v0.2.3

Use bake-action instead of build-and-push action.

.devcontainer/Dockerfile

@@ -1,2 +1,2 @@
-ARG VARIANT="3.4.2"
+ARG VARIANT="3.4.4"
 FROM ghcr.io/rails/devcontainer/images/ruby:${VARIANT}

.devcontainer/devcontainer.json

@@ -6,7 +6,7 @@
         "vscode": {
             "extensions": [
                 "Shopify.ruby-lsp",
-                "ms-azuretools.vscode-docker"
+                "docker.docker"
             ]
         }
     },

.dockerignore

@@ -0,0 +1,7 @@
+**/.git
+**/.gitignore
+/.devcontainer
+/.gitea
+/.github
+/.vscode
+/charts

.gitea/workflows/lint.yaml

@@ -0,0 +1,23 @@
+---
+name: Ruby Lint
+on:
+  push:
+    branches:
+      - "**"
+  pull_request:
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Ruby Setup
+        uses: ruby/setup-ruby@dffc446db9ba5a0c4446edb5bca1c5c473a806c5 # v1.235.0
+        with:
+          ruby-version: '3.4'
+          bundler-cache: true
+
+      - name: Standard Ruby
+        run: bundle exec standardrb
+

.gitea/workflows/release.yaml

@@ -1,74 +1,27 @@
 ---
-name: Gitea Actions Demo
+name: Release
-run-name: ${{ gitea.actor }} is testing out Gitea Actions 🚀
-
 on:
   schedule: 
-    - cron: "0 10 * * *"
+    - cron: "0 0 * * *"
   push:
     branches:
-      - "**"
+      - main
     tags:
       - "v*.*.*"
-  pull_request:
-
 jobs:
-  lint:
-    runs-on: ubuntu-latest
-    permissions:
-      checks: write
-      contents: write
-    steps:
-      - name: Login to Docker
-        uses: docker/login-action@v3
-        with:
-          username: ${{ vars.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Ruby Setup
-        uses: ruby/setup-ruby@v1
-        with:
-          ruby-version: '3.4'
-          bundler-cache: true
-
-      - run: bundle install
-
-      - name: Standard Ruby
-        run: bundle exec standardrb
-
-
-  test:
-    needs: lint
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Test
-        uses: ruby/setup-ruby@v1
-        with:
-          ruby-version: '3.4'
-          bundler-cache: true
-
-      - run: bundle exec rake
-
   docker:
-    needs: test
     runs-on: ubuntu-latest
-    container:
-      image: catthehacker/ubuntu:act-latest
     env:
       DOCKER_ORG: ryanc
       DOCKER_LATEST: latest
     defaults:
       run:
         shell: bash
+    outputs:
+      metadata: ${{ steps.output.outputs.metadata }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0 # all history for all branches and tags
 
@@ -83,14 +36,31 @@ jobs:
           printf "GITHUB_SHA=%s\n" "$GITHUB_SHA"
           printf "VERSION=%s\n" "$VERSION" | tee -a "$GITHUB_OUTPUT"
 
-      - name: Docker meta
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+
+      - name: Login to Gitea registry
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          registry: git.kill0.net
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Docker meta (debian)
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
         with:
           images: |
             git.kill0.net/ryanc/kubernaut
+          flavor: |
+            latest=auto
+          bake-target: docker-metadata-action
           tags: |
-            type=schedule
+            type=schedule,pattern=nightly
+            type=edge
             type=ref,event=branch
             type=ref,event=pr
             type=semver,pattern={{version}}
@@ -98,25 +68,37 @@ jobs:
             type=semver,pattern={{major}}
             type=sha
 
-      - name: Set up Docker Buildx
+      - name: Docker meta (alpine)
-        uses: docker/setup-buildx-action@v3
+        id: meta-alpine
-
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
-      - name: Login to Gitea registry
-        uses: docker/login-action@v3
         with:
-          registry: git.kill0.net
+          images: |
-          username: ${{ secrets.DOCKER_USERNAME }}
+            git.kill0.net/ryanc/kubernaut
-          password: ${{ secrets.DOCKER_PASSWORD }}
+          bake-target: docker-metadata-action-alpine
+          flavor: |
+            latest=auto
+            suffix=-alpine,onlatest=true
+          tags: |
+            type=schedule,pattern=nightly
+            type=edge
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha
 
