thalos-service/docs/runbooks/containerization.md
2026-03-31 15:59:38 -06:00

Containerization Runbook

Image Build

If the repo consumes internal packages from Gitea, pass feed credentials as build args.

docker build \
  --build-arg NUGET_FEED_USERNAME=<gitea-login> \
  --build-arg NUGET_FEED_TOKEN=<gitea-token> \
  -t agilewebs/thalos-service:dev .
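
Build-arg values are recorded in the history of any image layer built while the ARG is in scope, so a feed token passed this way can be read back from the image. The check below is an added example, not part of the thalos-service repo: it scans `docker history` output for the two build args named above. The sample history lines are constructed, and this page does not say whether the project's Dockerfile confines the args to a discarded build stage.

```sh
#!/bin/sh
# Added example, not part of the thalos-service repo.
# Flags build-arg values that were recorded in an image's layer history.

# The two build args named in the build command on this page.
SENSITIVE_ARGS="NUGET_FEED_USERNAME NUGET_FEED_TOKEN"

# scan_history: read `docker history` CreatedBy text on stdin and print the
# name of every sensitive arg that appears as NAME=<non-empty value>.
# Only names are printed, never the recorded values.
scan_history() {
    history_text=$(cat)
    for name in $SENSITIVE_ARGS; do
        # RUN steps executed with an ARG in scope are recorded as
        # "|<n> NAME=value ... /bin/sh -c <cmd>"; a bare "ARG NAME" has no value.
        if printf '%s\n' "$history_text" |
            grep -Eq "(^|[[:space:]])${name}=[^[:space:]]+"; then
            printf '%s\n' "$name"
        fi
    done
}

# check_image: scan a local image; returns 1 if any value was recorded.
check_image() {
    leaked=$(docker history --no-trunc --format '{{.CreatedBy}}' "$1" | scan_history)
    [ -z "$leaked" ] && return 0
    printf 'build-arg values recorded in history of %s:\n%s\n' "$1" "$leaked" >&2
    return 1
}

# Constructed sample history, not captured from a real image.
SAMPLE_LEAKY='RUN |2 NUGET_FEED_USERNAME=ci-bot NUGET_FEED_TOKEN=example-token /bin/sh -c dotnet restore # buildkit
ARG NUGET_FEED_TOKEN
ARG NUGET_FEED_USERNAME'
SAMPLE_CLEAN='COPY /app/publish /app # buildkit
WORKDIR /app
EXPOSE map[8080/tcp:{}]'

# Demonstration on the constructed samples (prints the two arg names, then nothing).
printf '%s\n' "$SAMPLE_LEAKY" | scan_history
printf '%s\n' "$SAMPLE_CLEAN" | scan_history
```

Run `check_image agilewebs/thalos-service:dev` after a build. A non-zero return means the feed token is readable by anyone who can pull that image.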

Local Run

docker run --rm -p 8080:8080 \
  -e ThalosIdentity__Secrets__SessionSigning=<session-signing-secret> \
  -e ThalosIdentity__Secrets__Oidc__Google__ClientId=<google-client-id> \
  -e ThalosIdentity__Secrets__Oidc__Google__Issuer=https://accounts.google.com \
  --name thalos-service agilewebs/thalos-service:dev

Health Probe

  • Path: /health
  • Fallback path: /healthz
  • Port: 8080

Runtime Notes

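  • Exposes the internal identity runtime endpoint set and the gRPC service.
  • Google OIDC claim validation requires ThalosIdentity:Secrets:Oidc:Google:ClientId (passed as ThalosIdentity__Secrets__Oidc__Google__ClientId in the Local Run command).
  • Session refresh signing requires ThalosIdentity:Secrets:SessionSigning (passed as ThalosIdentity__Secrets__SessionSigning in the Local Run command); there is no baked-in production fallback secret.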
  • If the host does not provide configuration, AddThalosServiceRuntime() supplies a local in-memory session-signing default strictly for isolated tests and developer-only runtime wiring.