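#!/usr/bin/env bash
# create-secrets.sh — create the keycloak-config K8s Secret
#
# Usage:
#   ./create-secrets.sh [secrets-dir] [--rotate]
#
# <secrets-dir> is the output directory from sso-mfa/bootstrap/gen-secrets.sh
# (default: ../../bootstrap/secrets).
#
# Creates ONE Secret in the sso namespace:
#   keycloak-config — KC_DB_URL, KC_DB_PASSWORD, KC_BOOTSTRAP_ADMIN_PASSWORD
#
# This secret must exist before applying deployment.yaml.
#
# Re-run with --rotate to update secrets after a rotation in KeePassXC.
# The write is an idempotent `kubectl apply`, so --rotate only changes the
# reminder printed at the end; the new values replace the old ones either way.
#
# Security notes:
#   * The secrets.env files are *sourced* (i.e. executed) in a throw-away
#     subshell. Only point this script at files written by gen-secrets.sh.
#   * Secret values are never placed on a command line (argv is visible in
#     `ps`, shell history and audit logs). They are written to files in a
#     0700 temp dir that is removed on exit, and kubectl reads them from there.
#   * `kubectl apply` stores the full object in the
#     kubectl.kubernetes.io/last-applied-configuration annotation, so the
#     values also appear there (same object, same RBAC — but keep it in mind
#     when sharing `kubectl get -o yaml` output).
set -euo pipefail

die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

SECRETS_DIR="../../bootstrap/secrets"
ROTATE=0
for arg in "$@"; do
  case "$arg" in
    --rotate) ROTATE=1 ;;
    -*) die "unknown option: $arg" ;;
    *) SECRETS_DIR="$arg" ;;
  esac
done

KC_ENV="$SECRETS_DIR/keycloak/secrets.env"
PG_ENV="$SECRETS_DIR/postgres/secrets.env"

[[ -d "$SECRETS_DIR" ]] \
  || die "secrets directory not found: $SECRETS_DIR — run sso-mfa/bootstrap/gen-secrets.sh first."
for f in "$KC_ENV" "$PG_ENV"; do
  [[ -f "$f" ]] || die "$f not found"
done

#######################################
# Print the value of one variable defined in an env file.
# The file is sourced in a child bash so nothing it sets leaks into this
# script. The path and variable name are passed as arguments, never
# interpolated into the command string, so unusual characters in the path
# cannot inject shell syntax. Fails (non-zero) if the variable is unset.
# Arguments: $1 - env file path, $2 - variable name
# Outputs:   the value on stdout, without a trailing newline
#######################################
read_env_var() {
  bash -c 'set -u; source "$1"; printf "%s" "${!2}"' _ "$1" "$2"
}

KC_ADMIN_PASSWORD=$(read_env_var "$KC_ENV" KC_ADMIN_PASSWORD) \
  || die "could not read KC_ADMIN_PASSWORD from $KC_ENV — check that gen-secrets.sh ran successfully."
KC_DB_PASSWORD=$(read_env_var "$KC_ENV" KC_DB_PASSWORD) \
  || die "could not read KC_DB_PASSWORD from $KC_ENV — check that gen-secrets.sh ran successfully."
if [[ -z "$KC_ADMIN_PASSWORD" || -z "$KC_DB_PASSWORD" ]]; then
  die "KC_ADMIN_PASSWORD or KC_DB_PASSWORD is empty in $KC_ENV — check that gen-secrets.sh ran successfully."
fi

# Construct the JDBC database URL.
# CloudNativePG read-write service: net-kingdom-pg-rw.databases.svc.cluster.local
# Keycloak uses JDBC format (jdbc:postgresql://...) — NOT the SQLAlchemy URI format.
KC_DB_URL="jdbc:postgresql://net-kingdom-pg-rw.databases.svc.cluster.local:5432/keycloak_db"

# Stage the values as one file per key in a private temp dir. printf '%s'
# writes no trailing newline — with --from-file the file content is the
# value byte-for-byte, so a newline here would end up inside the password.
umask 077
STAGE_DIR=$(mktemp -d) || die "mktemp failed"
trap 'rm -rf -- "${STAGE_DIR:?}"' EXIT
printf '%s' "$KC_DB_URL"          > "$STAGE_DIR/KC_DB_URL"
printf '%s' "$KC_DB_PASSWORD"     > "$STAGE_DIR/KC_DB_PASSWORD"
printf '%s' "$KC_ADMIN_PASSWORD"  > "$STAGE_DIR/KC_BOOTSTRAP_ADMIN_PASSWORD"

echo "Creating K8s Secret: keycloak-config (namespace: sso)"
# Render client-side and apply so re-runs update the existing Secret in place.
# With pipefail a failure in either stage aborts the script.
kubectl create secret generic keycloak-config \
  --namespace=sso \
  --from-file=KC_DB_URL="$STAGE_DIR/KC_DB_URL" \
  --from-file=KC_DB_PASSWORD="$STAGE_DIR/KC_DB_PASSWORD" \
  --from-file=KC_BOOTSTRAP_ADMIN_PASSWORD="$STAGE_DIR/KC_BOOTSTRAP_ADMIN_PASSWORD" \
  --dry-run=client -o yaml | kubectl apply -f -

echo ""
echo "Done. Secret keycloak-config created in namespace: sso"
echo ""
if (( ROTATE )); then
  echo "Rotation applied. Running pods keep the OLD values until restarted:"
  echo "  restart the Keycloak Deployment in namespace sso to pick up the new secret."
  echo ""
fi
echo "Next:"
echo "  1. Edit deployment.yaml: set PROVIDER_JAR_URL to the privacyIDEA provider JAR URL (CP-NK-005)."
echo "  2. Apply manifests (see README.md apply order)."
echo "  3. After the pod is Running+Ready, run: ./bootstrap-realm.sh"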