generated from coulomb/repo-seed
CloudNativePG Cluster CR (net-kingdom-pg, PostgreSQL 16) with two application databases: keycloak_db (owner: keycloak) and privacyidea_db (owner: privacyidea). Passwords managed continuously via managed.roles. WAL archiving section stubbed and commented; activate when object storage is available. ScheduledBackup CR included (daily 02:00 UTC, 7d retention). Also: sync workplan status for T01 (Phase 0a done), T02 (manifests done), T03 (manifests done, restore drill pending); close NK-WP-0002. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
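#!/usr/bin/env bash
# create-secrets.sh — create K8s Secrets for PostgreSQL from gen-secrets.sh output
#
# Usage:
#   ./create-secrets.sh <secrets-dir>
#
# <secrets-dir> is the output directory produced by sso-mfa/bootstrap/gen-secrets.sh
# (default: ../../bootstrap/secrets — note this is resolved relative to the
# current working directory, not to the location of this script).
#
# Creates two K8s Secrets in the databases namespace:
#   net-kingdom-pg-keycloak-app    — keycloak DB credentials
#   net-kingdom-pg-privacyidea-app — privacyIDEA DB credentials
#
# These secrets must exist before applying cluster.yaml.
# Re-run this script whenever you rotate passwords in KeePassXC / gen-secrets.sh.
#
# Handling of the secret material:
#   - The secrets.env files are shell KEY=VALUE fragments and are *sourced*
#     (in a subshell), so only point this script at files written by
#     gen-secrets.sh — anything in them is executed.
#   - Passwords are passed to kubectl through a process substitution rather
#     than --from-literal, so they do not show up in the process argument
#     list (ps / audit logs) on the machine running this script.
#   - Do not run this script under `bash -x` / `set -x`: the trace output
#     would print the passwords.

set -euo pipefail

readonly NAMESPACE=databases

#######################################
# Print each argument on its own line to stderr and exit 1.
# Arguments: message lines
#######################################
die() {
  printf '%s\n' "$@" >&2
  exit 1
}

#######################################
# Read one variable from a KEY=VALUE env file without altering the caller's
# environment.
# Arguments: $1 - env file path
#            $2 - variable name to read
# Outputs:   the value on stdout, with no trailing newline; empty if the
#            variable is not set in the file
# Returns:   non-zero if the file cannot be sourced
#######################################
read_env_var() {
  local file=$1 name=$2
  # Subshell: assignments made by the sourced file are discarded on return.
  # set +u so a missing key yields "" (caught by the caller's -z check)
  # instead of aborting with an unbound-variable error.
  (
    set +u
    # shellcheck disable=SC1090
    . "$file"
    # Quoted and via printf: a password containing spaces, '*' or a leading
    # '-' survives intact (unquoted echo would split/glob/mis-parse it).
    printf '%s' "${!name}"
  )
}

#######################################
# Create (or update, idempotently) the Secret holding one DB role's credentials.
# Globals:   NAMESPACE (read)
# Arguments: $1 - Secret name
#            $2 - database username
#            $3 - database password
# Returns:   kubectl's exit status
#######################################
create_db_secret() {
  local secret_name=$1 username=$2 password=$3
  printf 'Creating K8s Secret: %s\n' "$secret_name"
  # --from-file on a process substitution keeps the password out of argv.
  # printf '%s' writes no trailing newline, so the stored value is identical
  # to what --from-literal would have produced.
  # NOTE: `kubectl apply` also records the object in the
  # last-applied-configuration annotation; use server-side apply or
  # `kubectl replace --force` if that duplicate copy of the data is unwanted.
  kubectl create secret generic "$secret_name" \
    --namespace="$NAMESPACE" \
    --from-literal=username="$username" \
    --from-file=password=<(printf '%s' "$password") \
    --dry-run=client -o yaml | kubectl apply -f -
}

#######################################
# Entry point: validate inputs, read the generated passwords, create Secrets.
# Arguments: $1 - secrets directory (optional, see header)
#######################################
main() {
  local secrets_dir=${1:-../../bootstrap/secrets}
  local pg_secrets pi_secrets pg_kc_pass pi_db_pass

  command -v kubectl >/dev/null 2>&1 || die "ERROR: kubectl not found in PATH"

  if [[ ! -d "$secrets_dir" ]]; then
    die "ERROR: secrets directory not found: $secrets_dir" \
      "Run sso-mfa/bootstrap/gen-secrets.sh first, then re-run this script."
  fi

  pg_secrets="$secrets_dir/postgres/secrets.env"
  pi_secrets="$secrets_dir/privacyidea/secrets.env"

  [[ -f "$pg_secrets" ]] || die "ERROR: $pg_secrets not found"
  [[ -f "$pi_secrets" ]] || die "ERROR: $pi_secrets not found"

  # A file that fails to source is reported through the -z check below
  # (with the sourcing error left visible on stderr) rather than aborting
  # silently under set -e.
  pg_kc_pass=$(read_env_var "$pg_secrets" PG_KEYCLOAK_PASSWORD) || pg_kc_pass=
  pi_db_pass=$(read_env_var "$pi_secrets" PI_DB_PASSWORD) || pi_db_pass=

  if [[ -z "$pg_kc_pass" || -z "$pi_db_pass" ]]; then
    die "ERROR: could not read passwords from secrets files." \
      "Check that gen-secrets.sh ran successfully and the files are intact."
  fi

  create_db_secret net-kingdom-pg-keycloak-app keycloak "$pg_kc_pass"
  create_db_secret net-kingdom-pg-privacyidea-app privacyidea "$pi_db_pass"

  printf '\nDone. Secrets created in namespace: %s\n\n' "$NAMESPACE"
  printf 'Verify:\n'
  printf '  kubectl get secrets -n %s\n' "$NAMESPACE"
  printf '  kubectl describe secret net-kingdom-pg-keycloak-app -n %s\n' "$NAMESPACE"
}

main "$@"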