coulomb/net-kingdom
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d0ed7d9cd66ccb60a6a4a59e8cd3878073671cb7
net-kingdom/sso-mfa/k8s/keycloak/create-secrets.sh
Bernd Worsch d0ed7d9cd6 feat(sso-mfa): T05 Keycloak manifests (NK-WP-0001-T05) 
Deploys Keycloak (SSO core) in the sso namespace.

Files:
  sso-mfa/k8s/keycloak/pvc.yaml          — keycloak-data PVC (build cache)
  sso-mfa/k8s/keycloak/middleware.yaml   — rate-limit, admin-allowlist, HSTS
  sso-mfa/k8s/keycloak/deployment.yaml   — Deployment + Service; init container
                                           downloads privacyIDEA provider JAR
  sso-mfa/k8s/keycloak/ingress.yaml      — Ingress for kc.coulomb.social (CP-NK-004)
  sso-mfa/k8s/keycloak/create-secrets.sh — keycloak-config Secret
  sso-mfa/k8s/keycloak/bootstrap-realm.sh— hardens master realm, creates net-kingdom realm
  sso-mfa/k8s/keycloak/README.md         — apply order, custom image guide, DR
  sso-mfa/k8s/verify-t05.sh              — T05 done-criteria verification script

Config points added: CP-NK-004 (kc.coulomb.social), CP-NK-005 (provider JAR URL).
CP-NK-005 must be set before applying deployment.yaml.

Pending: apply to live cluster, set CP-NK-005, run bootstrap-realm.sh, verify-t05.sh.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-19 02:00:51 +00:00

66 lines
2.3 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
# create-secrets.sh — create the keycloak-config K8s Secret
#
# Usage:
# ./create-secrets.sh [secrets-dir]
#
# <secrets-dir> is the output directory from sso-mfa/bootstrap/gen-secrets.sh
# (default: ../../bootstrap/secrets).
#
# Creates ONE Secret in the sso namespace:
# keycloak-config — KC_DB_URL, KC_DB_PASSWORD, KC_BOOTSTRAP_ADMIN_PASSWORD
#
# This secret must exist before applying deployment.yaml.
#
# Re-run with --rotate to update secrets after a rotation in KeePassXC.
set -euo pipefail
SECRETS_DIR="${1:-../../bootstrap/secrets}"
KC_ENV="$SECRETS_DIR/keycloak/secrets.env"
PG_ENV="$SECRETS_DIR/postgres/secrets.env"
if [[ ! -d "$SECRETS_DIR" ]]; then
echo "ERROR: secrets directory not found: $SECRETS_DIR" >&2
echo "Run sso-mfa/bootstrap/gen-secrets.sh first." >&2
exit 1
fi
for f in "$KC_ENV" "$PG_ENV"; do
if [[ ! -f "$f" ]]; then
echo "ERROR: $f not found" >&2
exit 1
fi
done
# Read values from the generated env files in subshells to avoid polluting env.
KC_ADMIN_PASSWORD=$(bash -c "source '$KC_ENV' 2>/dev/null; echo \$KC_ADMIN_PASSWORD")
KC_DB_PASSWORD=$(bash -c "source '$KC_ENV' 2>/dev/null; echo \$KC_DB_PASSWORD")
if [[ -z "$KC_ADMIN_PASSWORD" || -z "$KC_DB_PASSWORD" ]]; then
echo "ERROR: could not read KC_ADMIN_PASSWORD or KC_DB_PASSWORD from $KC_ENV" >&2
echo "Check that gen-secrets.sh ran successfully." >&2
exit 1
fi
# Construct the JDBC database URL.
# CloudNativePG read-write service: net-kingdom-pg-rw.databases.svc.cluster.local
# Keycloak uses JDBC format (jdbc:postgresql://...) — NOT the SQLAlchemy URI format.
KC_DB_URL="jdbc:postgresql://net-kingdom-pg-rw.databases.svc.cluster.local:5432/keycloak_db"
echo "Creating K8s Secret: keycloak-config (namespace: sso)"
kubectl create secret generic keycloak-config \
--namespace=sso \
--from-literal=KC_DB_URL="$KC_DB_URL" \
--from-literal=KC_DB_PASSWORD="$KC_DB_PASSWORD" \
--from-literal=KC_BOOTSTRAP_ADMIN_PASSWORD="$KC_ADMIN_PASSWORD" \
--dry-run=client -o yaml | kubectl apply -f -
echo ""
echo "Done. Secret keycloak-config created in namespace: sso"
echo ""
echo "Next:"
echo " 1. Edit deployment.yaml: set PROVIDER_JAR_URL to the privacyIDEA provider JAR URL (CP-NK-005)."
echo " 2. Apply manifests (see README.md apply order)."
echo " 3. After the pod is Running+Ready, run: ./bootstrap-realm.sh"
Reference in New Issue View Git Blame Copy Permalink