2 changes: 2 additions & 0 deletions .github/workflows/__shared-ci.yml
Expand Up @@ -30,9 +30,11 @@ jobs:
with:
helm-repositories: |
bitnami https://charts.bitnami.com/bitnami
jetstack https://charts.jetstack.io
helm-set: |
global.railsSecretKey=\$RAILS_SECRET_KEY
global.signingKey=\$SIGNING_KEY
cert-manager.enabled=true
env:
RAILS_SECRET_KEY: ${{ secrets.RAILS_SECRET_KEY }}
SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -5,6 +5,7 @@

# helm
postal/values-local.yaml
postal/charts/**

# TODO list
.TODO
14 changes: 7 additions & 7 deletions .tool-versions
@@ -1,7 +1,7 @@
github-cli 2.58.0
helm 3.14.3
helm-ct 3.10.1
helm-docs 1.14.2
kubeconform 0.6.4
kubectl 1.30.5
cosign 2.0.2
cosign 2.0.2
github-cli 2.86.0
helm 3.14.3
helm-ct 3.10.1
helm-docs 1.14.2
kubeconform 0.6.4
kubectl 1.30.5
9 changes: 6 additions & 3 deletions postal/Chart.lock
@@ -1,6 +1,9 @@
dependencies:
- name: mariadb
repository: https://charts.bitnami.com/bitnami
version: 16.5.0
digest: sha256:b8d5aaa73ffcafb8792593ee848b85ffc743f4ae221ace5e22e4b18dddd732c8
generated: "2024-12-12T00:39:35.18628+01:00"
version: 24.1.1
- name: cert-manager
repository: https://charts.jetstack.io
version: v1.19.3
digest: sha256:dedc4fe64102ad01f78f2e0d93cfaffbd7838d7003472cf2e5d67e78590bee9a
generated: "2026-02-16T18:22:17.714365+01:00"
6 changes: 5 additions & 1 deletion postal/Chart.yaml
Expand Up @@ -35,5 +35,9 @@ maintainers:
dependencies:
- name: mariadb
repository: https://charts.bitnami.com/bitnami
version: 16.*.*
version: 24.1.1
condition: mariadb.enabled
- name: cert-manager
repository: https://charts.jetstack.io
version: 1.19.3
condition: cert-manager.enabled
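Review bot: Adding `cert-manager` as a subchart means each release of this chart can install its own cert-manager controller, webhooks and (with `crds.enabled`, as the CI values set) cluster-scoped CRDs, which conflicts with a cert-manager already running in the cluster and widens what the installing identity must be allowed to create. The default of `cert-manager.enabled` is not visible here; it should be `false` in `values.yaml`, with a comment next to the dependency such as `# optional: enable only on clusters without cert-manager`. The `mariadb` pin also moves from `16.*.*` to `24.1.1`, a jump across several major versions whose upgrade notes are worth linking in the description.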
2 changes: 0 additions & 2 deletions postal/charts/.gitignore

This file was deleted.

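--- a/postal/ci/00-hack-values.yaml
+++ b/postal/ci/00-hack-values.yaml
@@ -0,0 +1,4 @@
+cert-manager:
+enabled: true
+crds:
+enabled: true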
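--- a/postal/ci/01-base-values.yaml
+++ b/postal/ci/01-base-values.yaml
@@ -0,0 +1,18 @@
+image:
+registry: fake.registry
+
+jobs:
+initialize:
+enable: false
+
+web:
+replicaCount: 0
+
+smtp:
+replicaCount: 0
+
+worker:
+replicaCount: 0
+
+cert-manager:
+enabled: true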
45 changes: 45 additions & 0 deletions postal/ci/02-smtp-tls-values.yaml
@@ -0,0 +1,45 @@
# SECURITY NOTE: These are example values for CI/testing purposes only.
# In production, these values MUST be replaced with actual secrets.
# Consider using environment variables or secret management systems.
global:
# checkov:skip=CKV_SECRET_6:sample value only
railsSecretKey: LvH4wQpMsNbzuXcNIkvedxBLT9VSSXcjC5LbIcGOS0x06ooTLqtAnPradCvAjIHS7hO90KdUSjfY4xtMWPb6SRdSLH03JNest3xVNJx0ORzhtJYaJX9wjqfH6NTAHyEt
# checkov:skip=CKV_SECRET_13:sample value only
signingKey: |
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDSAOXj/qF/TzuP
Ut/ns25uK/jBnIZCwQUJyODksJCRCUU9CUgafZwyyTvox91Es36Xqg/xVfunR/d/
AFiabpqBY2om1Kvi1CvRLiZCiuKAY9zPtTjPqOKnDEcR6fPqq/9cSZaUNOytqBjK
N82bGTlAWXcWauY6kmciyJASkSHNA5/nzoVlmCvcGAHxVQq/SyDSbGOcKBW26ayC
N04peX3hOnOkOm+R6pdg/gnSK3P8NsW3MxP+MugcZGnyUZXysGWRZgh7A7vtrVcp
omMZsdw7KjcJr4z/2gHtogIQU2O6O2nWQZfowVdcNfPsvzumL3XokTOtNSeWxj2u
N8vmToTnAgMBAAECggEAEeDwsYHupuOMew2/sT618pw8v+L/DTTYpHYdK2say7ZB
1knxgQvbnflC5/UIEf7EEs5wMAg1dg7q872ITZGIBub7VRX7EkMk/diTekvPr8WQ
uYBAt3E15qnlbRGBaiO9iFJdhv2gfsJWZfTtRLyXgrJ7MIXmVus665uupF4FxinW
u/vQnxZOp0lNd1y/9wWP9qx5c47H2DVjxtbog5Wbo3GjjUWIEpsJWs/CBSoINhNc
THFKvimVgPOcqz8vhyrobnUJAFEBH4AcDIydrCVBEEpwTKRhs1ww+Asrj+w+Am+/
1TMQfXpnym3KIQx9uaFqHPNFfb6/+6s5/xib2dJZMQKBgQD6tv0+SvFY9znxWp2x
IOQKJzPKfVWhtiLL1mSHmL1jR/WOFzoe8u4oKiYdyATECXGf/5bd4aOIRKxaFnDC
TUYBtoDFqejHlRjAjz280zASd/YB1TTk9LwPtxCF3DDXtuM2qRooCqO1gn7kSwBq
IpLT4H2edj/EA2CvP6V9QY3VVwKBgQDWbjSnZHq+LIO7582cY04bOSkhTCSh+kA2
wjp0C+ZriFlKoiwMQAz6D5YFGE2rhAeur00l01Emgtq+T0dcZ6k4o+JfUQZVS4Qp
AY1EoEGLG7XvjVJhB5Dpdjk5zso/6L5vpsroH4Cz3ejdE7YcdQmvEXzW5PS2lJpb
+DajDBIC8QKBgHoee8fF1T0SXuTS0JCghrLzWWS+G+HCx7wl1528pjMfr9ngMm00
wxBJR3umG7wpJXFbm27EI1WSrajL2WyrGvhmnt6o3juowf+5RccdzwKP8AIAid0j
4B5/esrY7+mCqbXMNHNgi1E0GP62EaOg54fQhx+SVYjyZDu4crFKJv3NAoGBALUD
u3dDn0pDEcHiYPQP8LOSgWIWgSYrt2GCfQ3RreZA5//U/xIoT8wYtDAA4DBV+JZC
bgHsbajw9e+JxVgAOh4SWtrT72C5qwtiv/qavjnMXr2ms1AtrusmXhCqvJlOxNRE
HS3uyhsMzbMzHJzRQCeFv7k49kvbDqNs2dKyMdJBAoGBAKyd19QDKgl14Qcfpyrt
NWufWVbukOFVJlh6XCxR9qyMZRAtw9cJbQshUfaOXxzh1H7soJ+Bq4ySW7MkzhCG
oDDsor1Y3hxiLCDctwdr8qX3F0je4ow7HftyFTlh5xtSbmYV/EnHpO40tuKBLqnA
ZPicQao+s/8DQwNr25oSL+kM
-----END PRIVATE KEY-----

smtp:
tls:
enabled: true
hosts:
- smtp.example.local

cert-manager:
enabled: true
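Review bot: A full PEM private key and a 128-character Rails secret are committed in this values file, and the same pair is repeated in `postal/ci/03-ingress-values.yaml`, with the scanner findings suppressed by `checkov:skip`. Since `postal/templates/secret.yaml` in this same change generates both values when they are unset, and the shared workflow already passes `global.signingKey` and `global.railsSecretKey` through `helm-set`, the CI values could presumably omit them altogether. If they must stay, a comment such as `# TEST-ONLY KEY: never deploy; used for CI rendering and nowhere else` directly above `signingKey` would make the risk of reuse explicit to anyone copying the file.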
54 changes: 54 additions & 0 deletions postal/ci/03-ingress-values.yaml
@@ -0,0 +1,54 @@
# SECURITY NOTE: These are example values for CI/testing purposes only.
# In production, these values MUST be replaced with actual secrets.
# Consider using environment variables or secret management systems.
global:
# checkov:skip=CKV_SECRET_6:sample value only
railsSecretKey: LvH4wQpMsNbzuXcNIkvedxBLT9VSSXcjC5LbIcGOS0x06ooTLqtAnPradCvAjIHS7hO90KdUSjfY4xtMWPb6SRdSLH03JNest3xVNJx0ORzhtJYaJX9wjqfH6NTAHyEt
# checkov:skip=CKV_SECRET_13:sample value only
signingKey: |
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDSAOXj/qF/TzuP
Ut/ns25uK/jBnIZCwQUJyODksJCRCUU9CUgafZwyyTvox91Es36Xqg/xVfunR/d/
AFiabpqBY2om1Kvi1CvRLiZCiuKAY9zPtTjPqOKnDEcR6fPqq/9cSZaUNOytqBjK
N82bGTlAWXcWauY6kmciyJASkSHNA5/nzoVlmCvcGAHxVQq/SyDSbGOcKBW26ayC
N04peX3hOnOkOm+R6pdg/gnSK3P8NsW3MxP+MugcZGnyUZXysGWRZgh7A7vtrVcp
omMZsdw7KjcJr4z/2gHtogIQU2O6O2nWQZfowVdcNfPsvzumL3XokTOtNSeWxj2u
N8vmToTnAgMBAAECggEAEeDwsYHupuOMew2/sT618pw8v+L/DTTYpHYdK2say7ZB
1knxgQvbnflC5/UIEf7EEs5wMAg1dg7q872ITZGIBub7VRX7EkMk/diTekvPr8WQ
uYBAt3E15qnlbRGBaiO9iFJdhv2gfsJWZfTtRLyXgrJ7MIXmVus665uupF4FxinW
u/vQnxZOp0lNd1y/9wWP9qx5c47H2DVjxtbog5Wbo3GjjUWIEpsJWs/CBSoINhNc
THFKvimVgPOcqz8vhyrobnUJAFEBH4AcDIydrCVBEEpwTKRhs1ww+Asrj+w+Am+/
1TMQfXpnym3KIQx9uaFqHPNFfb6/+6s5/xib2dJZMQKBgQD6tv0+SvFY9znxWp2x
IOQKJzPKfVWhtiLL1mSHmL1jR/WOFzoe8u4oKiYdyATECXGf/5bd4aOIRKxaFnDC
TUYBtoDFqejHlRjAjz280zASd/YB1TTk9LwPtxCF3DDXtuM2qRooCqO1gn7kSwBq
IpLT4H2edj/EA2CvP6V9QY3VVwKBgQDWbjSnZHq+LIO7582cY04bOSkhTCSh+kA2
wjp0C+ZriFlKoiwMQAz6D5YFGE2rhAeur00l01Emgtq+T0dcZ6k4o+JfUQZVS4Qp
AY1EoEGLG7XvjVJhB5Dpdjk5zso/6L5vpsroH4Cz3ejdE7YcdQmvEXzW5PS2lJpb
+DajDBIC8QKBgHoee8fF1T0SXuTS0JCghrLzWWS+G+HCx7wl1528pjMfr9ngMm00
wxBJR3umG7wpJXFbm27EI1WSrajL2WyrGvhmnt6o3juowf+5RccdzwKP8AIAid0j
4B5/esrY7+mCqbXMNHNgi1E0GP62EaOg54fQhx+SVYjyZDu4crFKJv3NAoGBALUD
u3dDn0pDEcHiYPQP8LOSgWIWgSYrt2GCfQ3RreZA5//U/xIoT8wYtDAA4DBV+JZC
bgHsbajw9e+JxVgAOh4SWtrT72C5qwtiv/qavjnMXr2ms1AtrusmXhCqvJlOxNRE
HS3uyhsMzbMzHJzRQCeFv7k49kvbDqNs2dKyMdJBAoGBAKyd19QDKgl14Qcfpyrt
NWufWVbukOFVJlh6XCxR9qyMZRAtw9cJbQshUfaOXxzh1H7soJ+Bq4ySW7MkzhCG
oDDsor1Y3hxiLCDctwdr8qX3F0je4ow7HftyFTlh5xtSbmYV/EnHpO40tuKBLqnA
ZPicQao+s/8DQwNr25oSL+kM
-----END PRIVATE KEY-----

ingress:
enabled: true
className: "nginx"
annotations:
cert-manager.io/cluster-issuer: letsencrypt
hosts:
- host: chart-example.local
paths:
- path: /
pathType: ImplementationSpecific
tls:
- secretName: chart-example-tls
hosts:
- chart-example.local

cert-manager:
enabled: true
17 changes: 0 additions & 17 deletions postal/ci/base-values.yaml

This file was deleted.

40 changes: 0 additions & 40 deletions postal/ci/ingress-values.yaml

This file was deleted.

20 changes: 0 additions & 20 deletions postal/ci/smtp-tls-values.yaml

This file was deleted.

12 changes: 10 additions & 2 deletions postal/templates/secret.yaml
Expand Up @@ -11,6 +11,14 @@ metadata:
{{- end }}
data:
mariadb-password: {{ .Values.mariadb.auth.password | b64enc | quote }}
signing-key: {{ .Values.global.signingKey | required "You must provide a global.signingKey value" | b64enc | quote }}
rails-secret-key: {{ .Values.global.railsSecretKey | required "You must provide a global.railsSecretKey value" | b64enc | quote }}
{{- if .Values.global.signingKey }}
signing-key: {{ .Values.global.signingKey | b64enc | quote }}
{{- else }}
signing-key: {{ genPrivateKey "rsa" | b64enc | quote }}
{{- end }}
{{- if .Values.global.railsSecretKey }}
rails-secret-key: {{ .Values.global.railsSecretKey | b64enc | quote }}
{{- else }}
rails-secret-key: {{ randAlphaNum 128 | b64enc | quote }}
{{- end }}
{{- end }}
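Review bot: The `genPrivateKey "rsa"` and `randAlphaNum 128` fallbacks are evaluated on every render, so any `helm upgrade` that leaves `global.signingKey` or `global.railsSecretKey` unset replaces both entries in the Secret with fresh values, and tools that render with `helm template` will see a diff on every sync. Anything previously signed or encrypted with the old values would presumably stop validating after such an upgrade. Reuse the stored values by reading the existing Secret with `lookup` before generating, as sketched below; `lookup` returns an empty result under `helm template` and `--dry-run`, so installs managed that way still need explicit values, and the removed `required` check could be kept for them. The Secret's name and the `if` that the final `{{- end }}` closes are outside this hunk, so the name below is a placeholder.

```yaml
# … unchanged: metadata and mariadb-password …
{{- /* SECRET_NAME_PLACEHOLDER stands for the metadata.name this template renders (not visible in the hunk) */}}
{{- $prev := dict }}
{{- with lookup "v1" "Secret" .Release.Namespace "SECRET_NAME_PLACEHOLDER" }}
{{- $prev = .data | default dict }}
{{- end }}
  {{- if .Values.global.signingKey }}
  signing-key: {{ .Values.global.signingKey | b64enc | quote }}
  {{- else if hasKey $prev "signing-key" }}
  {{- /* values read back from the cluster are already base64-encoded */}}
  signing-key: {{ index $prev "signing-key" | quote }}
  {{- else }}
  signing-key: {{ genPrivateKey "rsa" | b64enc | quote }}
  {{- end }}
  {{- if .Values.global.railsSecretKey }}
  rails-secret-key: {{ .Values.global.railsSecretKey | b64enc | quote }}
  {{- else if hasKey $prev "rails-secret-key" }}
  rails-secret-key: {{ index $prev "rails-secret-key" | quote }}
  {{- else }}
  rails-secret-key: {{ randAlphaNum 128 | b64enc | quote }}
  {{- end }}
```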
16 changes: 16 additions & 0 deletions postal/templates/smtp/tls-cert.yaml
Expand Up @@ -23,4 +23,20 @@ spec:
name: {{ .Values.smtp.tls.certManager.issuer.name }}
kind: {{ .Values.smtp.tls.certManager.issuer.kind }}
group: {{ .Values.smtp.tls.certManager.issuer.group }}
{{- else if and .Values.smtp.tls.enabled (eq .Values.smtp.tls.source "self-signed") }}
{{- $ca := genCA "test-ca" 365 }}
{{- $host := include "postal.smtp.fullname" . }}
{{- if and .Values.smtp.tls.hosts (gt (len .Values.smtp.tls.hosts) 0) }}
{{- $host = index .Values.smtp.tls.hosts 0 }}
{{- end }}
{{- $cert := genSignedCert $host nil nil 365 $ca }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "postal.smtp.fullname" . }}-tls
labels:
{{- include "postal.labels" . | nindent 4 }}
data:
tls.crt: {{ $cert.Cert | b64enc }}
tls.key: {{ $cert.Key | b64enc }}
{{- end }}
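Review bot: The self-signed branch issues a certificate without subject alternative names: `genSignedCert $host nil nil 365 $ca` passes nil for both the IP and DNS lists and uses only the first entry of `smtp.tls.hosts` as the common name, so clients that verify the name against SANs will reject it and any further hosts are dropped. Passing the host list, e.g. `{{- $cert := genSignedCert $host nil (default (list $host) .Values.smtp.tls.hosts) 365 $ca }}`, covers every configured name. The CA from `genCA "test-ca" 365` and the leaf are also regenerated on every render and the CA certificate is never published, so consider adding `ca.crt: {{ $ca.Cert | b64enc }}` and `type: kubernetes.io/tls` to the Secret and documenting that this source is for testing only. The enclosing `if` starts outside the hunk.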