app-deploy` command automatically ensures all required secrets exist in the `gitea-secrets` secret before deployment.
### Persistent Configuration (app.ini) ### Persistent Configuration (app.ini)
Gitea manages its own `app.ini` file on persistent storage for: Gitea manages its own `app.ini` file on persistent storage for:
@@ -46,7 +46,7 @@ Gitea manages its own `app.ini` file on persistent storage for:
### Secret Settings ### Secret Settings
1. Edit `secrets.yaml` with your secret values 1. Edit `secrets.yaml` with your secret values
2. Ensure the secret key is listed in `manifest.yaml` under `requiredSecrets` 2. Ensure the secret key is listed in `manifest.yaml` under `defaultSecrets`
3. Run `wild-app-deploy gitea` - this will automatically update the `gitea-secrets` secret and restart the pod 3. Run `wild-app-deploy gitea` - this will automatically update the `gitea-secrets` secret and restart the pod
### Web UI Changes ### Web UI Changes

View File

@@ -25,7 +25,7 @@ defaultConfig:
port: 465 port: 465
from: no-reply@{{ .cloud.domain }} from: no-reply@{{ .cloud.domain }}
user: TBD user: TBD
requiredSecrets: defaultSecrets:
- apps.gitea.adminPassword - apps.gitea.adminPassword
- apps.gitea.dbPassword - apps.gitea.dbPassword
- apps.gitea.secretKey - apps.gitea.secretKey

View File

@@ -19,7 +19,7 @@ defaultConfig:
dbUsername: immich dbUsername: immich
domain: immich.{{ .cloud.domain }} domain: immich.{{ .cloud.domain }}
tlsSecretName: wildcard-wild-cloud-tls tlsSecretName: wildcard-wild-cloud-tls
requiredSecrets: defaultSecrets:
- apps.immich.dbPassword - apps.immich.dbPassword
- apps.postgres.password - apps.postgres.password
- apps.redis.password - apps.redis.password

View File

@@ -22,7 +22,7 @@ defaultConfig:
user: "{{ .cloud.smtp.user }}" user: "{{ .cloud.smtp.user }}"
tls: {{ .cloud.smtp.tls }} tls: {{ .cloud.smtp.tls }}
startTls: {{ .cloud.smtp.startTls }} startTls: {{ .cloud.smtp.startTls }}
requiredSecrets: defaultSecrets:
- apps.keila.secretKeyBase - apps.keila.secretKeyBase
- apps.keila.dbPassword - apps.keila.dbPassword
- apps.keila.dbUrl - apps.keila.dbUrl

View File

@@ -14,7 +14,7 @@ defaultConfig:
dbUser: listmonk dbUser: listmonk
dbSSLMode: disable dbSSLMode: disable
timezone: UTC timezone: UTC
requiredSecrets: defaultSecrets:
- apps.listmonk.dbPassword - apps.listmonk.dbPassword
- apps.listmonk.dbUrl - apps.listmonk.dbUrl
- apps.postgres.password - apps.postgres.password

View File

@@ -16,4 +16,4 @@ defaultConfig:
limits: limits:
memory: 128Mi memory: 128Mi
cpu: 200m cpu: 200m
requiredSecrets: [] defaultSecrets: []

View File

@@ -12,6 +12,6 @@ defaultConfig:
user: mysql user: mysql
timezone: UTC timezone: UTC
enableSSL: false enableSSL: false
requiredSecrets: defaultSecrets:
- apps.mysql.rootPassword - apps.mysql.rootPassword
- apps.mysql.password - apps.mysql.password

View File

@@ -13,5 +13,5 @@ defaultConfig:
# Authentication settings # Authentication settings
enableAuth: true enableAuth: true
enableSignup: false enableSignup: false
requiredSecrets: defaultSecrets:
- apps.openWebui.secretKey - apps.openWebui.secretKey

View File

@@ -27,7 +27,7 @@ defaultConfig:
tlsSecretName: wildcard-wild-cloud-tls tlsSecretName: wildcard-wild-cloud-tls
cacheStore: memcache cacheStore: memcache
railsRelativeUrlRoot: "" railsRelativeUrlRoot: ""
requiredSecrets: defaultSecrets:
- apps.openproject.dbPassword - apps.openproject.dbPassword
- apps.openproject.adminPassword - apps.openproject.adminPassword
- apps.postgres.password - apps.postgres.password

View File

@@ -9,5 +9,5 @@ defaultConfig:
storage: 10Gi storage: 10Gi
image: pgvector/pgvector:pg15 image: pgvector/pgvector:pg15
timezone: UTC timezone: UTC
requiredSecrets: defaultSecrets:
- apps.postgres.password - apps.postgres.password

View File

@@ -7,5 +7,5 @@ defaultConfig:
image: redis:alpine image: redis:alpine
timezone: UTC timezone: UTC
port: 6379 port: 6379
requiredSecrets: defaultSecrets:
- apps.redis.password - apps.redis.password

View File

@@ -18,4 +18,4 @@ defaultConfig:
gpuCount: 1 gpuCount: 1
domain: vllm.{{ .cloud.domain }} domain: vllm.{{ .cloud.domain }}
namespace: llm namespace: llm
requiredSecrets: [] defaultSecrets: []

View File

@@ -109,7 +109,7 @@ mkdir -p "${DEST_APP_DIR}"
# Step 1: Copy manifest.yaml from repository first # Step 1: Copy manifest.yaml from repository first
MANIFEST_FILE="${SOURCE_APP_DIR}/manifest.yaml" MANIFEST_FILE="${SOURCE_APP_DIR}/manifest.yaml"
if [ -f "${MANIFEST_FILE}" ]; then if [ -f "${MANIFEST_FILE}" ]; then
# manifest.yaml is allowed to have gomplate variables in the defaultConfig and requiredSecrets sections. # manifest.yaml is allowed to have gomplate variables in the defaultConfig and defaultSecrets sections.
# We need to use gomplate to process these variables before using yq. # We need to use gomplate to process these variables before using yq.
echo "Processing app manifest." echo "Processing app manifest."
DEST_MANIFEST="${DEST_APP_DIR}/manifest.yaml" DEST_MANIFEST="${DEST_APP_DIR}/manifest.yaml"
@@ -155,7 +155,7 @@ if yq eval '.defaultConfig' "${DEST_MANIFEST}" | grep -q -v '^null$'; then
fi fi
# Scaffold required secrets into .wildcloud/secrets.yaml if they don't exist # Scaffold required secrets into .wildcloud/secrets.yaml if they don't exist
if yq eval '.requiredSecrets' "${DEST_MANIFEST}" | grep -q -v '^null$'; then if yq eval '.defaultSecrets' "${DEST_MANIFEST}" | grep -q -v '^null$'; then
# Ensure .wildcloud/secrets.yaml exists # Ensure .wildcloud/secrets.yaml exists
if [ ! -f "${SECRETS_FILE}" ]; then if [ ! -f "${SECRETS_FILE}" ]; then
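
Review bot: The guard `yq eval '.defaultSecrets' "${DEST_MANIFEST}" | grep -q -v '^null$'` has no fallback for the old key, so a manifest that still declares `requiredSecrets` (for example one maintained outside this repository) now skips this block without any message and gets no secrets scaffolded. Check for `.requiredSecrets` as well and either honour it for a transition period or fail with a message that names the new key.
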
@@ -174,7 +174,7 @@ if yq eval '.requiredSecrets' "${DEST_MANIFEST}" | grep -q -v '^null$'; then
random_secret=$(openssl rand -base64 32 | tr -d "=+/" | cut -c1-32) random_secret=$(openssl rand -base64 32 | tr -d "=+/" | cut -c1-32)
yq eval ".${secret_path} = \"${random_secret}\"" -i "${SECRETS_FILE}" yq eval ".${secret_path} = \"${random_secret}\"" -i "${SECRETS_FILE}"
fi fi
done < <(yq eval '.requiredSecrets[]' "${DEST_MANIFEST}") done < <(yq eval '.defaultSecrets[]' "${DEST_MANIFEST}")
echo "Required secrets declared in app manifest added to '${SECRETS_FILE}'." echo "Required secrets declared in app manifest added to '${SECRETS_FILE}'."
fi fi
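
Review bot: On the `yq eval ".${secret_path} = \"${random_secret}\"" -i "${SECRETS_FILE}"` line, the generated secret is placed in yq's argument list, where other local users can read it from the process table while the command runs, and `secret_path` from the manifest is spliced into the expression without validation. Pass the value through the environment and read it with `strenv()`, and reject any `secret_path` that is not a plain dotted key before building the expression. The closing `echo` still says "Required secrets", which no longer matches the key name.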

View File

@@ -63,14 +63,14 @@ deploy_secrets() {
local app_name="$1" local app_name="$1"
local target_namespace="${2:-${app_name}}" # Default to app name if not specified local target_namespace="${2:-${app_name}}" # Default to app name if not specified
# Check if app has a manifest with requiredSecrets # Check if app has a manifest with defaultSecrets
local manifest_file="apps/${app_name}/manifest.yaml" local manifest_file="apps/${app_name}/manifest.yaml"
if [ ! -f "${manifest_file}" ]; then if [ ! -f "${manifest_file}" ]; then
return 0 return 0
fi fi
# Check if there are required secrets defined # Check if there are required secrets defined
if ! yq eval '.requiredSecrets' "${manifest_file}" | grep -q -v '^null$'; then if ! yq eval '.defaultSecrets' "${manifest_file}" | grep -q -v '^null$'; then
return 0 return 0
fi fi
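
Review bot: In `deploy_secrets`, the `return 0` taken when `.defaultSecrets` is null turns an un-migrated manifest into a silent success: if `apps/${app_name}/manifest.yaml` still uses `requiredSecrets`, the missing-secret check and the "Create/update app secret in cluster" step are both skipped and the deploy carries on. Return an error, or at least print a warning, when `.requiredSecrets` is present and `.defaultSecrets` is not.
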
@@ -89,7 +89,7 @@ deploy_secrets() {
echo "Error: Required secret '${secret_path}' not found in ${SECRETS_FILE} for app '${app_name}'" echo "Error: Required secret '${secret_path}' not found in ${SECRETS_FILE} for app '${app_name}'"
exit 1 exit 1
fi fi
done < <(yq eval '.requiredSecrets[]' "${manifest_file}") done < <(yq eval '.defaultSecrets[]' "${manifest_file}")
# Create/update app secret in cluster # Create/update app secret in cluster
if [ -n "${secret_data}" ]; then if [ -n "${secret_data}" ]; then

View File

@@ -43,7 +43,7 @@ defaultConfig:
storage: 10Gi storage: 10Gi
dbHostname: postgres.postgres.svc.cluster.local dbHostname: postgres.postgres.svc.cluster.local
dbUsername: myapp dbUsername: myapp
requiredSecrets: defaultSecrets:
- apps.myapp.dbPassword - apps.myapp.dbPassword
- apps.postgres.password - apps.postgres.password
``` ```
@@ -55,7 +55,7 @@ requiredSecrets:
- `icon` - A URL to an icon representing the app - `icon` - A URL to an icon representing the app
- `requires` - A list of other apps that this app depends on (each entry should be the name of another app) - `requires` - A list of other apps that this app depends on (each entry should be the name of another app)
- `defaultConfig` - A set of default configuration values for the app (when an app is added using `wild-app-add`, these values will be added to the Wild Cloud `config.yaml` file) - `defaultConfig` - A set of default configuration values for the app (when an app is added using `wild-app-add`, these values will be added to the Wild Cloud `config.yaml` file)
- `requiredSecrets` - A list of secrets that must be set in the Wild Cloud `secrets.yaml` file for the app to function properly (these secrets are typically sensitive information like database passwords or API keys; keys with random values will be generated automatically when the app is added) - `defaultSecrets` - A list of secrets that must be set in the Wild Cloud `secrets.yaml` file for the app to function properly (these secrets are typically sensitive information like database passwords or API keys; keys with random values will be generated automatically when the app is added)
### Kustomization Configuration ### Kustomization Configuration
@@ -354,7 +354,7 @@ spec:
```yaml ```yaml
# In manifest.yaml # In manifest.yaml
requiredSecrets: defaultSecrets:
- apps.myapp.dbUrl - apps.myapp.dbUrl
# Generated secret (by wild-app-add) # Generated secret (by wild-app-add)
@@ -509,7 +509,7 @@ Wild Cloud includes apps for common self-hosted services:
**Manifest Design**: **Manifest Design**:
- Include comprehensive `defaultConfig` for all configurable values - Include comprehensive `defaultConfig` for all configurable values
- List all `requiredSecrets` the app needs - List all `defaultSecrets` the app needs
- Specify dependencies in `requires` field - Specify dependencies in `requires` field
- Use semantic versioning - Use semantic versioning

View File

@@ -247,7 +247,7 @@ wild-secret-set apps.database '{"user":"admin","password":"secret"}'
When you run `wild-app-add`, Wild Cloud automatically generates required secrets: When you run `wild-app-add`, Wild Cloud automatically generates required secrets:
1. **Reads App Manifest**: Identifies `requiredSecrets` list 1. **Reads App Manifest**: Identifies `defaultSecrets` list
2. **Checks Existing Secrets**: Never overwrites existing values 2. **Checks Existing Secrets**: Never overwrites existing values
3. **Generates Missing Secrets**: Creates secure random values 3. **Generates Missing Secrets**: Creates secure random values
4. **Updates secrets.yaml**: Adds new secrets with proper structure 4. **Updates secrets.yaml**: Adds new secrets with proper structure
@@ -255,7 +255,7 @@ When you run `wild-app-add`, Wild Cloud automatically generates required secrets
**Example App Manifest**: **Example App Manifest**:
```yaml ```yaml
name: ghost name: ghost
requiredSecrets: defaultSecrets:
- apps.ghost.dbPassword # Auto-generated if missing - apps.ghost.dbPassword # Auto-generated if missing
- apps.ghost.jwtSecret # Auto-generated if missing - apps.ghost.jwtSecret # Auto-generated if missing
- apps.postgresql.password # Auto-generated if missing (dependency) - apps.postgresql.password # Auto-generated if missing (dependency)

View File

@@ -34,7 +34,7 @@ defaultConfig:
dbHostname: postgres.postgres.svc.cluster.local dbHostname: postgres.postgres.svc.cluster.local
dbUsername: immich dbUsername: immich
domain: immich.{{ .cloud.domain }} domain: immich.{{ .cloud.domain }}
requiredSecrets: defaultSecrets:
- apps.immich.dbPassword - apps.immich.dbPassword
- apps.postgres.password - apps.postgres.password
``` ```
@@ -47,7 +47,7 @@ Explanation of the fields:
- `icon`: A URL to an icon representing the app. - `icon`: A URL to an icon representing the app.
- `requires`: A list of other apps that this app depends on. Each entry should be the name of another app. - `requires`: A list of other apps that this app depends on. Each entry should be the name of another app.
- `defaultConfig`: A set of default configuration values for the app. When an app is added using `wild-app-add`, these values will be added to the Wild Cloud `config.yaml` file. - `defaultConfig`: A set of default configuration values for the app. When an app is added using `wild-app-add`, these values will be added to the Wild Cloud `config.yaml` file.
- `requiredSecrets`: A list of secrets that must be set in the Wild Cloud `secrets.yaml` file for the app to function properly. These secrets are typically sensitive information like database passwords or API keys. Keys with random values will be generated automatically when the app is added. - `defaultSecrets`: A list of secrets that must be set in the Wild Cloud `secrets.yaml` file for the app to function properly. These secrets are typically sensitive information like database passwords or API keys. Keys with random values will be generated automatically when the app is added.
### Kustomization ### Kustomization
@@ -168,7 +168,7 @@ Examples of apps with db-init jobs: `gitea`, `codimd`, `immich`, `openproject`
key: apps.appname.dbUrl key: apps.appname.dbUrl
``` ```
Add `apps.appname.dbUrl` to the manifest's `requiredSecrets` and the `wild-app-add` script will generate the complete URL with embedded credentials. Add `apps.appname.dbUrl` to the manifest's `defaultSecrets` and the `wild-app-add` script will generate the complete URL with embedded credentials.
##### Security Context Requirements ##### Security Context Requirements
@@ -198,7 +198,7 @@ For PostgreSQL init jobs, use `runAsUser: 999` (postgres user). For other databa
#### Secrets #### Secrets
Secrets are managed in the `secrets.yaml` file in the Wild Cloud home directory. The app's `manifest.yaml` should list any required secrets under `requiredSecrets`. When the app is added, default secret values will be generated and stored in the `secrets.yaml` file. Secrets are always stored and referenced in the `apps.<app-name>.<secret-name>` yaml path. When `wild-app-deploy` is run, a Secret resource will be created in the Kubernetes cluster with the name `<app-name>-secrets`, containing all secrets defined in the manifest's `requiredSecrets` key. These secrets can then be referenced in the app's Kustomize files using a `secretKeyRef`. Secrets are managed in the `secrets.yaml` file in the Wild Cloud home directory. The app's `manifest.yaml` should list any required secrets under `defaultSecrets`. When the app is added, default secret values will be generated and stored in the `secrets.yaml` file. Secrets are always stored and referenced in the `apps.<app-name>.<secret-name>` yaml path. When `wild-app-deploy` is run, a Secret resource will be created in the Kubernetes cluster with the name `<app-name>-secrets`, containing all secrets defined in the manifest's `defaultSecrets` key. These secrets can then be referenced in the app's Kustomize files using a `secretKeyRef`.
**Important:** Always use the full dotted path from the manifest as the secret key, not just the last segment. For example, to mount a secret in an environment variable, you would use: **Important:** Always use the full dotted path from the manifest as the secret key, not just the last segment. For example, to mount a secret in an environment variable, you would use:
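
Review bot: The hunks for this file are identical, line for line, to the ones in the first documentation file of this commit, so the same text is being maintained in two places. Keep one copy and reference it from the other; otherwise the next rename has to be applied twice and the two copies can drift apart.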