       - name: Docker build and push
-        uses: docker/build-push-action@v5
+        uses: docker/bake-action@76f9fa3a758507623da19f6092dc4089a7e61592 # v6.6.0
         with:
           push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.meta.outputs.tags }}
+          files: |
-          labels: ${{ steps.meta.outputs.labels }}
+            ./docker-bake.hcl
+            cwd://${{ steps.meta.outputs.bake-file }}
+            cwd://${{ steps.meta-alpine.outputs.bake-file }}
 
       - name: Setup Helm
-        uses: azure/setup-helm@v4.3.0
+        uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
 
       - name: Publish Helm chart
         if: ${{ contains(github.ref, 'refs/tags/') }}

.gitea/workflows/test.yaml

@@ -0,0 +1,22 @@
+---
+name: Ruby Test
+on:
+  push:
+    branches:
+      - "**"
+  pull_request:
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Test
+        uses: ruby/setup-ruby@dffc446db9ba5a0c4446edb5bca1c5c473a806c5 # v1.235.0
+        with:
+          ruby-version: '3.4'
+          bundler-cache: true
+
+      - run: bundle exec rake
+

Dockerfile

@@ -1,40 +0,0 @@
-FROM ruby:alpine AS base
-
-WORKDIR /app
-
-RUN <<EOT
-  gem update --system --no-document
-  gem install -N bundler
-  apk update
-  apk upgrade --no-cache
-EOT
-
-
-FROM base AS build
-
-RUN <<EOT
-  apk add gcc musl-dev ruby-dev make
-EOT
-
-COPY Gemfile* .
-
-RUN <<EOT
-  bundle config set --local without development
-  bundle install
-EOT
-
-
-FROM base
-
-# RUN useradd ruby --home /app --shell /bin/sh
-RUN adduser ruby -h /app -D
-
-USER ruby:ruby
-
-COPY --from=build /usr/local/bundle /usr/local/bundle
-COPY --from=build --chown=ruby:ruby /app /app
-
-COPY --chown=ruby:ruby . .
-
-EXPOSE 4567
-CMD [ "bundle", "exec", "rackup", "--host", "0.0.0.0", "--port", "4567" ]

Gemfile

@@ -3,13 +3,13 @@ source "https://rubygems.org"
 gem "sinatra"
 gem "sinatra-contrib"
 gem "puma"
-gem "rackup"
 
 gem "anyflake"
 gem "ksuid"
 gem "nanoid"
 gem "ulid"
 gem "uuid7"
+gem "cuid2"
 
 gem "jwt"
 gem "httparty"

