feat: skip opencloud init — inject all secrets as runtime ENV vars

charts/opencloud/README.md

@@ -237,6 +237,7 @@ This will prepend `my-registry.com/` to all image references in the chart. For e
 | `opencloud.persistence.size` | Size of the persistent volume | `10Gi` |
 | `opencloud.persistence.storageClass` | Storage class | `""` |
 | `opencloud.persistence.accessMode` | Access mode | `ReadWriteOnce` |
+| `opencloud.initSecrets.existingSecret` | Use a pre-created Secret for init credentials (see [Init Secrets](#init-secrets)) | `""` |
 | `opencloud.smtp.enabled` | Enable smtp for opencloud | `false` |
 | `opencloud.smtp.host` | SMTP host | `` |
 | `opencloud.smtp.port` | SMTP port | `587` |
@@ -321,6 +322,34 @@ The following options allow setting up a POSIX-compatible filesystem (such as NF
 >   --namespace your-namespace
 > ```
 
+### Init Secrets
+
+OpenCloud requires internal service credentials (JWT, IDM passwords, transfer secrets, UUIDs, etc.). Instead of running `opencloud init` at startup, the chart injects all credentials as runtime environment variables from a Kubernetes Secret. This eliminates init-time config generation, making deployments fully stateless and restart-safe.
+
+By default, the chart auto-generates and persists these credentials across Helm upgrades.
+
+| Parameter | Description | Default |
+| --------- | ----------- | ------- |
+| `opencloud.initSecrets.existingSecret` | Use a pre-created Secret instead of auto-generating | `""` |
+
+**New installs**: No action needed — the chart generates stable secrets and UUIDs automatically.
+
+**Existing installs upgrading to this version**: No breaking changes. The chart creates a new `*-init` Secret alongside existing resources. If you manage secrets externally, set `opencloud.initSecrets.existingSecret` to your secret name. Required keys:
+
+```
+# Secrets (random strings)
+jwtSecret, machineAuthApiKey, transferSecret, serviceAccountSecret,
+idmServicePassword, idmRevaServicePassword, idmIdpServicePassword,
+collaborationWopiSecret, systemUserApiKey, urlSigningSecret,
+thumbnailsTransferSecret
+
+# UUIDs (stable v4 UUIDs)
+systemUserID, adminUserID, serviceAccountID, graphApplicationID,
+storageUsersMountID
+```
+
+The chart maps these keys to the correct runtime ENV vars for each OpenCloud service, including per-service LDAP bind passwords (e.g., `USERS_LDAP_BIND_PASSWORD` ← `idmRevaServicePassword`).
+
 ### Keycloak Settings
 
 By default the chart deploys an internal Keycloak. It can be disabled and replaced with an external OIDC provider.

