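#!/usr/bin/env bash
# create-secrets.sh — create K8s Secrets for PostgreSQL from gen-secrets.sh output
#
# Usage:
#   ./create-secrets.sh [SECRETS_DIR]
#
# SECRETS_DIR is the output directory produced by sso-mfa/bootstrap/gen-secrets.sh
# (default: ../../bootstrap/secrets).
#
# Creates one K8s Secret in the databases namespace:
#   net-kingdom-pg-privacyidea-app — privacyIDEA DB credentials
#
# Note: net-kingdom-pg-keycloak-app removed — Keycloak replaced by Authelia+LLDAP+KeyCape (T05).
#
# These secrets must exist before applying cluster.yaml.
# Re-run this script whenever you rotate passwords in KeePassXC / gen-secrets.sh.
#
# Security notes:
#   * The generated env file is *executed* as shell code (it is sourced). Only
#     point this script at a secrets directory you trust, and keep the file
#     owner-only readable.
#   * The password is never put on a command line, so it does not appear in
#     `ps`, shell history or a `set -x` trace; the manifest is streamed to
#     kubectl on stdin.
#   * `kubectl apply` records the full object, data included, in the
#     kubectl.kubernetes.io/last-applied-configuration annotation. Anyone able to
#     read the Secret can read its data anyway, so this adds no exposure, but
#     keep it in mind when auditing or dumping objects.

set -euo pipefail

readonly SECRET_NAME="net-kingdom-pg-privacyidea-app"
readonly SECRET_NAMESPACE="databases"
readonly DB_USERNAME="privacyidea"

# die MSG... — print an error to stderr and exit 1.
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

# b64 VALUE — base64-encode VALUE with no line wrapping. `tr` is used instead
# of `base64 -w0` so this works with both GNU and BSD base64. printf is a shell
# builtin, so the value never appears in any process's argument list.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

command -v kubectl >/dev/null 2>&1 || die "kubectl not found in PATH"

SECRETS_DIR="${1:-../../bootstrap/secrets}"
if [[ ! -d "$SECRETS_DIR" ]]; then
  echo "ERROR: secrets directory not found: $SECRETS_DIR" >&2
  echo "Run sso-mfa/bootstrap/gen-secrets.sh first, then re-run this script." >&2
  exit 1
fi

PI_SECRETS="$SECRETS_DIR/privacyidea/secrets.env"
[[ -f "$PI_SECRETS" ]] || die "$PI_SECRETS not found"

# Read PI_DB_PASSWORD from the generated env file (KEY=VALUE pairs, no export).
# The file is sourced inside the $(...) subshell, so nothing leaks into this
# script's environment. The path is passed as a quoted argument rather than
# interpolated into a `bash -c` string: a path containing spaces or shell
# metacharacters must not be re-parsed as code. Errors from the sourced file are
# deliberately NOT silenced — a broken secrets file should fail loudly instead of
# quietly yielding an empty password.
PI_DB_PASS=$(
  set +u  # the generated file may reference variables this script does not define
  # shellcheck disable=SC1090 — path is only known at runtime
  source "$PI_SECRETS"
  printf '%s' "${PI_DB_PASSWORD:-}"
) || die "failed to source $PI_SECRETS"

if [[ -z "$PI_DB_PASS" ]]; then
  echo "ERROR: could not read PI_DB_PASSWORD from $PI_SECRETS" >&2
  echo "Check that gen-secrets.sh ran successfully and the file is intact." >&2
  exit 1
fi

echo "Creating K8s Secret: $SECRET_NAME"
# Build the Secret manifest here and stream it to kubectl on stdin. The previous
# form, `kubectl create secret generic --from-literal=password=...`, placed the
# password in kubectl's argv where any local user could read it via `ps`. Values
# go base64-encoded into `data` (not `stringData`) so a password containing
# YAML-significant characters (quotes, `#`, `:`) cannot break or alter the
# manifest. The result is the same Opaque Secret with `username`/`password` keys
# that `kubectl create secret generic` would have produced.
kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $SECRET_NAME
  namespace: $SECRET_NAMESPACE
type: Opaque
data:
  username: $(b64 "$DB_USERNAME")
  password: $(b64 "$PI_DB_PASS")
EOF

echo ""
echo "Done. Secret created in namespace: $SECRET_NAMESPACE"
echo ""
echo "Verify:"
echo "  kubectl get secrets -n $SECRET_NAMESPACE"
echo "  kubectl describe secret $SECRET_NAME -n $SECRET_NAMESPACE"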