Gemfile.lock

@@ -3,69 +3,68 @@ GEM
   specs:
     anyflake (0.0.1)
     ast (2.4.3)
-    base64 (0.2.0)
+    base64 (0.3.0)
-    bigdecimal (3.1.9)
+    bigdecimal (3.2.2)
-    csv (3.3.3)
+    csv (3.3.5)
-    diff-lcs (1.6.1)
+    cuid2 (1.0.1)
+    diff-lcs (1.6.2)
     httparty (0.23.1)
       csv
       mini_mime (>= 1.0.0)
       multi_xml (>= 0.5.2)
-    json (2.10.2)
+    json (2.12.2)
-    jwt (2.10.1)
+    jwt (3.1.1)
       base64
     ksuid (1.0.0)
-    language_server-protocol (3.17.0.4)
+    language_server-protocol (3.17.0.5)
     lint_roller (1.1.0)
     logger (1.7.0)
     mini_mime (1.1.5)
     minitest (5.25.5)
     multi_json (1.15.0)
-    multi_xml (0.7.1)
+    multi_xml (0.7.2)
       bigdecimal (~> 3.1)
     mustermann (3.0.3)
       ruby2_keywords (~> 0.0.1)
     nanoid (2.0.0)
     nio4r (2.7.4)
-    parallel (1.26.3)
+    parallel (1.27.0)
-    parser (3.3.7.4)
+    parser (3.3.8.0)
       ast (~> 2.4.1)
       racc
     prism (1.4.0)
     puma (6.6.0)
       nio4r (~> 2.0)
     racc (1.8.1)
-    rack (3.1.12)
+    rack (3.1.16)
     rack-protection (4.1.1)
       base64 (>= 0.1.0)
       logger (>= 1.6.0)
       rack (>= 3.0.0, < 4)
-    rack-session (2.1.0)
+    rack-session (2.1.1)
       base64 (>= 0.1.0)
       rack (>= 3.0.0)
     rack-test (2.2.0)
       rack (>= 1.3)
-    rackup (2.2.1)
-      rack (>= 3)
     rainbow (3.1.1)
-    rake (13.2.1)
+    rake (13.3.0)
-    rbs (3.9.2)
+    rbs (3.9.4)
       logger
     regexp_parser (2.10.0)
-    rspec (3.13.0)
+    rspec (3.13.1)
       rspec-core (~> 3.13.0)
       rspec-expectations (~> 3.13.0)
       rspec-mocks (~> 3.13.0)
-    rspec-core (3.13.3)
+    rspec-core (3.13.5)
       rspec-support (~> 3.13.0)
-    rspec-expectations (3.13.3)
+    rspec-expectations (3.13.5)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-mocks (3.13.2)
+    rspec-mocks (3.13.5)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-support (3.13.2)
+    rspec-support (3.13.4)
-    rubocop (1.73.2)
+    rubocop (1.75.8)
       json (~> 2.3)
       language_server-protocol (~> 3.17.0.2)
       lint_roller (~> 1.1.0)
@@ -73,20 +72,20 @@ GEM
       parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 2.9.3, < 3.0)
-      rubocop-ast (>= 1.38.0, < 2.0)
+      rubocop-ast (>= 1.44.0, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 2.4.0, < 4.0)
-    rubocop-ast (1.43.0)
+    rubocop-ast (1.45.1)
       parser (>= 3.3.7.2)
       prism (~> 1.4)
-    rubocop-performance (1.24.0)
+    rubocop-performance (1.25.0)
       lint_roller (~> 1.1)
-      rubocop (>= 1.72.1, < 2.0)
+      rubocop (>= 1.75.0, < 2.0)
       rubocop-ast (>= 1.38.0, < 2.0)
-    ruby-lsp (0.23.13)
+    ruby-lsp (0.24.2)
       language_server-protocol (~> 3.17.0)
       prism (>= 1.2, < 2.0)
-      rbs (>= 3, < 4)
+      rbs (>= 3, < 5)
       sorbet-runtime (>= 0.5.10782)
     ruby-progressbar (1.13.0)
     ruby2_keywords (0.0.5)
@@ -103,19 +102,19 @@ GEM
       rack-protection (= 4.1.1)
       sinatra (= 4.1.1)
       tilt (~> 2.0)
-    sorbet-runtime (0.5.11971)
+    sorbet-runtime (0.5.12204)
-    standard (1.47.0)
+    standard (1.50.0)
       language_server-protocol (~> 3.17.0.2)
       lint_roller (~> 1.0)
-      rubocop (~> 1.73.0)
+      rubocop (~> 1.75.5)
       standard-custom (~> 1.0.0)
-      standard-performance (~> 1.7)
+      standard-performance (~> 1.8)
     standard-custom (1.0.2)
       lint_roller (~> 1.0)
       rubocop (~> 1.50)
-    standard-performance (1.7.0)
+    standard-performance (1.8.0)
       lint_roller (~> 1.1)
-      rubocop-performance (~> 1.24.0)
+      rubocop-performance (~> 1.25.0)
     tilt (2.6.0)
     ulid (1.4.0)
     unicode-display_width (3.1.4)
@@ -123,7 +122,7 @@ GEM
     unicode-emoji (4.0.4)
     uuid7 (0.2.0)
       zeitwerk (~> 2.4)
-    zeitwerk (2.7.2)
+    zeitwerk (2.7.3)
 
 PLATFORMS
   ruby
@@ -131,6 +130,7 @@ PLATFORMS
 
 DEPENDENCIES
   anyflake
+  cuid2
   httparty
   jwt
   ksuid
@@ -138,7 +138,6 @@ DEPENDENCIES
   nanoid
   puma
   rack-test
-  rackup
   rake
   rspec
   ruby-lsp
@@ -149,4 +148,4 @@ DEPENDENCIES
   uuid7
 
 BUNDLED WITH
-   2.6.6
+   2.6.9

app.rb

@@ -21,11 +21,9 @@ $LOAD_PATH.unshift File.dirname(__FILE__) + "/lib"
 
 require "config"
 
-VERSION = "0.1.4"
+VERSION = "0.2.3"
 