charts/opencloud/templates/opencloud/deployment.yaml

@@ -124,7 +124,7 @@ spec:
               type: RuntimeDefault
           imagePullPolicy: {{ include "opencloud.image.pullPolicy" (dict "pullPolicy" .Values.image.pullPolicy "global" .Values.global) }}
           command: ["/bin/sh"]
-          args: ["-c", "opencloud init || true; opencloud server"]
+          args: ["-c", "mkdir -p /var/lib/opencloud/.opencloud/config && touch /var/lib/opencloud/.opencloud/config/banned-password-list.txt; opencloud server"]
           {{- with .Values.opencloud.envFrom }}
           envFrom:
             {{- toYaml . | nindent 12 }}
@@ -263,6 +263,129 @@ spec:
                           {{ include "opencloud.opencloud.fullname" . }}
                         {{- end }}
                   key: adminPassword
+            {{- /* Runtime secrets — injected directly, no opencloud init needed */ -}}
+            {{- $initSecretName := .Values.opencloud.initSecrets.existingSecret | default (printf "%s-init" (include "opencloud.opencloud.fullname" .)) }}
+            - name: OC_JWT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $initSecretName }}
+                  key: jwtSecret
+            - name: OC_MACHINE_AUTH_API_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $initSecretName }}
+                  key: machineAuthApiKey
+            - name: OC_TRANSFER_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $initSecretName }}
+                  key: transferSecret
+            - name: OC_SERVICE_ACCOUNT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $initSecretName }}
+                  key: serviceAccountSecret
+            - name: OC_SERVICE_ACCOUNT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $initSecretName }}
+                  key: serviceAccountID
+            - name: IDM_SVC_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $initSecretName }}
+                  key: idmServicePassword
+            - name: IDM_REVASVC_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $initSecretName }}
+                  key: idmRevaServicePassword
+            - name: IDM_IDPSVC_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $initSecretName }}
+                  key: idmIdpServicePassword
+            - name: COLLABORATION_WOPI_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $initSecretName }}
+                  key: collaborationWopiSecret
+            - name: OC_SYSTEM_USER_API_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $initSecretName }}
+                  key: systemUserApiKey
+            - name: OC_URL_SIGNING_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $initSecretName }}
+                  key: urlSigningSecret
+            - name: THUMBNAILS_TRANSFER_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $initSecretName }}
+                  key: thumbnailsTransferSecret
+            - name: OC_SYSTEM_USER_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $initSecretName }}
+                  key: systemUserID
+            - name: OC_ADMIN_USER_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $initSecretName }}
+                  key: adminUserID
+            - name: GRAPH_APPLICATION_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $initSecretName }}
+                  key: graphApplicationID
+            - name: STORAGE_USERS_MOUNT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $initSecretName }}
+                  key: storageUsersMountID
+            - name: GATEWAY_STORAGE_USERS_MOUNT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $initSecretName }}
+                  key: storageUsersMountID
+            - name: SETTINGS_SERVICE_ACCOUNT_IDS
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $initSecretName }}
+                  key: serviceAccountID
+            # Per-service LDAP bind passwords
+            - name: USERS_LDAP_BIND_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $initSecretName }}
+                  key: idmRevaServicePassword
+            - name: GROUPS_LDAP_BIND_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $initSecretName }}
+                  key: idmRevaServicePassword
+            - name: AUTH_BASIC_LDAP_BIND_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $initSecretName }}
+                  key: idmRevaServicePassword
+            - name: IDP_LDAP_BIND_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $initSecretName }}
+                  key: idmIdpServicePassword
+            - name: GRAPH_LDAP_BIND_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $initSecretName }}
+                  key: idmServicePassword
+            - name: IDM_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.opencloud.existingSecret | default (include "opencloud.opencloud.fullname" .) }}
+                  key: adminPassword
             # Demo users
             - name: IDM_CREATE_DEMO_USERS
               value: {{ .Values.opencloud.createDemoUsers | quote }}
@@ -345,22 +468,19 @@ spec:
             - name: nats
               containerPort: 9233
           startupProbe:
-            httpGet:
-              path: /health
+            tcpSocket:
               port: 9200
             periodSeconds: 2
             timeoutSeconds: 5
             failureThreshold: 60
           livenessProbe:
-            httpGet:
-              path: /health
+            tcpSocket:
               port: 9200
             periodSeconds: 10
             timeoutSeconds: 5
             failureThreshold: 3
           readinessProbe:
-            httpGet:
-              path: /health
+            tcpSocket:
               port: 9200
             periodSeconds: 5
             timeoutSeconds: 5

