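#!/usr/bin/env bash
# creds-status.sh — print a human-readable credential state table.
#
# Reads flags and timestamps from creds-state.yaml and prints them as a table.
# Only the values of the keys named below are printed.
#
# Usage:
#   bash sso-mfa/bootstrap/creds-status.sh [STATE_FILE]
#   make creds-status
#
# Arguments:
#   STATE_FILE  optional path to the state file; defaults to creds-state.yaml
#               next to this script.
#
# Exit status: 0 on success, 1 if the state file is missing, and grep's own
# status (>1) if the state file cannot be read.
set -euo pipefail

SCRIPT_DIR="$(cd -- "$(dirname -- "$0")" && pwd)"
STATE_FILE="${1:-$SCRIPT_DIR/creds-state.yaml}"

if [[ ! -f "$STATE_FILE" ]]; then
  echo "ERROR: creds-state.yaml not found: $STATE_FILE" >&2
  echo " This file is created at repo init — check your working directory." >&2
  exit 1
fi

#######################################
# Print the value part of every line in STATE_FILE matching an ERE.
# The key prefix, a trailing "# comment" and double quotes are stripped.
# Globals:   STATE_FILE (read)
# Arguments: $1 - extended regex anchoring the key, built from fixed literals
# Outputs:   matching values on stdout (an empty line when nothing matches)
# Returns:   0 on match or no match; grep's status (>1) on a read error
#######################################
extract_val() {
  local pattern=$1
  local matched rc=0

  # grep exits 1 when no line matches. With `set -e -o pipefail` that status
  # used to propagate out of the command substitution and end the script
  # without any message, so a state file lacking one key produced no table.
  # Tolerate "no match" and report only genuine read errors.
  # `--` keeps a STATE_FILE that starts with '-' from being read as an option.
  matched="$(grep -E -- "$pattern" "$STATE_FILE")" || rc=$?
  if ((rc > 1)); then
    echo "ERROR: cannot read state file: $STATE_FILE" >&2
    return "$rc"
  fi

  printf '%s\n' "$matched" \
    | sed -e 's/^[^:]*: *//' -e 's/ *#.*//' \
    | tr -d '"'
}

# Simple key extractors (no yaml lib dependency).
# The key is interpolated into a regex, so pass only fixed literal key names.
top_val() { extract_val "^$1:"; }

# NOTE(review): the pattern matches exactly the indentation written here;
# confirm it equals the nesting indent used in creds-state.yaml.
nested_val() { extract_val "^ $1:"; }

#######################################
# Map a state value to a one-character icon.
# Arguments: $1 - "true", "false", "null" or anything else
# Outputs:   the icon on stdout; "?" for an unknown or missing value
#######################################
status_icon() {
  case "$1" in
    true) printf '%s\n' "✔" ;;
    false) printf '%s\n' "✗" ;;
    null) printf '%s\n' "—" ;;
    *) printf '%s\n' "?" ;;
  esac
}

echo "=== net-kingdom Credential State ==="
echo ""

generated_at="$(top_val generated_at)"
bundle_at="$(top_val bundle_at)"
keepass_confirmed="$(top_val keepass_confirmed)"

# The confirmation flag is flipped by hand, so remind the operator when unset.
keepass_hint=""
if [[ "$keepass_confirmed" == "false" ]]; then
  keepass_hint="(set keepass_confirmed: true manually)"
fi

printf " %-30s %s\n" "Generated at:" "${generated_at:-—}"
printf " %-30s %s\n" "Bundle at:" "${bundle_at:-—}"
printf " %-30s %s %s\n" "KeePassXC confirmed:" \
  "$(status_icon "$keepass_confirmed")" \
  "$keepass_hint"

echo ""
echo " Secrets applied:"
for component in postgres lldap authelia privacyidea keycape; do
  val="$(nested_val "$component")"
  note=""
  if [[ "$component" == "keycape" && "$val" == "false" ]]; then
    note=" (requires PI_ADMIN_TOKEN — post-T04)"
  fi
  printf " %-28s %s%s\n" "$component" "$(status_icon "$val")" "$note"
done

echo ""
enckey="$(top_val enckey_bootstrapped)"
pi_admin="$(top_val pi_admin_created)"

enckey_hint=""
if [[ "$enckey" == "false" ]]; then
  enckey_hint=" ← TIME-SENSITIVE once pod is live"
fi

printf " %-30s %s%s\n" "enckey bootstrapped:" \
  "$(status_icon "$enckey")" \
  "$enckey_hint"
printf " %-30s %s\n" "pi-admin created:" "$(status_icon "$pi_admin")"

echo ""
echo "Run 'make creds-verify' to refresh state from the live cluster."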