 CHUNK_SIZE = 1024**2
-SESSION_SECRET_HEX_LENGTH = 64
-JWT_SECRET_HEX_LENGTH = 64
 DEFAULT_FLAKEY = 50
 
 NAME = "kubernaut".freeze
@@ -380,19 +378,21 @@ get "/pid", provides: "json" do
   jsonify({ppid: ppid, pid: Process.pid}, pretty:)
 end
 
-get "/token" do
+get "/token", provides: "json" do
+  pretty = params.key? :pretty
+
   exp = Time.now.to_i + SECONDS_PER_MINUTE * 2
   payload = {name: "anonymous", exp: exp, jti: Random.uuid}
   expires_at = Time.at(exp).to_datetime
-  token = JWT.encode payload, JWT_SECRET, "HS256"
+  token = JWT.encode payload, config.jwt_secret.unwrap, "HS256"
   x = {token: token, expires_at: expires_at}
 
-  jsonify x
+  jsonify x, pretty:
 end
 
 get "/token/validate" do
   token = req_headers["authorization"].split[1]
-  payload = JWT.decode token, JWT_SECRET, true, algorithm: "HS256"
+  payload = JWT.decode token, config.jwt_secret.unwrap, true, algorithm: "HS256"
 
   jsonify payload
 end
@@ -444,7 +444,13 @@ end
 
 get "/_cat/env" do
   stream do |out|
-    ENV.sort.each do |k, v|
+    e = if params.key? :rack
+      env
+    else
+      ENV
+    end
+
+    e.sort.each do |k, v|
       out << "#{k}=#{v}\n"
     end
   end

charts/kubernaut/Chart.yaml

@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.4
+version: 0.2.3
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.1.4"
+appVersion: "0.2.3"

config/puma.rb

@@ -1 +1,5 @@
 ENV["PUMA_PID"] = Process.pid.to_s
+
+port ENV.fetch("PORT", 4567)
+
+pidfile ENV["PIDFILE"] if ENV["PIDFILE"]

docker-bake.hcl

@@ -0,0 +1,22 @@
+group "default" {
+    targets = [ "bookworm", "alpine" ]
+}
+
+target "docker-metadata-action" {}
+target "docker-metadata-action-alpine" {}
+
+target "_common" {
+    args = {
+        RUBY_VERSION = "3.4.4"
+    }
+}
+
+target "bookworm" {
+    dockerfile = "./dockerfiles/bookworm.Dockerfile"
+    inherits = [ "_common", "docker-metadata-action" ]
+}
+
+target "alpine" {
+    dockerfile = "./dockerfiles/alpine.Dockerfile"
+    inherits = [ "_common", "docker-metadata-action-alpine" ]
+}

dockerfiles/alpine.Dockerfile

@@ -0,0 +1,54 @@
+ARG RUBY_VERSION="3.4.4"
+ARG BASE_REGISTRY="docker.io"
+FROM ${BASE_REGISTRY}/ruby:${RUBY_VERSION}-alpine AS base
+
+ENV RACK_ENV="production" \
+  BUNDLE_DEPLOYMENT=true \
+  BUNDLE_PATH="/usr/local/bundle" \
+  BUNDLE_WITHOUT="development test" \
+  RUBY_YJIT_ENABLE=true
+
+WORKDIR /kubernaut
+
+RUN \
+  --mount=type=cache,id=var-cache-apk,target=/var/cache/apk,sharing=locked \
+  apk update -q; \
+  apk add bash jemalloc
+
+RUN \
+  --mount=type=cache,id=usr-local-bundle-cache,target=${BUNDLE_PATH},sharing=locked \
+  gem update --system --no-document; \
+  gem install -N bundler
+
+FROM base AS build
+
+RUN \
+  --mount=type=cache,id=var-cache-apk,target=/var/cache/apk,sharing=locked \
+  apk update -q; \
+  apk add musl-dev gcc make; \
+  apk add bash jemalloc
+
+COPY Gemfile Gemfile.lock ./
+
+RUN \
+  --mount=type=cache,id=usr-local-bundle-ruby-cache,target=${BUNDLE_PATH}/ruby/3.4.0/cache,sharing=locked \
+  bundle install
+
+COPY . .
+
+FROM base
+
+ENV PORT=4567
+
+RUN \
+  addgroup --system --gid 666 kubernaut; \
+  adduser --system --uid 666 --ingroup kubernaut --shell /bin/bash --disabled-password kubernaut
+
+COPY --from=build "${BUNDLE_PATH}" "${BUNDLE_PATH}"
+COPY --from=build /kubernaut /kubernaut
+
+USER kubernaut:kubernaut
+
+EXPOSE $PORT
+ENTRYPOINT [ "/kubernaut/dockerfiles/entrypoint.sh" ]
+CMD [ "bundle", "exec", "puma" ]