charts/opencloud/templates/opencloud/init-secrets.yaml

@@ -0,0 +1,51 @@
+{{- if and .Values.opencloud.enabled (not .Values.opencloud.initSecrets.existingSecret) }}
+{{- /* Stable init secrets — persisted across helm upgrades via lookup */ -}}
+{{- $secretName := printf "%s-init" (include "opencloud.opencloud.fullname" .) -}}
+{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace $secretName }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+  annotations:
+    "helm.sh/resource-policy": "keep"
+  labels:
+    {{- include "opencloud.labels" . | nindent 4 }}
+    app.kubernetes.io/component: opencloud
+type: Opaque
+data:
+{{- if $existingSecret }}
+  jwtSecret: {{ index $existingSecret.data "jwtSecret" | default (randAlphaNum 32 | b64enc) }}
+  machineAuthApiKey: {{ index $existingSecret.data "machineAuthApiKey" | default (randAlphaNum 32 | b64enc) }}
+  transferSecret: {{ index $existingSecret.data "transferSecret" | default (randAlphaNum 32 | b64enc) }}
+  serviceAccountSecret: {{ index $existingSecret.data "serviceAccountSecret" | default (randAlphaNum 32 | b64enc) }}
+  idmServicePassword: {{ index $existingSecret.data "idmServicePassword" | default (randAlphaNum 32 | b64enc) }}
+  idmRevaServicePassword: {{ index $existingSecret.data "idmRevaServicePassword" | default (randAlphaNum 32 | b64enc) }}
+  idmIdpServicePassword: {{ index $existingSecret.data "idmIdpServicePassword" | default (randAlphaNum 32 | b64enc) }}
+  collaborationWopiSecret: {{ index $existingSecret.data "collaborationWopiSecret" | default (randAlphaNum 32 | b64enc) }}
+  systemUserApiKey: {{ index $existingSecret.data "systemUserApiKey" | default (randAlphaNum 32 | b64enc) }}
+  urlSigningSecret: {{ index $existingSecret.data "urlSigningSecret" | default (randAlphaNum 32 | b64enc) }}
+  thumbnailsTransferSecret: {{ index $existingSecret.data "thumbnailsTransferSecret" | default (randAlphaNum 32 | b64enc) }}
+  systemUserID: {{ index $existingSecret.data "systemUserID" | default (uuidv4 | b64enc) }}
+  adminUserID: {{ index $existingSecret.data "adminUserID" | default (uuidv4 | b64enc) }}
+  serviceAccountID: {{ index $existingSecret.data "serviceAccountID" | default (uuidv4 | b64enc) }}
+  graphApplicationID: {{ index $existingSecret.data "graphApplicationID" | default (uuidv4 | b64enc) }}
+  storageUsersMountID: {{ index $existingSecret.data "storageUsersMountID" | default (uuidv4 | b64enc) }}
+{{- else }}
+  jwtSecret: {{ randAlphaNum 32 | b64enc | quote }}
+  machineAuthApiKey: {{ randAlphaNum 32 | b64enc | quote }}
+  transferSecret: {{ randAlphaNum 32 | b64enc | quote }}
+  serviceAccountSecret: {{ randAlphaNum 32 | b64enc | quote }}
+  idmServicePassword: {{ randAlphaNum 32 | b64enc | quote }}
+  idmRevaServicePassword: {{ randAlphaNum 32 | b64enc | quote }}
+  idmIdpServicePassword: {{ randAlphaNum 32 | b64enc | quote }}
+  collaborationWopiSecret: {{ randAlphaNum 32 | b64enc | quote }}
+  systemUserApiKey: {{ randAlphaNum 32 | b64enc | quote }}
+  urlSigningSecret: {{ randAlphaNum 32 | b64enc | quote }}
+  thumbnailsTransferSecret: {{ randAlphaNum 32 | b64enc | quote }}
+  systemUserID: {{ uuidv4 | b64enc | quote }}
+  adminUserID: {{ uuidv4 | b64enc | quote }}
+  serviceAccountID: {{ uuidv4 | b64enc | quote }}
+  graphApplicationID: {{ uuidv4 | b64enc | quote }}
+  storageUsersMountID: {{ uuidv4 | b64enc | quote }}
+{{- end }}
+{{- end }}

charts/opencloud/values.yaml

@@ -398,6 +398,11 @@ opencloud:
   # Admin password
   # ignored if opencloud.existingSecret is set
   adminPassword: admin
+
+  # Init secrets for deterministic service credentials across restarts.
+  # Set existingSecret to use a pre-created Secret; otherwise auto-generated.
+  initSecrets:
+    existingSecret: ""
 
   # Create demo users
   createDemoUsers: false