move api secrets from configmap to .env-backed k8s Secret

This commit is contained in:
2026-06-03 10:32:33 -03:00
parent 2dad62f7e7
commit bd34c8c5ce
5 changed files with 35 additions and 19 deletions

View File

@@ -1,18 +1,21 @@
# Copy to .env and fill in. Used by docker-compose; k8s pulls from the # Copy to `.env` (gitignored) and fill in. Two consumers:
# nvi-config ConfigMap (ctrl/k8s/base/configmap.yaml). #
# 1. k8s/kind path (tilt up): kustomize's secretGenerator in
# ctrl/k8s/base/kustomization.yaml reads this file and builds the
# nvi-secrets Secret. Non-secret config (DATABASE_URL, NVI_DATASET,
# *_MODEL, LANGFUSE_HOST, ...) lives in configmap.yaml — do not
# duplicate those here.
# 2. docker-compose fallback (ctrl/docker-compose.yml): compose reads
# the same file via the shell.
# Warehouse # LLM API keys — set the one(s) matching your active LLM_PROVIDER.
DATABASE_URL=postgresql://nvi:nvi@postgres:5432/nvi GROQ_API_KEY=
# Active dataset (selects api/datasets/<name>/ + Postgres schema + sqlite file).
NVI_DATASET=financial
# LLM
ANTHROPIC_API_KEY= ANTHROPIC_API_KEY=
ANTHROPIC_MODEL=claude-sonnet-4-6 # vLLM and other OpenAI-compatible self-hosted endpoints ignore auth;
# the literal placeholder is fine.
OPENAI_API_KEY=vllm-no-auth
# Langfuse — set LANGFUSE_HOST to your lng WireGuard endpoint; create an # Langfuse (nivii project on the lng cluster). Both keys are project-
# "nvi" project in the lng UI and paste its keys here. # scoped. Public key is safe by design; bundled for uniformity.
LANGFUSE_HOST=http://lng.local.ar:3000
LANGFUSE_PUBLIC_KEY= LANGFUSE_PUBLIC_KEY=
LANGFUSE_SECRET_KEY= LANGFUSE_SECRET_KEY=

View File

@@ -16,7 +16,10 @@ if k8s_context() != 'kind-nvi':
local('kubectl --context kind-nvi create namespace nvi --dry-run=client -o yaml | kubectl --context kind-nvi apply -f -') local('kubectl --context kind-nvi create namespace nvi --dry-run=client -o yaml | kubectl --context kind-nvi apply -f -')
k8s_yaml(kustomize('k8s/overlays/dev')) # --load-restrictor=LoadRestrictionsNone: secretGenerator reads ../../../.env
# (repo root), which kustomize otherwise refuses for security. Safe here —
# it's our own repo, the path is explicit, and the only reachable file is .env.
k8s_yaml(kustomize('k8s/overlays/dev', flags=['--load-restrictor=LoadRestrictionsNone']))
# --- Images --- # --- Images ---

View File

@@ -29,6 +29,8 @@ spec:
envFrom: envFrom:
- configMapRef: - configMapRef:
name: nvi-config name: nvi-config
- secretRef:
name: nvi-secrets
readinessProbe: readinessProbe:
httpGet: httpGet:
path: /healthz path: /healthz

View File

@@ -12,14 +12,10 @@ data:
NVI_DATASET: "financial" NVI_DATASET: "financial"
# LLM. Supported providers: groq, anthropic, openai. # LLM. Supported providers: groq, anthropic, openai.
# Secrets (*_API_KEY) live in the Secret built by kustomize from .env.
LLM_PROVIDER: "groq" LLM_PROVIDER: "groq"
GROQ_API_KEY: "REDACTED_GROQ_API_KEY"
GROQ_MODEL: "llama-3.3-70b-versatile" GROQ_MODEL: "llama-3.3-70b-versatile"
ANTHROPIC_API_KEY: ""
ANTHROPIC_MODEL: "claude-sonnet-4-6" ANTHROPIC_MODEL: "claude-sonnet-4-6"
# Langfuse (nivii project in the lng cluster). # Langfuse (nivii project in the lng cluster).
LANGFUSE_HOST: "http://lng.local.ar" LANGFUSE_HOST: "http://lng.local.ar"
LANGFUSE_PUBLIC_KEY: "REDACTED_LANGFUSE_PUBLIC_KEY"
LANGFUSE_SECRET_KEY: "REDACTED_LANGFUSE_SECRET_KEY"

View File

@@ -21,3 +21,15 @@ configMapGenerator:
- Caddyfile - Caddyfile
options: options:
disableNameSuffixHash: true disableNameSuffixHash: true
# API key Secret built from .env at the repo root. .env is gitignored; only
# .env.example is committed. The path is relative to this kustomization.yaml
# (ctrl/k8s/base/) — `../../../.env` resolves to the repo root.
# disableNameSuffixHash keeps the Secret name stable so api.yaml's secretRef
# doesn't break on every rebuild.
secretGenerator:
- name: nvi-secrets
envs:
- ../../../.env
options:
disableNameSuffixHash: true