fix dockerfile

helm-chart/renku/templates/secrets-storage/deployment.yaml

@@ -87,6 +87,7 @@ spec:
         - name: encryption-key
           secret:
             secretName: {{ template "renku.fullname" . }}-secrets-storage
+        {{- include "certificates.volumes" . | nindent 8 }}
     {{- with .Values.secretsStorage.nodeSelector }}
       nodeSelector:
         {{ toYaml . | nindent 8 }}

helm-chart/renku/templates/setup-job-platform-init.yaml

@@ -31,8 +31,56 @@ spec:
             runAsNonRoot: true
           env:
             - name: K8S_NAMESPACE
-              value: {{ .Release.namespace}}
+              value: {{ .Release.Namespace}}
             - name: RENKU_FULLNAME
               value: {{ template "renku.fullname" . }}
             - name: PLATFORM_INIT_CONFIG
-              value: {{ .Values.global.platformConfig}}
+              value: {{ .Values.global.platformConfig| default (printf "{}") | quote }}
+      serviceAccountName: {{ template "renku.fullname" . }}-platform-init
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "renku.fullname" . }}-platform-init
+  labels:
+    app: {{ template "renku.name" . }}
+    chart: {{ template "renku.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - patch
+      - create
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "renku.fullname" . }}-platform-init
+  labels:
+    app: {{ template "renku.name" . }}
+    chart: {{ template "renku.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "renku.fullname" . }}-platform-init
+  labels:
+    app: {{ template "renku.name" . }}
+    chart: {{ template "renku.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "renku.fullname" . }}-platform-init
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "renku.fullname" . }}-platform-init
+    namespace: {{ .Release.Namespace }}

helm-chart/renku/values.yaml

@@ -5,6 +5,8 @@
 ## Global variables
 ## Shared values/secrets
 global:
+  platformConfig: |
+    {} 
   gitlab:
     ## Name of the postgres database to be used by Gitlab
     postgresDatabase: gitlabhq_production

scripts/platform-init/Dockerfile

@@ -1,7 +1,10 @@
-FROM python:3.12-alpine
-
+FROM python:3.12-slim-bookworm
+RUN apt-get update && apt-get install -y \
+    tini && \
+    rm -rf /var/lib/apt/lists/*
 COPY requirements.txt platform-init.py /app/
 WORKDIR /app
-RUN pip install -r requirements.txt
+RUN pip3 install -r requirements.txt
 USER 1000:1000
 
+ENTRYPOINT [ "tini", "-g", "--", "python" ]

scripts/platform-init/platform-init.py

@@ -193,7 +193,7 @@ def init_secret_service_secret(config: Config):
 
 def main():
     config = Config.from_env()
-    k8s_config.load_kube_config()
+    k8s_config.load_incluster_config()
     logging.info("Initializing Renku platform")
     init_secret_service_secret(config)