fix: Use real kibana secret from github

adskyiproger · adskyiproger · commit 77952b9ab779 · 2025-11-20T19:05:15.000+02:00
diff --git a/.github/TEMPLATES/secret-mapping-deps.yml b/.github/TEMPLATES/secret-mapping-deps.yml
@@ -25,6 +25,9 @@ postgres-admin-user:
   - POSTGRES_USER
   - POSTGRES_PASSWORD
 
+kibana-users-secret:
+  - KIBANA_USERNAME
+  - KIBANA_PASSWORD
 
 # REPLICAS
 
diff --git a/.github/workflows/github-to-k8s-sync-env.yml b/.github/workflows/github-to-k8s-sync-env.yml
@@ -61,6 +61,7 @@ jobs:
 
           # Iterate over all kubernetes secret names in mapping
           for secret_name in $(yq e 'keys | .[]' "$mapping_file"); do
+          skip_manifest=false
           echo "🔧 Generating Secret: $secret_name"
 
           {
@@ -92,9 +93,14 @@ jobs:
               else
                 echo "⚠️  Warning: $github_var not found in env_file → setting $k8s_var as empty" >&2
                 echo "  $k8s_var: ''"
+                skip_manifest=true
               fi
             done
           } > "k8s-secrets/$secret_name.yaml"
+          if [ "$skip_manifest" = true ]; then
+            echo "⚠️  Skipping $secret_name manifest due to missing variables"
+            rm -f "k8s-secrets/$secret_name.yaml"
+          fi
           done
 
           echo "✅ Generated manifests:"
diff --git a/charts/dependencies/templates/kibana-encryption-secret.yaml b/charts/dependencies/templates/kibana-encryption-secret.yaml
diff --git a/charts/dependencies/templates/kibana-secrets.yaml b/charts/dependencies/templates/kibana-secrets.yaml
@@ -0,0 +1,29 @@
+{{- if .Values.monitoring.enabled }}
+{{- $encryption_secret_name := "kibana-encryption-secret" }}
+{{- $encryption_secret := lookup "v1" "Secret" .Release.Namespace $encryption_secret_name }}
+{{- if not $encryption_secret }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $encryption_secret_name }}
+  annotations:
+    "helm.sh/resource-policy": keep
+stringData:
+  KIBANA_ENCRYPTION_KEY: {{ .Values.encryptionKey | default (randAlphaNum 32) }}
+{{- end }}
+
+{{- $user_secret := lookup "v1" "Secret" .Release.Namespace .Values.kibana.users_secret }}
+{{- if not $user_secret }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.kibana.users_secret }}
+  annotations:
+    "helm.sh/resource-policy": keep
+stringData:
+  KIBANA_USERNAME: {{ randAlphaNum 12 | lower }}
+  KIBANA_PASSWORD: {{ randAlphaNum 32 }}
+{{- end }}
+{{- end }}
diff --git a/charts/dependencies/templates/kibana.yaml b/charts/dependencies/templates/kibana.yaml
@@ -70,13 +70,13 @@ spec:
             - name: KIBANA_USERNAME
               valueFrom:
                 secretKeyRef:
-                  name: {{ .Values.elasticsearch.users_secret }}
-                  key: KIBANA_USER_ELASTIC_USERNAME
+                  name: {{ .Values.kibana.users_secret }}
+                  key: KIBANA_USERNAME
             - name: KIBANA_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: {{ .Values.elasticsearch.users_secret }}
-                  key: KIBANA_USER_ELASTIC_PASSWORD
+                  name: {{ .Values.kibana.users_secret }}
+                  key: KIBANA_PASSWORD
             - name: METRICBEAT_ELASTIC_USERNAME
               valueFrom:
                 secretKeyRef:
diff --git a/charts/dependencies/templates/metricbeat.yaml b/charts/dependencies/templates/metricbeat.yaml
@@ -62,13 +62,13 @@ spec:
             - name: KIBANA_USERNAME
               valueFrom:
                 secretKeyRef:
-                  name: elasticsearch-opencrvs-users
-                  key: KIBANA_USER_ELASTIC_USERNAME
+                  name: {{ .Values.kibana.users_secret }}
+                  key: KIBANA_USERNAME
             - name: KIBANA_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: elasticsearch-opencrvs-users
-                  key: KIBANA_USER_ELASTIC_PASSWORD
+                  name: {{ .Values.kibana.users_secret }}
+                  key: KIBANA_PASSWORD
             - name: BEATS_USERNAME
               valueFrom:
                 secretKeyRef:
diff --git a/charts/dependencies/templates/minio-secrets.yaml b/charts/dependencies/templates/minio-secrets.yaml
@@ -6,10 +6,6 @@
 {{- if not $secret }}
 {{- $username := randAlphaNum 16 }}
 {{- $password := randAlphaNum 32 }}
-{{- if $.Values.chart_dev_mode }}
-{{- $username = "minioadmin" }}
-{{- $password = "miniopassword" }}
-{{- end }}
 ---
 apiVersion: v1
 kind: Secret
diff --git a/charts/dependencies/values.yaml b/charts/dependencies/values.yaml
@@ -52,7 +52,6 @@ elasticsearch:
   admin_user_secret_name: elasticsearch-admin-user
   auth_mode: auto
   auth_users:
-    - KIBANA_USER
     - KIBANA_SYSTEM:kibana_system
     - METRICBEAT:beats_system
     - APM:apm_system
@@ -75,7 +74,8 @@ elasticsearch:
 monitoring:
   enabled: false
 
-kibana: {}
+kibana:
+  users_secret: kibana-users-secret
 metricbeat:
   dashboards:
     - kubernetes-e0195ce0-bcaf-11ec-b64f-7dd6e8e82013
@@ -163,7 +163,7 @@ restore:
   backup_server_secret: backup-server-ssh-credentials
   # backup_server_dir: /home/backup/demo
   backup_encryption_secret: restore-encryption-secret
-  
+
   env: {}
 # Priority class for datastore pods to avoid eviction
 priority_class:
