#!/usr/bin/env bash # creds-apply.sh — run all create-secrets.sh scripts in dependency order. # # Usage: # bash sso-mfa/bootstrap/creds-apply.sh [secrets-dir] # make creds-apply # # Dependency order: # 1. postgresql (no dependencies) # 2. lldap (needs: secrets/lldap/secrets.env) # 3. authelia (needs: lldap/secrets.env → LLDAP_LDAP_USER_PASS) # 4. privacyidea (needs: secrets/privacyidea/secrets.env) # 5. keycape SKIPPED — requires PI_ADMIN_TOKEN from post-T04 bootstrap. # Run sso-mfa/k8s/keycape/create-pi-token.sh, then # sso-mfa/k8s/keycape/create-secrets.sh manually. # # After each successful component, creds-state.yaml is updated. set -euo pipefail SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)" REPO_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)" SECRETS_DIR="${1:-$SCRIPT_DIR/secrets}" STATE_FILE="$SCRIPT_DIR/creds-state.yaml" K8S_DIR="$REPO_ROOT/sso-mfa/k8s" # ── Preflight checks ────────────────────────────────────────────────────────── if [[ -z "${KUBECONFIG:-}" && ! -f "$HOME/.kube/config" ]]; then echo "ERROR: KUBECONFIG is not set and ~/.kube/config does not exist." >&2 echo " Set KUBECONFIG or ensure cluster access before running creds-apply." >&2 exit 1 fi if ! kubectl cluster-info &>/dev/null; then echo "ERROR: Cannot reach the Kubernetes cluster." >&2 echo " Ensure the cluster is running and KUBECONFIG points to the right context." >&2 exit 1 fi if [[ ! -d "$SECRETS_DIR" ]]; then echo "ERROR: secrets directory not found: $SECRETS_DIR" >&2 echo " Run 'make creds-generate' first." >&2 exit 1 fi echo "=== creds-apply — net-kingdom SSO/MFA secrets ===" echo "Secrets dir : $SECRETS_DIR" echo "Cluster : $(kubectl config current-context 2>/dev/null || echo '(unknown)')" echo "" # ── Helper: run a component's create-secrets.sh ─────────────────────────────── run_component() { local component="$1" local script_dir="$K8S_DIR/$component" local script="$script_dir/create-secrets.sh" local state_key="$2" echo "──────────────────────────────────────────────" echo "Applying: $component" if [[ ! -f "$script" ]]; then echo "ERROR: $script not found" >&2 exit 1 fi (cd "$script_dir" && bash create-secrets.sh "$SECRETS_DIR") # Update state file if [[ -f "$STATE_FILE" ]]; then sed -i "s|^ $state_key: .*| $state_key: true|" "$STATE_FILE" echo " [state] secrets_applied.$state_key → true" fi echo "" } # ── Step 1: PostgreSQL ──────────────────────────────────────────────────────── run_component "postgresql" "postgres" # ── Step 2: LLDAP ──────────────────────────────────────────────────────────── if [[ ! -f "$SECRETS_DIR/lldap/secrets.env" ]]; then echo "ERROR: $SECRETS_DIR/lldap/secrets.env not found — run creds-generate first." >&2 exit 1 fi run_component "lldap" "lldap" # ── Step 3: Authelia (needs LLDAP bind password from lldap/secrets.env) ─────── run_component "authelia" "authelia" # ── Step 4: privacyIDEA ─────────────────────────────────────────────────────── if [[ ! -f "$SECRETS_DIR/privacyidea/secrets.env" ]]; then echo "ERROR: $SECRETS_DIR/privacyidea/secrets.env not found." >&2 exit 1 fi run_component "privacyidea" "privacyidea" # ── Step 5: KeyCape — SKIPPED (requires PI_ADMIN_TOKEN) ────────────────────── echo "──────────────────────────────────────────────" echo "SKIPPED: keycape (requires PI_ADMIN_TOKEN from post-T04 bootstrap)" echo "" echo " After privacyIDEA is Running and bootstrapped:" echo " 1. TIME-SENSITIVE: run enckey-bootstrap.sh while pod is live:" echo " bash $K8S_DIR/privacyidea/enckey-bootstrap.sh" echo "" echo " 2. Create the pi-admin user:" echo " bash $K8S_DIR/privacyidea/bootstrap-admin.sh" echo "" echo " 3. Generate the PI admin token for KeyCape:" echo " bash $K8S_DIR/keycape/create-pi-token.sh" echo "" echo " 4. Apply KeyCape secrets:" echo " bash $K8S_DIR/keycape/create-secrets.sh $SECRETS_DIR" echo "" echo " 5. Update state:" echo " make creds-verify" echo "" echo "=== creds-apply complete ===" echo "Run 'make creds-status' to review state." echo "Run 'make creds-verify' to confirm K8s secrets exist."