#!/usr/bin/env bash # create-pi-token.sh — fetch a privacyIDEA admin JWT and store it for KeyCape # # Usage: # ./create-pi-token.sh [secrets-dir] # # Run this script AFTER T04 bootstrap (privacyIDEA admin account created). # It authenticates to the privacyIDEA API, fetches a long-lived admin JWT, # and writes it to secrets/keycape/pi_admin_token. # # After running this script, re-run create-secrets.sh to update the # keycape-config K8s Secret with the real token, then restart KeyCape: # ./create-secrets.sh # kubectl rollout restart deployment/keycape -n sso # # The privacyIDEA admin token does NOT expire by default (it is a permanent # service account token). Store it in KeePassXC as: # net-kingdom/KeyCape/pi-admin-token # # Requires: kubectl, curl, jq set -euo pipefail SECRETS_DIR="${1:-../../bootstrap/secrets}" PI_ENV="$SECRETS_DIR/privacyidea/secrets.env" TOKEN_FILE="$SECRETS_DIR/keycape/pi_admin_token" if [[ ! -f "$PI_ENV" ]]; then echo "ERROR: $PI_ENV not found — run sso-mfa/bootstrap/gen-secrets.sh first." >&2 exit 1 fi read_env() { bash -c "source '$1' 2>/dev/null; echo \${$2}"; } PI_ADMIN_PASSWORD=$(read_env "$PI_ENV" PI_ADMIN_PASSWORD) if [[ -z "$PI_ADMIN_PASSWORD" ]]; then echo "ERROR: PI_ADMIN_PASSWORD is empty in $PI_ENV" >&2 exit 1 fi # Determine privacyIDEA base URL — use cluster-internal URL if kubectl is available # and we can reach the service, otherwise fall back to the public hostname. PI_BASE_URL="" if kubectl get service privacyidea -n mfa &>/dev/null 2>&1; then # Prefer running a one-shot pod inside the cluster to avoid needing # public TLS to be up during bootstrap. PI_BASE_URL="http://privacyidea.mfa.svc.cluster.local:8080" USE_CLUSTER=true else PI_BASE_URL="https://pink.coulomb.social" USE_CLUSTER=false fi echo "Fetching privacyIDEA admin token from: $PI_BASE_URL" if [[ "$USE_CLUSTER" == "true" ]]; then # Run curl inside the cluster (avoids needing public TLS to be live) TOKEN=$(kubectl run -n mfa --rm -i --restart=Never pi-token-fetch \ --image=curlimages/curl:8 --quiet \ -- curl -sf \ -X POST "$PI_BASE_URL/auth" \ -H "Content-Type: application/x-www-form-urlencoded" \ -d "username=pi-admin&password=${PI_ADMIN_PASSWORD}" \ 2>/dev/null \ | python3 -c "import sys,json; data=json.load(sys.stdin); print(data['result']['value']['token'])" \ 2>/dev/null || echo "") else TOKEN=$(curl -sf \ -X POST "$PI_BASE_URL/auth" \ -H "Content-Type: application/x-www-form-urlencoded" \ -d "username=pi-admin&password=${PI_ADMIN_PASSWORD}" \ | python3 -c "import sys,json; data=json.load(sys.stdin); print(data['result']['value']['token'])" \ 2>/dev/null || echo "") fi if [[ -z "$TOKEN" ]]; then echo "ERROR: failed to fetch token from privacyIDEA." >&2 echo " Verify that privacyIDEA is Running and the pi-admin account exists." >&2 echo " Check: kubectl logs -n mfa \$(kubectl get pod -n mfa -l app.kubernetes.io/name=privacyidea -o name | head -1)" >&2 exit 1 fi mkdir -p "$(dirname "$TOKEN_FILE")" echo -n "$TOKEN" > "$TOKEN_FILE" chmod 600 "$TOKEN_FILE" echo "" echo "Token written to: $TOKEN_FILE" echo "Token preview : ${TOKEN:0:32}…" echo "" echo "IMPORTANT: Store this token in KeePassXC → net-kingdom/KeyCape/pi-admin-token" echo " as a password entry. It cannot be recovered without re-authenticating." echo "" echo "Next steps:" echo " 1. Re-run create-secrets.sh to update keycape-config with the real token." echo " 2. Restart KeyCape: kubectl rollout restart deployment/keycape -n sso"