Migrate secret env variables to k8s Secret object

manifests/polis-secret.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: polis-secret
+type: Opaque
+data:
+  POSTGRES_USER: cG9zdGdyZXM=
+  POSTGRES_DB: cG9saXMtZGV2
+  POSTGRES_PORT: NTQzMg==
+  POSTGRES_HOST: cG9zdGdyZXM6NTQzMg==
+  POSTGRES_PASSWORD: b2lQb3JnM05yejB5cURMRQ==
+  STRIPE_SECRET_KEY: c2tfdGVzdF9ORkJERVRoa3BIQ1lCelhQSnVCbFk4VFc=
+
+  # Note(geoah): This seems to be needed until the following TODO is resolved:
+  # https://github.com/compdemocracy/polis/blob/9a294140bbfc50d5bbb50ce4e474f4ad72541881/server/src/session.ts#L8-L10
+  ENCRYPTION_PASSWORD_00001: UExFQVNFX0NIQU5HRV9NRQ==
+
+  # These may be the deprecated settings for submitting web requests to the math worker
+  WEBSERVER_USERNAME: d3MtdXNlcg==
+  WEBSERVER_PASS: d3MtcGFzcw==

manifests/polis-server.yaml

@@ -10,27 +10,16 @@ data:
 
   # Database
   READ_ONLY_DATABASE_URL: ""
-  POSTGRES_DB: "polis-dev"
-  POSTGRES_PORT: "5432"
-  POSTGRES_HOST: "postgres:5432"
-  POSTGRES_USER: "postgres"
-  POSTGRES_PASSWORD: "oiPorg3Nrz0yqDLE"
-  DATABASE_URL: postgres://postgres:oiPorg3Nrz0yqDLE@postgres:5432/polis-dev
   POSTGRES_DOCKER: "true"
-
   DATABASE_FOR_READS_NAME: DATABASE_URL
 
-  # These may be the deprecated settings for submitting web requests to the math worker
-  WEBSERVER_USERNAME: ws-user
-  WEBSERVER_PASS: ws-pass
-
   # Set to `false` for production
   DEV_MODE: "true"
 
   # Set the domain name; make sure this matches what"s running on math node
-  DOMAIN_OVERRIDE: polisserver.com
-  API_DEV_HOSTNAME: polisserver.com
-  API_PROD_HOSTNAME: polisserver.com
+  DOMAIN_OVERRIDE: polis.local
+  API_DEV_HOSTNAME: polis.local
+  API_PROD_HOSTNAME: polis.local
 
   # Options: prod, preprod, dev
   MATH_ENV: dev
@@ -54,11 +43,6 @@ data:
 
   # These pieces of functionality will likely be removed in the near future
   DISABLE_INTERCOM: "true"
-  STRIPE_SECRET_KEY: sk_test_NFBDEThkpHCYBzXPJuBlY8TW
-
-  # Note(geoah): This seems to be needed until the following TODO is resolved:
-  # https://github.com/compdemocracy/polis/blob/9a294140bbfc50d5bbb50ce4e474f4ad72541881/server/src/session.ts#L8-L10
-  ENCRYPTION_PASSWORD_00001: "PLEASE-CHANGE-ME"
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -76,6 +60,39 @@ spec:
       containers:
         - image: docker.io/compdem/polis-server:dev
           name: polis-server
+          env:
+          - name: POSTGRES_DB
+            valueFrom:
+              secretKeyRef:
+                name: polis-secret
+                key: POSTGRES_DB
+          - name: POSTGRES_USER
+            valueFrom:
+              secretKeyRef:
+                name: polis-secret
+                key: POSTGRES_USER
+          - name: POSTGRES_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: polis-secret
+                key: POSTGRES_PASSWORD
+          - name: POSTGRES_HOST
+            valueFrom:
+              secretKeyRef:
+                name: polis-secret
+                key: POSTGRES_HOST
+          - name: DATABASE_URL
+            value: postgres://$(POSTGRES_USER):$(POSTGRES_PASSWORD)@$(POSTGRES_HOST)/$(POSTGRES_DB)
+          - name: STRIPE_SECRET_KEY
+            valueFrom:
+              secretKeyRef:
+                name: polis-secret
+                key: STRIPE_SECRET_KEY
+          - name: ENCRYPTION_PASSWORD_00001
+            valueFrom:
+              secretKeyRef:
+                name: polis-secret
+                key: ENCRYPTION_PASSWORD_00001
           envFrom:
           - configMapRef:
               name: polis-server
@@ -107,7 +124,7 @@ metadata:
   name: polis-server
 spec:
   rules:
-    - host: polisserver.com
+    - host: polis.local
       http:
         paths:
           - path: /

manifests/postgres.yaml

@@ -1,16 +1,5 @@
 apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: postgres
-  labels:
-    app: postgres
-data:
-  POSTGRES_DB: polis-dev
-  POSTGRES_USER: postgres
-  POSTGRES_PASSWORD: oiPorg3Nrz0yqDLE
----
 kind: PersistentVolumeClaim
-apiVersion: v1
 metadata:
   name: postgres-pv-claim
   labels:
@@ -42,9 +31,22 @@ spec:
       containers:
       - name: postgres
         image: docker.io/compdem/polis-postgres:dev
-        envFrom:
-        - configMapRef:
-            name: postgres
+        env:
+        - name: POSTGRES_DB
+          valueFrom:
+            secretKeyRef:
+              name: polis-secret
+              key: POSTGRES_DB
+        - name: POSTGRES_USER
+          valueFrom:
+            secretKeyRef:
+              name: polis-secret
+              key: POSTGRES_USER
+        - name: POSTGRES_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: polis-secret
+              key: POSTGRES_PASSWORD
         ports:
         - containerPort: 5432
           name: postgresdb

skaffold.yaml

@@ -24,6 +24,7 @@ build:
       dockerfile: server/Dockerfile
 manifests:
   rawYaml:
+  - manifests/polis-secret.yaml
   - manifests/polis-file-server.yaml
   - manifests/polis-math.yaml
   - manifests/postgres.yaml