From 733f7ae9cf5ee9cda6348d3037143fffc05ac9e6 Mon Sep 17 00:00:00 2001
From: Manas Srivastava
Date: Thu, 21 May 2026 20:17:49 +0530
Subject: [PATCH] chore(oss-prep): replace dev-default secrets with CHANGE_ME, parametrize MONGO_ADMIN_URI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Per /tmp/oss-plan-2026-05-21/OSS-01-secrets-audit.md + OSS-05-infra-split.md:
- k8s/secrets.yaml: PLATFORM_DB_PASSWORD + CUSTOMER_DB_PASSWORD + MINIO_ROOT_USER + MINIO_ROOT_PASSWORD → CHANGE_ME (were 'instant'/'instant_cust'/'minioadmin'/'minioadmin123' — local-dev convenience defaults that operators MUST replace)
- k8s/data/minio-secret.yaml: same MinIO defaults → CHANGE_ME, comment notes self-hosted MinIO is retired
- k8s/provisioner/deployment.yaml: MONGO_ADMIN_URI inline value 'mongodb://root:root@...' → secretKeyRef pointing at mongodb-admin Secret (matches the pattern every other credential already uses)
- k8s/data/mongodb.yaml: append mongodb-admin Secret stub (with CHANGE_ME placeholder) so the secretKeyRef has a target

This unlocks the infra repo for OSS publication. Note: git history still contains the dev-default values — operator should run `git filter-repo` before publishing if history-clean is required.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .gitignore                      |  3 +++
 k8s/data/minio-secret.yaml      | 10 +++++++---
 k8s/data/mongodb.yaml           | 18 ++++++++++++++++++
 k8s/provisioner/deployment.yaml | 10 +++++++++-
 k8s/secrets.yaml                | 14 +++++++++-----
 5 files changed, 46 insertions(+), 9 deletions(-)

diff --git a/.gitignore b/.gitignore
index 3359b7b..f79d08d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,5 @@
 node_modules/
 k8s/secrets.local.yaml
+
+# Internal Claude Code skills
+.claude/
diff --git a/k8s/data/minio-secret.yaml b/k8s/data/minio-secret.yaml
index 3dc6e8f..c62f605 100644
--- a/k8s/data/minio-secret.yaml
+++ b/k8s/data/minio-secret.yaml
@@ -1,4 +1,8 @@
-# MinIO root credentials — local dev only.
+# MinIO root credentials — legacy local-dev path (in-cluster MinIO retired
+# 2026-05-20). Operators MUST replace placeholders before applying. Local-dev
+# convenience values were here historically; OSS publication requires
+# placeholders so a fresh clone cannot accidentally come up with the same
+# credentials as every other clone.
 # Apply: kubectl apply -f data/minio-secret.yaml
 # The API pod reads these same values from instant-secrets (instant namespace).
 apiVersion: v1
@@ -8,5 +12,5 @@ metadata:
   namespace: instant-data
 type: Opaque
 stringData:
-  MINIO_ROOT_USER: "minioadmin"
-  MINIO_ROOT_PASSWORD: "minioadmin123"
+  MINIO_ROOT_USER: "CHANGE_ME"
+  MINIO_ROOT_PASSWORD: "CHANGE_ME"
diff --git a/k8s/data/mongodb.yaml b/k8s/data/mongodb.yaml
index ca68a40..64b23f4 100644
--- a/k8s/data/mongodb.yaml
+++ b/k8s/data/mongodb.yaml
@@ -72,3 +72,21 @@ spec:
   ports:
     - port: 27017
       targetPort: 27017
+
+---
+# Secret consumed by provisioner deployment as MONGO_ADMIN_URI (added 2026-05-21
+# for OSS prep — was previously inlined in provisioner/deployment.yaml).
+# Operators MUST replace placeholders. The URI format is:
+# mongodb://:@mongodb.instant-data.svc.cluster.local:27017
+# where / match MONGO_INITDB_ROOT_USERNAME/PASSWORD set on
+# the mongodb StatefulSet (see the env vars above in this same file once you
+# template them).
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mongodb-admin
+  namespace: instant-data
+type: Opaque
+stringData:
+  MONGO_ADMIN_URI: "CHANGE_ME"
+
diff --git a/k8s/provisioner/deployment.yaml b/k8s/provisioner/deployment.yaml
index dcf9249..0b39001 100644
--- a/k8s/provisioner/deployment.yaml
+++ b/k8s/provisioner/deployment.yaml
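Review bot: The header comment still instructs `# Apply: kubectl apply -f data/minio-secret.yaml`, so a Secret for a component the same comment says was retired on 2026-05-20 remains an apply-able manifest carrying root credentials. If in-cluster MinIO is gone, the safer move is to delete this file (history keeps it) or move it out of the apply path, rather than publish a placeholder root credential that becomes identical across every clone the moment an operator applies it unchanged. At minimum replace the Apply line with `# DO NOT apply unless you are resurrecting the retired in-cluster MinIO; the API side lives in k8s/secrets.yaml (MINIO_ROOT_*).`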
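Review bot: The new `mongodb-admin` Secret is a second copy of the Mongo root password, and the comment only asks operators to keep it in sync with MONGO_INITDB_ROOT_USERNAME/PASSWORD on the StatefulSet by hand, so a rotation that updates one and not the other silently breaks the provisioner. Consider keying both the StatefulSet env (via secretKeyRef) and this URI off one Secret, or storing `MONGO_ADMIN_USER`/`MONGO_ADMIN_PASSWORD` here and having the StatefulSet reference the same keys. Because the URI embeds the password verbatim, the comment should add `# Percent-encode the password if it contains @ : / ? # or % (RFC 3986), or the URI will not parse.` The StatefulSet env block the comment points at is outside this hunk; the phrase "once you template them" suggests MONGO_INITDB_ROOT_* may still be an inline literal there, which would leave a dev root password in the published file — worth confirming before release. The final `+` blank line also adds a stray empty line at EOF that yamllint will flag.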
@@ -116,8 +116,16 @@ spec:
             value: "k8s"
           - name: REDIS_PROVISION_HOST
             value: "redis-provision.instant-data.svc.cluster.local:6379"
+          # MONGO_ADMIN_URI was historically inlined here as
+          # `mongodb://root:root@...` for local-dev convenience. For OSS
+          # publication it is sourced from a Secret so the manifest contains
+          # no credentials. Operators MUST create the secret before applying;
+          # see infra/k8s/data/mongodb.yaml for the matching Secret template.
           - name: MONGO_ADMIN_URI
-            value: "mongodb://root:root@mongodb.instant-data.svc.cluster.local:27017"
+            valueFrom:
+              secretKeyRef:
+                name: mongodb-admin
+                key: MONGO_ADMIN_URI
           - name: MONGO_HOST
             value: "mongodb.instant-data.svc.cluster.local:27017"
           - name: PROVISIONER_SECRET
diff --git a/k8s/secrets.yaml b/k8s/secrets.yaml
index db8c2ef..78bfb85 100644
--- a/k8s/secrets.yaml
+++ b/k8s/secrets.yaml
@@ -13,8 +13,10 @@ metadata:
   namespace: instant
 type: Opaque
 stringData:
-  PLATFORM_DB_PASSWORD: instant
-  CUSTOMER_DB_PASSWORD: instant_cust
+  # Local-dev convenience values were here historically. For OSS publication
+  # every credential is CHANGE_ME — operators MUST replace before applying.
+  PLATFORM_DB_PASSWORD: "CHANGE_ME"
+  CUSTOMER_DB_PASSWORD: "CHANGE_ME"
   # New Relic license key — rotate via kubectl patch (see comment at top of file).
   # Empty/CHANGE_ME means the Go agent fails open and logs a warning at startup.
   NEW_RELIC_LICENSE_KEY: "CHANGE_ME"
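Review bot: The added comment records the retired dev credential `mongodb://root:root@...` verbatim in a manifest about to be published; `# MONGO_ADMIN_URI was historically an inline dev-default URI` says the same thing without republishing the value, given the commit message already notes history still holds it. The `secretKeyRef` has no `optional: true`, so the container will not start until `mongodb-admin` exists — that is the right fail-closed behaviour and is worth stating in the comment (`# Required Secret: the pod stays in CreateContainerConfigError until it exists, by design.`) so nobody later "fixes" it. Separately, the secret name `mongodb-admin` and the historical `root:root` suggest the provisioner runs as the Mongo root user; a dedicated account scoped to what provisioning actually needs would bound the blast radius of a compromised provisioner pod, though this hunk does not show which privileges it uses. The env list continues on both sides of this hunk.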
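Review bot: `CHANGE_ME` is only recognised as a sentinel on the New Relic path (the existing comment says the agent fails open on it); nothing visible rejects it for PLATFORM_DB_PASSWORD or CUSTOMER_DB_PASSWORD, so an operator who applies this file unchanged gets databases whose password is literally `CHANGE_ME`, identical in every clone — the outcome the commit is trying to prevent. Since `.gitignore` already excludes `k8s/secrets.local.yaml`, document that workflow here, e.g. `# Copy to k8s/secrets.local.yaml, fill in real values there and apply that file; this template must never be applied as-is.`, and have the apply path (Makefile/CI) refuse a Secret that still contains the placeholder, e.g. `grep -q CHANGE_ME k8s/secrets.local.yaml && { echo "unfilled secrets"; exit 1; }`. Generating the Secret with `kubectl create secret generic --from-env-file` from an untracked env file avoids the filled-in-copy-gets-committed failure mode entirely. The Secret's stringData map continues below this hunk.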
@@ -49,9 +51,11 @@ stringData:
   R2_API_TOKEN: "CHANGE_ME"
   R2_ENDPOINT: "CHANGE_ME"
   R2_BUCKET_NAME: "CHANGE_ME"
-  # MinIO credentials (same values as in infra/k8s/data/minio-secret.yaml)
-  MINIO_ROOT_USER: "minioadmin"
-  MINIO_ROOT_PASSWORD: "minioadmin123"
+  # MinIO credentials (same values as in infra/k8s/data/minio-secret.yaml).
+  # Used only by the legacy self-hosted MinIO Deployment, which was retired
+  # 2026-05-20 in favour of DigitalOcean Spaces. Operators MUST replace.
+  MINIO_ROOT_USER: "CHANGE_ME"
+  MINIO_ROOT_PASSWORD: "CHANGE_ME"
   # Comma-separated list of admin user emails (case-insensitive). Empty
   # / unset → admin endpoints reject every caller (closed-by-default).
   # Read by api/internal/middleware/admin.go on every request, no app
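Review bot: If the self-hosted MinIO Deployment was retired on 2026-05-20, keeping MINIO_ROOT_USER/MINIO_ROOT_PASSWORD in the live `instant-secrets` Secret leaves a dead credential that operators will dutifully fill in and that anything with read access to the Secret can harvest; dead keys should be deleted, not placeholdered. minio-secret.yaml's header says the API pod reads these same keys, so confirm the API no longer references MINIO_ROOT_* (or tolerates their absence) before removing them, and until then make the comment say they are unused rather than "MUST replace", e.g. `# Legacy, unused since 2026-05-20 (in-cluster MinIO retired) — leave as CHANGE_ME; object storage is configured via the R2_* keys above.` The comment names DigitalOcean Spaces as the replacement while the live keys are `R2_*`, which reads as Cloudflare R2 — worth reconciling so operators know which endpoint to fill in.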