dockerfiles/bookworm.Dockerfile

@@ -0,0 +1,62 @@
+ARG RUBY_VERSION="3.4.4"
+ARG BASE_REGISTRY="docker.io"
+ARG DEBIAN_VERSION="bookworm"
+FROM ${BASE_REGISTRY}/ruby:${RUBY_VERSION}-slim-${DEBIAN_VERSION} AS base
+
+ENV RACK_ENV="production" \
+  BUNDLE_DEPLOYMENT=true \
+  BUNDLE_PATH="/usr/local/bundle" \
+  BUNDLE_WITHOUT="development test" \
+  RUBY_YJIT_ENABLE=true
+
+WORKDIR /kubernaut
+
+RUN rm -f /etc/apt/apt.conf.d/docker-clean
+
+RUN \
+  --mount=type=cache,id=var-cache-apt,target=/var/cache/apt,sharing=locked \
+  --mount=type=cache,id=var-lib-apt,target=/var/lib/apt,sharing=locked \
+  apt-get update -qq; \
+  apt-get install --yes --no-install-recommends \
+  libjemalloc2
+
+RUN \
+  --mount=type=cache,id=usr-local-bundle-cache,target=${BUNDLE_PATH},sharing=locked \
+  gem update --system --no-document; \
+  gem install -N bundler
+
+ENV DEBIAN_FRONTEND="noninteractive"
+
+FROM base AS build
+
+RUN \
+  --mount=type=cache,id=var-cache-apt,target=/var/cache/apt,sharing=locked \
+  --mount=type=cache,id=var-lib-apt,target=/var/lib/apt,sharing=locked \
+  apt-get update -qq; \
+  apt-get install --yes --no-install-recommends \
+  build-essential
+
+COPY Gemfile Gemfile.lock ./
+
+RUN \
+  --mount=type=cache,id=usr-local-bundle-ruby-cache,target=${BUNDLE_PATH}/ruby/3.4.0/cache,sharing=locked \
+  bundle install
+
+COPY . .
+
+FROM base
+
+ENV PORT=4567
+
+RUN \
+  groupadd --system --gid 666 kubernaut; \
+  useradd --system --uid 666 --gid kubernaut --create-home --shell /bin/bash kubernaut
+
+COPY --from=build "${BUNDLE_PATH}" "${BUNDLE_PATH}"
+COPY --from=build /kubernaut /kubernaut
+
+USER kubernaut:kubernaut
+
+EXPOSE $PORT
+ENTRYPOINT [ "/kubernaut/dockerfiles/entrypoint.sh" ]
+CMD [ "bundle", "exec", "puma" ]

dockerfiles/entrypoint.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+# output debugging info
+ruby --version
+printf "rubygems %s\n" "$(gem --version)"
+bundle version
+
+if [ -z "${LD_PRELOAD+x}" ]; then
+    LD_PRELOAD="$(find /usr/lib -name libjemalloc.so.2 -print -quit)"
+    export LD_PRELOAD
+fi
+
+exec "${@}"

kustomize/app/deployment.yaml

@@ -16,18 +16,24 @@ spec:
     spec:
       containers:
         - name: kubernaut
-          image: git.kill0.net/ryanc/kubernaut:0.1.4
+          image: git.kill0.net/ryanc/kubernaut:0.2.3
-          imagePullPolicy: Always
+          imagePullPolicy: IfNotPresent
           ports:
             - name: sinatra-web
               containerPort: 4567
           env:
-            - name: SESSION_SECRET
+            - name: KUBERNAUT_SESSION_SECRET
               valueFrom:
                 secretKeyRef:
-                  name: kubernaut-session-secret
+                  name: kubernaut
                   key: session_secret
                   optional: true
+            - name: KUBERNAUT_JWT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: kubernaut
+                  key: jwt_secret
+                  optional: true
           envFrom:
             - configMapRef:
                 name: kubernaut-configmap

