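#!/usr/bin/env bash
# create-secrets.sh — create the privacyidea-config K8s Secret
#
# Usage:
#   ./create-secrets.sh [secrets-dir]
#
# <secrets-dir> is the output directory from sso-mfa/bootstrap/gen-secrets.sh
# (default: ../../bootstrap/secrets).
#
# Creates ONE Secret in the mfa namespace:
#   privacyidea-config — PI_SECRET_KEY, PI_PEPPER, PI_SQLALCHEMY_DATABASE_URI
#
# This secret must exist before applying deployment.yaml.
#
# The enckey and auditkey Secrets (privacyidea-enckey, privacyidea-auditkeys)
# are created separately by enckey-bootstrap.sh AFTER the first pod start,
# because those keys are auto-generated by the container on first run.
#
# Re-run this script if you rotate PI_SECRET_KEY or PI_PEPPER in KeePassXC.
#
# Security notes:
#   * secrets.env is *sourced*, i.e. executed as shell code. It must be trusted:
#     this script refuses a file that is not owned by the caller or that is
#     world-writable.
#   * Secret values are never put on a command line (no --from-literal), so they
#     do not show up in `ps` or /proc/*/cmdline. The manifest is assembled in
#     this shell and handed to kubectl on stdin.
#   * Do not run this under `bash -x` / `set -x` — the trace would print the
#     secret values.
#   * `kubectl apply` stores a copy of the manifest (including the base64 data)
#     in the last-applied-configuration annotation of the Secret; that is the
#     same behaviour as `kubectl create ... --dry-run=client -o yaml | kubectl apply`.

set -euo pipefail

readonly NAMESPACE="mfa"
readonly SECRET_NAME="privacyidea-config"
# CloudNativePG read-write service: net-kingdom-pg-rw.databases.svc.cluster.local
readonly DB_HOST="net-kingdom-pg-rw.databases.svc.cluster.local"
readonly DB_PORT="5432"
readonly DB_USER="privacyidea"
readonly DB_NAME="privacyidea_db"

SECRETS_DIR="${1:-../../bootstrap/secrets}"
PI_ENV="$SECRETS_DIR/privacyidea/secrets.env"

#######################################
# Print an error to stderr and exit 1.
# Arguments: $* - message
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Percent-encode a string for the userinfo (password) part of a URI.
# RFC 3986 unreserved characters pass through; every other BYTE becomes %XX.
# SQLAlchemy requires the password inside the URL to be URL-encoded — an
# unencoded '@', ':', '/', '#', '?' or '%' breaks URL parsing.
# Runs in a subshell with LC_ALL=C so multibyte input is encoded byte-wise.
# Arguments: $1 - raw string
# Outputs:   encoded string on stdout, no trailing newline
#######################################
urlencode() (
  export LC_ALL=C
  local raw="$1" out="" ch hex i
  for (( i = 0; i < ${#raw}; i++ )); do
    ch="${raw:i:1}"
    case "$ch" in
      [A-Za-z0-9._~-]) out+="$ch" ;;
      *)
        # "'c" makes printf yield the numeric value of the character/byte.
        printf -v hex '%%%02X' "'$ch"
        out+="$hex"
        ;;
    esac
  done
  printf '%s' "$out"
)

#######################################
# Base64-encode stdin as a single line.
# GNU base64 wraps at 76 columns, BSD/macOS does not; strip newlines either way
# so the value is valid inside a YAML scalar.
#######################################
b64() {
  base64 | tr -d '\n'
}

if [[ ! -d "$SECRETS_DIR" ]]; then
  echo "ERROR: secrets directory not found: $SECRETS_DIR" >&2
  echo "Run sso-mfa/bootstrap/gen-secrets.sh first." >&2
  exit 1
fi

if [[ ! -f "$PI_ENV" ]]; then
  echo "ERROR: $PI_ENV not found" >&2
  exit 1
fi

# The env file is executed as shell code below, so refuse anything another
# user could have tampered with. (A SECRETS_DIR beginning with '-' would
# confuse find; that case is simply not flagged.)
if [[ ! -O "$PI_ENV" ]]; then
  die "$PI_ENV is not owned by the invoking user; refusing to source it"
fi
if [[ -n "$(find "$PI_ENV" -maxdepth 0 -perm -o+w 2>/dev/null)" ]]; then
  die "$PI_ENV is world-writable; refusing to source it"
fi

command -v kubectl >/dev/null 2>&1 || die "kubectl not found in PATH"

# Read the three values from the generated env file.
# The file is sourced once, inside a process substitution (a subshell), so
# nothing it defines leaks into this script. The path is used directly as a
# word — never interpolated into a `bash -c` string — so an unusual directory
# name cannot become shell syntax. Values travel NUL-separated so arbitrary
# characters (spaces, quotes, newlines) survive intact. The file's stdout is
# discarded so stray output cannot corrupt the stream; its stderr is left
# visible as a diagnostic. `|| true` keeps the friendly error below reachable
# even if the file calls `exit` and the reads hit EOF.
{
  IFS= read -r -d '' PI_SECRET_KEY
  IFS= read -r -d '' PI_PEPPER
  IFS= read -r -d '' PI_DB_PASSWORD
} < <(
  # shellcheck disable=SC1090 — path is only known at runtime
  . "$PI_ENV" >/dev/null || true
  printf '%s\0' "${PI_SECRET_KEY-}" "${PI_PEPPER-}" "${PI_DB_PASSWORD-}"
) || true

if [[ -z "${PI_SECRET_KEY-}" || -z "${PI_PEPPER-}" || -z "${PI_DB_PASSWORD-}" ]]; then
  echo "ERROR: could not read PI_SECRET_KEY, PI_PEPPER, or PI_DB_PASSWORD from $PI_ENV" >&2
  echo "Check that gen-secrets.sh ran successfully." >&2
  exit 1
fi

# Construct the SQLAlchemy database URI.
# The password is percent-encoded: gen-secrets.sh output is not guaranteed to
# be URL-safe, and an unencoded reserved character would silently break the URI.
PI_DB_URI="postgresql://${DB_USER}:$(urlencode "$PI_DB_PASSWORD")@${DB_HOST}:${DB_PORT}/${DB_NAME}"

# Encode each value up front so a failing base64 is caught (a failure inside
# a here-doc command substitution would not trip `set -e`).
enc_secret_key=$(printf '%s' "$PI_SECRET_KEY" | b64) || die "base64 encoding failed"
enc_pepper=$(printf '%s' "$PI_PEPPER" | b64) || die "base64 encoding failed"
enc_db_uri=$(printf '%s' "$PI_DB_URI" | b64) || die "base64 encoding failed"

printf 'Creating K8s Secret: %s (namespace: %s)\n' "$SECRET_NAME" "$NAMESPACE"

# Assemble the manifest here and feed it over stdin. Using base64 `data`
# (rather than `stringData`) sidesteps YAML quoting of arbitrary values, and
# no secret ever appears in a process argument.
kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${SECRET_NAME}
  namespace: ${NAMESPACE}
type: Opaque
data:
  PI_SECRET_KEY: ${enc_secret_key}
  PI_PEPPER: ${enc_pepper}
  PI_SQLALCHEMY_DATABASE_URI: ${enc_db_uri}
EOF

printf '\n'
printf 'Done. Secret %s created in namespace: %s\n' "$SECRET_NAME" "$NAMESPACE"
printf '\n'
printf 'Next:\n'
printf '  Apply manifests (see README.md apply order).\n'
printf '  After the pod is Running, run: ./enckey-bootstrap.sh\n'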