generated from coulomb/repo-seed
feat(sso-mfa): T04 privacyIDEA manifests (NK-WP-0001-T04)
Deploy privacyIDEA (MFA core) in the mfa namespace: - pvc.yaml: privacyidea-data (5Gi) and privacyidea-logs (2Gi) - configmap.yaml: pi.cfg reading secrets from env vars - deployment.yaml: Deployment + ClusterIP Service (port 8080) - middleware.yaml: Traefik RateLimit + admin IP AllowList - ingress.yaml: pink.coulomb.social (portal + admin), pink-account.coulomb.social (self-service) - create-secrets.sh: creates privacyidea-config Secret - enckey-bootstrap.sh: post-deploy key extraction + DR Secrets - bootstrap-admin.sh: pi-admin, trigger-admin, privacyidea-trigger-admin Secret - verify-t04.sh: 8-section done-criteria checker Config points CP-NK-002 (pink.coulomb.social) and CP-NK-003 (pink-account.coulomb.social) registered in CONFIG.md. pink = PrivacyIDEA Net Knights (project mnemonic). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
65
sso-mfa/k8s/privacyidea/create-secrets.sh
Executable file
65
sso-mfa/k8s/privacyidea/create-secrets.sh
Executable file
@@ -0,0 +1,65 @@
|
||||
#!/usr/bin/env bash
|
||||
# create-secrets.sh — create the privacyidea-config K8s Secret
|
||||
#
|
||||
# Usage:
|
||||
# ./create-secrets.sh [secrets-dir]
|
||||
#
|
||||
# <secrets-dir> is the output directory from sso-mfa/bootstrap/gen-secrets.sh
|
||||
# (default: ../../bootstrap/secrets).
|
||||
#
|
||||
# Creates ONE Secret in the mfa namespace:
|
||||
# privacyidea-config — PI_SECRET_KEY, PI_PEPPER, PI_SQLALCHEMY_DATABASE_URI
|
||||
#
|
||||
# This secret must exist before applying deployment.yaml.
|
||||
#
|
||||
# The enckey and auditkey Secrets (privacyidea-enckey, privacyidea-auditkeys)
|
||||
# are created separately by enckey-bootstrap.sh AFTER the first pod start,
|
||||
# because those keys are auto-generated by the container on first run.
|
||||
#
|
||||
# Re-run this script if you rotate PI_SECRET_KEY or PI_PEPPER in KeePassXC.
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
SECRETS_DIR="${1:-../../bootstrap/secrets}"
|
||||
PI_ENV="$SECRETS_DIR/privacyidea/secrets.env"
|
||||
|
||||
if [[ ! -d "$SECRETS_DIR" ]]; then
|
||||
echo "ERROR: secrets directory not found: $SECRETS_DIR" >&2
|
||||
echo "Run sso-mfa/bootstrap/gen-secrets.sh first." >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [[ ! -f "$PI_ENV" ]]; then
|
||||
echo "ERROR: $PI_ENV not found" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Read values from the generated env file in a subshell to avoid polluting env.
|
||||
PI_SECRET_KEY=$(bash -c "source '$PI_ENV' 2>/dev/null; echo \$PI_SECRET_KEY")
|
||||
PI_PEPPER=$(bash -c "source '$PI_ENV' 2>/dev/null; echo \$PI_PEPPER")
|
||||
PI_DB_PASSWORD=$(bash -c "source '$PI_ENV' 2>/dev/null; echo \$PI_DB_PASSWORD")
|
||||
|
||||
if [[ -z "$PI_SECRET_KEY" || -z "$PI_PEPPER" || -z "$PI_DB_PASSWORD" ]]; then
|
||||
echo "ERROR: could not read PI_SECRET_KEY, PI_PEPPER, or PI_DB_PASSWORD from $PI_ENV" >&2
|
||||
echo "Check that gen-secrets.sh ran successfully." >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Construct the SQLAlchemy database URI.
|
||||
# CloudNativePG read-write service: net-kingdom-pg-rw.databases.svc.cluster.local
|
||||
PI_DB_URI="postgresql://privacyidea:${PI_DB_PASSWORD}@net-kingdom-pg-rw.databases.svc.cluster.local:5432/privacyidea_db"
|
||||
|
||||
echo "Creating K8s Secret: privacyidea-config (namespace: mfa)"
|
||||
kubectl create secret generic privacyidea-config \
|
||||
--namespace=mfa \
|
||||
--from-literal=PI_SECRET_KEY="$PI_SECRET_KEY" \
|
||||
--from-literal=PI_PEPPER="$PI_PEPPER" \
|
||||
--from-literal=PI_SQLALCHEMY_DATABASE_URI="$PI_DB_URI" \
|
||||
--dry-run=client -o yaml | kubectl apply -f -
|
||||
|
||||
echo ""
|
||||
echo "Done. Secret privacyidea-config created in namespace: mfa"
|
||||
echo ""
|
||||
echo "Next:"
|
||||
echo " Apply manifests (see README.md apply order)."
|
||||
echo " After the pod is Running, run: ./enckey-bootstrap.sh"
|
||||
Reference in New Issue
Block a user