coulomb/net-kingdom
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
df09dd42f4e7f05ab1121b5603f2fdf875e91194
net-kingdom/sso-mfa/bootstrap/creds-apply.sh
Bernd Worsch c10d7d2f8a feat(creds): implement NK-WP-0004 Credential Management Foundation 
- .sops.yaml + keys/age.pub: SOPS age encryption for all secrets/ paths
- .gitignore: broad secrets/ catch-all (any depth)
- .githooks/pre-commit: blocks unencrypted secrets/, *.env outside bootstrap/,
  and known plaintext patterns (PI_SECRET_KEY=, LLDAP_JWT_SECRET=, etc.)
- Makefile: full credential lifecycle (creds-init/generate/bundle/apply/verify/
  status/rotate) + SOPS helpers (sops-setup/edit/encrypt/decrypt/rotate/check-secrets)
  + hooks/hooks-test
- creds-apply.sh: runs create-secrets.sh in dependency order (postgresql → lldap →
  authelia → privacyidea), skips keycape with printed instructions, updates state
- creds-verify.sh: checks all K8s secrets exist, updates creds-state.yaml
- creds-status.sh: human-readable state table from creds-state.yaml
- creds-rotate.sh: guided rotation for all 9 secret types with impact descriptions
  and atomic multi-component update sequences
- creds-state.yaml: committable state file tracking generation, bundle, KeePassXC
  confirmation, per-component apply status, enckey and pi-admin bootstrap flags

NK-WP-0003-T01 unblocked. /creds-bootstrap skill registered separately.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-20 23:39:35 +00:00

120 lines
5.0 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
# creds-apply.sh — run all create-secrets.sh scripts in dependency order.
#
# Usage:
# bash sso-mfa/bootstrap/creds-apply.sh [secrets-dir]
# make creds-apply
#
# Dependency order:
# 1. postgresql (no dependencies)
# 2. lldap (needs: secrets/lldap/secrets.env)
# 3. authelia (needs: lldap/secrets.env → LLDAP_LDAP_USER_PASS)
# 4. privacyidea (needs: secrets/privacyidea/secrets.env)
# 5. keycape SKIPPED — requires PI_ADMIN_TOKEN from post-T04 bootstrap.
# Run sso-mfa/k8s/keycape/create-pi-token.sh, then
# sso-mfa/k8s/keycape/create-secrets.sh manually.
#
# After each successful component, creds-state.yaml is updated.
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
REPO_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
SECRETS_DIR="${1:-$SCRIPT_DIR/secrets}"
STATE_FILE="$SCRIPT_DIR/creds-state.yaml"
K8S_DIR="$REPO_ROOT/sso-mfa/k8s"
# ── Preflight checks ──────────────────────────────────────────────────────────
if [[ -z "${KUBECONFIG:-}" && ! -f "$HOME/.kube/config" ]]; then
echo "ERROR: KUBECONFIG is not set and ~/.kube/config does not exist." >&2
echo " Set KUBECONFIG or ensure cluster access before running creds-apply." >&2
exit 1
fi
if ! kubectl cluster-info &>/dev/null; then
echo "ERROR: Cannot reach the Kubernetes cluster." >&2
echo " Ensure the cluster is running and KUBECONFIG points to the right context." >&2
exit 1
fi
if [[ ! -d "$SECRETS_DIR" ]]; then
echo "ERROR: secrets directory not found: $SECRETS_DIR" >&2
echo " Run 'make creds-generate' first." >&2
exit 1
fi
echo "=== creds-apply — net-kingdom SSO/MFA secrets ==="
echo "Secrets dir : $SECRETS_DIR"
echo "Cluster : $(kubectl config current-context 2>/dev/null || echo '(unknown)')"
echo ""
# ── Helper: run a component's create-secrets.sh ───────────────────────────────
run_component() {
local component="$1"
local script_dir="$K8S_DIR/$component"
local script="$script_dir/create-secrets.sh"
local state_key="$2"
echo "──────────────────────────────────────────────"
echo "Applying: $component"
if [[ ! -f "$script" ]]; then
echo "ERROR: $script not found" >&2
exit 1
fi
(cd "$script_dir" && bash create-secrets.sh "$SECRETS_DIR")
# Update state file
if [[ -f "$STATE_FILE" ]]; then
sed -i "s|^ $state_key: .*| $state_key: true|" "$STATE_FILE"
echo " [state] secrets_applied.$state_key → true"
fi
echo ""
}
# ── Step 1: PostgreSQL ────────────────────────────────────────────────────────
run_component "postgresql" "postgres"
# ── Step 2: LLDAP ────────────────────────────────────────────────────────────
if [[ ! -f "$SECRETS_DIR/lldap/secrets.env" ]]; then
echo "ERROR: $SECRETS_DIR/lldap/secrets.env not found — run creds-generate first." >&2
exit 1
fi
run_component "lldap" "lldap"
# ── Step 3: Authelia (needs LLDAP bind password from lldap/secrets.env) ───────
run_component "authelia" "authelia"
# ── Step 4: privacyIDEA ───────────────────────────────────────────────────────
if [[ ! -f "$SECRETS_DIR/privacyidea/secrets.env" ]]; then
echo "ERROR: $SECRETS_DIR/privacyidea/secrets.env not found." >&2
exit 1
fi
run_component "privacyidea" "privacyidea"
# ── Step 5: KeyCape — SKIPPED (requires PI_ADMIN_TOKEN) ──────────────────────
echo "──────────────────────────────────────────────"
echo "SKIPPED: keycape (requires PI_ADMIN_TOKEN from post-T04 bootstrap)"
echo ""
echo " After privacyIDEA is Running and bootstrapped:"
echo " 1. TIME-SENSITIVE: run enckey-bootstrap.sh while pod is live:"
echo " bash $K8S_DIR/privacyidea/enckey-bootstrap.sh"
echo ""
echo " 2. Create the pi-admin user:"
echo " bash $K8S_DIR/privacyidea/bootstrap-admin.sh"
echo ""
echo " 3. Generate the PI admin token for KeyCape:"
echo " bash $K8S_DIR/keycape/create-pi-token.sh"
echo ""
echo " 4. Apply KeyCape secrets:"
echo " bash $K8S_DIR/keycape/create-secrets.sh $SECRETS_DIR"
echo ""
echo " 5. Update state:"
echo " make creds-verify"
echo ""
echo "=== creds-apply complete ==="
echo "Run 'make creds-status' to review state."
echo "Run 'make creds-verify' to confirm K8s secrets exist."
Reference in New Issue View Git Blame Copy Permalink