diff --git a/apps/base/artifactapi/api-deployment.yaml b/apps/base/artifactapi/api-deployment.yaml
index c29b7df..abf16de 100644
--- a/apps/base/artifactapi/api-deployment.yaml
+++ b/apps/base/artifactapi/api-deployment.yaml
@@ -48,10 +48,25 @@ spec:
 - secretRef:
 name: environment
 optional: false
+ env:
+ # Terraform provider registry signing. The secret is mounted
+ # optional, so the pod runs before it exists; artifactapi keeps the
+ # registry disabled until a readable key is present.
+ - name: TF_SIGNING_KEY_PATH
+ value: /etc/artifactapi/tf-signing/private-key.asc
+ - name: TF_SIGNING_KEY_PASSPHRASE
+ valueFrom:
+ secretKeyRef:
+ name: artifactapi-tf-signing
+ key: passphrase
+ optional: true
 volumeMounts:
 - name: combined-certs
 mountPath: /etc/ssl/combined
 readOnly: true
+ - name: tf-signing-key
+ mountPath: /etc/artifactapi/tf-signing
+ readOnly: true
 livenessProbe:
 failureThreshold: 3
 httpGet:
@@ -88,4 +103,8 @@ spec:
 path: ca.crt
 - name: combined-certs
 emptyDir: {}
+ - name: tf-signing-key
+ secret:
+ secretName: artifactapi-tf-signing
+ optional: true
 restartPolicy: Always
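Review bot: The `TF_SIGNING_KEY_PASSPHRASE` env entry in the first hunk puts the passphrase that unlocks the signing key into the process environment, where it is visible in `/proc/<pid>/environ`, inherited by every child process and liable to end up in crash dumps or debug output, even though the same secret is already mounted read-only at `/etc/artifactapi/tf-signing`. The env var also undercuts the "runs before it exists" comment above it: a `secretKeyRef` with `optional: true` is resolved once when the container starts, so if the secret is created afterwards the secret volume is eventually repopulated by the kubelet but the passphrase variable stays unset until the pod restarts, leaving a readable key with no passphrase. Since the secret volume already exists, I would drop the `valueFrom` block and point the app at a file instead, `- name: TF_SIGNING_KEY_PASSPHRASE_FILE` / `value: /etc/artifactapi/tf-signing/passphrase`, assuming artifactapi can read the passphrase from a path (if it cannot, that is a small app change worth making). The container spec this `env:` belongs to starts before the hunk, so I cannot see whether a `securityContext` or other `env` entries already exist there.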
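Review bot: The `tf-signing-key` secret volume in the second hunk relies on the default file mode, so a private key under `/etc/artifactapi/tf-signing` is created world-readable (mode 0644) inside the container; the `readOnly: true` on the mount prevents writes but not reads by other users in the container. Restrict it explicitly with `defaultMode: 0400` under `secret:`, and bear in mind that if the pod runs with an `fsGroup` the files are group-owned accordingly; that setting is outside this hunk, so confirm the app's UID can still read the key after tightening the mode.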