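#!/usr/bin/env bash
# create-secrets.sh — create the lldap-secrets K8s Secret
#
# Usage:
#   ./create-secrets.sh [secrets-dir]
#
# <secrets-dir> is the output directory from sso-mfa/bootstrap/gen-secrets.sh
# (default: ../../bootstrap/secrets).
#
# Creates ONE Secret in the sso namespace:
#   lldap-secrets — LLDAP_JWT_SECRET, LLDAP_LDAP_USER_PASS
#
# LLDAP_LDAP_USER_PASS is also used as the LDAP bind password
# by Authelia (authelia/create-secrets.sh) and KeyCape (keycape/create-secrets.sh).
# All three read the same value from secrets/lldap/secrets.env.
#
# Handling of secret material:
#   - secrets.env is shell syntax and is *sourced*, i.e. executed as shell code.
#     Only point this script at a secrets directory you trust. It is sourced in
#     a subshell (not via `bash -c` with the path interpolated into the command
#     string), so a path containing quotes or metacharacters cannot inject
#     commands, and nothing the file defines leaks into this script.
#   - Values are handed to kubectl through owner-only files in a private mktemp
#     directory instead of --from-literal, so they never appear in the process
#     argument list (`ps`, /proc/<pid>/cmdline, `set -x` traces).
#   - Values are never echoed to the terminal.

set -euo pipefail

SECRETS_DIR="${1:-../../bootstrap/secrets}"
LLDAP_ENV="$SECRETS_DIR/lldap/secrets.env"
readonly SECRETS_DIR LLDAP_ENV

NAMESPACE=sso
SECRET_NAME=lldap-secrets
readonly NAMESPACE SECRET_NAME

#######################################
# Read one variable out of a shell-syntax env file.
# The file is sourced in a subshell so its assignments (and anything else it
# contains) do not affect this script's own variables.
# Arguments: $1 - env file path
#            $2 - variable name to read
# Outputs:   the value on stdout, without a trailing newline (empty if unset)
# Returns:   non-zero if the file cannot be sourced
#######################################
read_env_var() {
  local file=$1 name=$2
  (
    set +u  # the file may legitimately leave other variables unset
    # shellcheck disable=SC1090  # path is runtime input, not a static file
    . "$file" || exit 1
    printf '%s' "${!name-}"
  )
}

if ! command -v kubectl >/dev/null 2>&1; then
  echo "ERROR: kubectl not found in PATH" >&2
  exit 1
fi

if [[ ! -d "$SECRETS_DIR" ]]; then
  echo "ERROR: secrets directory not found: $SECRETS_DIR" >&2
  echo "Run sso-mfa/bootstrap/gen-secrets.sh first." >&2
  exit 1
fi

if [[ ! -f "$LLDAP_ENV" ]]; then
  echo "ERROR: $LLDAP_ENV not found" >&2
  echo "If you ran gen-secrets.sh before the KeyCape migration, re-run it to add LLDAP secrets." >&2
  exit 1
fi

# A sourcing failure is reported instead of being silenced with 2>/dev/null;
# an empty value would otherwise be indistinguishable from a broken file.
LLDAP_JWT_SECRET=$(read_env_var "$LLDAP_ENV" LLDAP_JWT_SECRET) || {
  echo "ERROR: failed to source $LLDAP_ENV" >&2
  exit 1
}
LLDAP_LDAP_USER_PASS=$(read_env_var "$LLDAP_ENV" LLDAP_LDAP_USER_PASS) || {
  echo "ERROR: failed to source $LLDAP_ENV" >&2
  exit 1
}

if [[ -z "$LLDAP_JWT_SECRET" || -z "$LLDAP_LDAP_USER_PASS" ]]; then
  echo "ERROR: could not read LLDAP_JWT_SECRET or LLDAP_LDAP_USER_PASS from $LLDAP_ENV" >&2
  exit 1
fi

# Stage the values as files so kubectl reads them from disk rather than argv.
# umask 077 makes the directory and files owner-only; the EXIT trap removes
# them on every exit path, including failure. Point TMPDIR at a tmpfs mount if
# the default temp location is persistent storage.
umask 077
tmpdir=$(mktemp -d) || { echo "ERROR: mktemp failed" >&2; exit 1; }
cleanup() { rm -rf -- "${tmpdir:?}"; }
trap cleanup EXIT

# printf '%s' writes no trailing newline, so --from-file below produces exactly
# the same Secret data as the former --from-literal=KEY=VALUE.
printf '%s' "$LLDAP_JWT_SECRET" > "$tmpdir/LLDAP_JWT_SECRET"
printf '%s' "$LLDAP_LDAP_USER_PASS" > "$tmpdir/LLDAP_LDAP_USER_PASS"

echo "Creating K8s Secret: lldap-secrets (namespace: sso)"
# NOTE: client-side `kubectl apply` also records the full object in the
# kubectl.kubernetes.io/last-applied-configuration annotation, so the Secret's
# data is duplicated in its own metadata. Anyone who can read the Secret can
# read that annotation anyway, but keep it in mind when auditing or diffing.
kubectl create secret generic "$SECRET_NAME" \
  --namespace="$NAMESPACE" \
  --from-file=LLDAP_JWT_SECRET="$tmpdir/LLDAP_JWT_SECRET" \
  --from-file=LLDAP_LDAP_USER_PASS="$tmpdir/LLDAP_LDAP_USER_PASS" \
  --dry-run=client -o yaml | kubectl apply -f -

echo ""
echo "Done. Secret lldap-secrets created in namespace: sso"
echo ""
echo "Next:"
echo "  Apply manifests (see README.md apply order)."
echo "  After LLDAP is Running, create application groups:"
echo "    - Log in to https://lldap.coulomb.social with the admin account."
echo "    - Create group: net-kingdom-users"
echo "    - Create group: net-kingdom-admins"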