generated from coulomb/repo-seed
feat(sso-mfa): T02/T03 live apply — age-encrypted secrets, CNPG cluster (NK-WP-0001-T02/T03)
- Add encrypt-secrets.sh / decrypt-secrets.sh: age-based secrets workflow replaces KeePassXC dependency; encrypted .env.age files committed to repo - Add bootstrap/secrets.enc/: all component secrets encrypted to age pubkey - Fix .gitignore: allow secrets.enc/**/*.age while blocking plaintext - Fix verify-t02.sh: update netpol names for Authelia+LLDAP+KeyCape stack - Fix verify-t03.sh: remove keycloak_db/role checks; fix ((PASS++)) set-e bug - Update postgresql/cluster.yaml: drop keycloak_db, bootstrap privacyidea_db only - Update postgresql/create-secrets.sh: remove keycloak secret - Fix netpol-databases.yaml: add port 8000 for CNPG instance manager HTTP API - T02 COMPLETE: namespaces, network policies, cert-manager issuers applied - T03 COMPLETE: CNPG operator installed, net-kingdom-pg cluster healthy Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -4,11 +4,13 @@
|
||||
# Checks:
|
||||
# 1. CloudNativePG operator is installed and running
|
||||
# 2. Cluster net-kingdom-pg is Ready
|
||||
# 3. Both application databases exist (keycloak_db, privacyidea_db)
|
||||
# 4. Both application roles exist (keycloak, privacyidea)
|
||||
# 3. privacyidea_db database exists
|
||||
# 4. privacyidea role exists
|
||||
# 5. K8s Secrets are present in the databases namespace
|
||||
# 6. (Optional) Scheduled backup CR is present when backup is configured
|
||||
#
|
||||
# Note: keycloak_db removed — Keycloak replaced by Authelia+LLDAP+KeyCape (T05).
|
||||
#
|
||||
# Usage:
|
||||
# chmod +x verify-t03.sh
|
||||
# ./verify-t03.sh
|
||||
@@ -19,9 +21,9 @@ PASS=0
|
||||
FAIL=0
|
||||
WARN=0
|
||||
|
||||
pass() { echo " [PASS] $1"; ((PASS++)); }
|
||||
fail() { echo " [FAIL] $1"; ((FAIL++)); }
|
||||
warn() { echo " [WARN] $1"; ((WARN++)); }
|
||||
pass() { echo " [PASS] $1"; PASS=$((PASS + 1)); }
|
||||
fail() { echo " [FAIL] $1"; FAIL=$((FAIL + 1)); }
|
||||
warn() { echo " [WARN] $1"; WARN=$((WARN + 1)); }
|
||||
|
||||
section() { echo ""; echo "── $1 ──────────────────────────────────────"; }
|
||||
|
||||
@@ -76,15 +78,9 @@ section "3. Databases"
|
||||
|
||||
if [[ -n "$PRIMARY_POD" ]]; then
|
||||
DB_LIST=$(kubectl exec -n databases "$PRIMARY_POD" -- \
|
||||
psql -U postgres -tAc "SELECT datname FROM pg_database WHERE datname IN ('keycloak_db','privacyidea_db') ORDER BY datname;" \
|
||||
psql -U postgres -tAc "SELECT datname FROM pg_database WHERE datname = 'privacyidea_db';" \
|
||||
2>/dev/null || echo "")
|
||||
|
||||
if echo "$DB_LIST" | grep -q "keycloak_db"; then
|
||||
pass "keycloak_db exists"
|
||||
else
|
||||
fail "keycloak_db not found"
|
||||
fi
|
||||
|
||||
if echo "$DB_LIST" | grep -q "privacyidea_db"; then
|
||||
pass "privacyidea_db exists"
|
||||
else
|
||||
@@ -99,15 +95,9 @@ section "4. Database roles"
|
||||
|
||||
if [[ -n "$PRIMARY_POD" ]]; then
|
||||
ROLE_LIST=$(kubectl exec -n databases "$PRIMARY_POD" -- \
|
||||
psql -U postgres -tAc "SELECT rolname FROM pg_roles WHERE rolname IN ('keycloak','privacyidea') ORDER BY rolname;" \
|
||||
psql -U postgres -tAc "SELECT rolname FROM pg_roles WHERE rolname = 'privacyidea';" \
|
||||
2>/dev/null || echo "")
|
||||
|
||||
if echo "$ROLE_LIST" | grep -q "keycloak"; then
|
||||
pass "role keycloak exists"
|
||||
else
|
||||
fail "role keycloak not found"
|
||||
fi
|
||||
|
||||
if echo "$ROLE_LIST" | grep -q "privacyidea"; then
|
||||
pass "role privacyidea exists"
|
||||
else
|
||||
@@ -120,7 +110,7 @@ fi
|
||||
# ── 5. K8s Secrets ────────────────────────────────────────────────────────────
|
||||
section "5. K8s Secrets (databases namespace)"
|
||||
|
||||
for secret in net-kingdom-pg-keycloak-app net-kingdom-pg-privacyidea-app; do
|
||||
for secret in net-kingdom-pg-privacyidea-app; do
|
||||
if kubectl get secret "$secret" -n databases &>/dev/null; then
|
||||
pass "Secret $secret exists"
|
||||
else
|
||||
|
||||
Reference in New Issue
Block a user