kustomize/app/kustomization.yaml

@@ -3,7 +3,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: kubernaut
 resources:
-  - secret.yaml
   - configmap.yaml
   - deployment.yaml
   - hpa.yaml

kustomize/app/secret.yaml

@@ -1,15 +0,0 @@
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: kubernaut-session-secret
-  namespace: kubernaut
-spec:
-  encryptedData:
-    session_secret: AgCY08t0AU418znEZt5d252J+lH+fwYki2g6jdJpfdRfVQjnA+b52P0KWrs/x5pB0PKab6Z3JY/Tz0SQCaoIsCR4IzUO3a095aulRqb6Qr1Lz8udBVta4JJMZLmo26tuUfVHlpD1d6J8rkBSm8vzckFLkOA1Wfl/9rS3K4qwiDogA5pI0ULghFkeEx1yKdRwPq0k8PuvOvLUJ6oNq3e5n+B/BrVWdQ+7XQxUq/AMANJrDbe+RD33f99LArHYA7bFMbY8YRazXSTAkeunpTlxTjuGZKYvJKupo29LHz2OVbZVX/hI0nZkdVpcgqvbxF6Vw9CuCeAmtKYl7A3qsAWqDLUdP3hRLsk2P9RDNhEzYWh4ml8APzziWzihdJbGEjwLy7HsHgKslM0XbBnRQDlxp/JtvcWdjQp33A+QOON32zOKHi+qJjDYyGebS1+xkPbnyb1MPSJVAtFpj7dlLbFekLFDZEbXuJYUl1wKdFOIjJHmNK/MTEV2kOhtiVj/aeKgSXwor9hR7Uxzs5ZSawp9uWw+hpr58EX6I+RtfO4yjFC6FjnagiU6SlI1Q2F7/nv82g1UWTYMpNN5bduS1YFWmsnXvK+W7YQHpSForr5ndtCSHmclbXb5Fc33sywC5u6Bi2Gu5/MW6d73BOog5BC3QtOuEQ044Q+cuU3RIlKADBqKLzZmHlmukyyGuZfXJnGjlWGKp3J1KecucTo6XC9QHpUkjXEKdlE63mOI1VuOGyBIHl60v4bnWiBg+aDZVHipz4JLKsVB0HOgBBK7+tOX6tr1GDG/F7Nz/i9ebzUV6i8Ec1jHf+2ZcTtBkNXBIkHc84+4Qd33/gOuP+lizLfIhfQ3DFWbwyfYumpVbeapyYhB0CE=
-  template:
-    metadata:
-      creationTimestamp: null
-      name: kubernaut-session-secret
-      namespace: kubernaut

kustomize/kustomization.yaml

@@ -6,4 +6,3 @@ metadata:
 resources:
   - namespace.yaml
   - ./app
-  - ./memcached

kustomize/memcached/deployment.yaml

@@ -1,21 +0,0 @@
----
-kind: Deployment
-apiVersion: apps/v1
-metadata:
-  name: kubernaut-memcached
-
-spec:
-  selector:
-    matchLabels:
-      app: kubernaut-memcached
-  template:
-    metadata:
-      labels:
-        app: kubernaut-memcached
-    spec:
-      containers:
-        - name: kubernaut-memcached
-          image: memcached:latest
-          ports:
-            - name: memcached
-              containerPort: 11211

kustomize/memcached/kustomization.yaml

@@ -1,7 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: kubernaut
-resources:
-  - deployment.yaml
-  - services.yaml

kustomize/memcached/services.yaml

@@ -1,13 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: kubernaut-memcached
-
-spec:
-  ports:
-    - name: memcached
-      port: 11211
-      targetPort: memcached
-  selector:
-    app: kubernaut-memcached

lib/config.rb

@@ -1,5 +1,8 @@
 require "sensitive"
 
+SESSION_SECRET_HEX_LENGTH = 64
+JWT_SECRET_HEX_LENGTH = 64
+
 class Config
   attr_accessor :cat
 
@@ -9,7 +12,7 @@ class Config
     @prefix = prefix
     @cat = cat
 
-    session_secret ||= ENV.fetch "SESSION_SECRET" do
+    session_secret ||= fetch_env "SESSION_SECRET" do
       SecureRandom.hex SESSION_SECRET_HEX_LENGTH
     end