Bernd Worsch 59ba9e6fe1 fix(creds-bootstrap): harden agent bootstrap for non-interactive execution
- creds-bootstrap-agent.sh: skip Phase 3 if all secrets already applied
  (avoids CNPG SSL connection drops from repeated reconciliation)
- creds-bootstrap-agent.sh: wait for rollout to complete after restart
  before running enckey/admin bootstrap (fixes race with old pod)
- creds-bootstrap-agent.sh: only restart privacyIDEA when Phase 3 ran
- create-pi-token.sh: use env-var + retry for token fetch (no heredoc
  stdin; handles transient 500 from idle connection pool)
- create-pi-token.sh: create keycape-pi-token K8s Secret after fetching
- creds-verify.sh: map keycape-pi-token to secrets_applied.keycape
  (not pi_admin_created, which caused spurious Phase 5 re-runs)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-21 12:11:13 +00:00


#!/usr/bin/env bash
# creds-verify.sh — check all expected K8s secrets exist and update creds-state.yaml.
#
# Usage:
# bash sso-mfa/bootstrap/creds-verify.sh
# make creds-verify
#
# Checks the following K8s secrets:
# databases/net-kingdom-pg-privacyidea-app → secrets_applied.postgres
# sso/lldap-secrets → secrets_applied.lldap
# sso/authelia-secrets → secrets_applied.authelia
# mfa/privacyidea-config → secrets_applied.privacyidea
# sso/keycape-config → secrets_applied.keycape
# mfa/privacyidea-enckey → enckey_bootstrapped
# sso/keycape-pi-token → secrets_applied.keycape (shares the key with keycape-config; a missing token must not be read as a missing config)
set -euo pipefail

# Resolve the state file next to this script, wherever it is invoked from.
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
STATE_FILE="$SCRIPT_DIR/creds-state.yaml"

# Fail fast when the API server is unreachable; every check below is a kubectl call
# and would otherwise report each secret as missing (which the state file records).
kubectl cluster-info &>/dev/null || {
  echo "ERROR: Cannot reach the Kubernetes cluster. Verify KUBECONFIG." >&2
  exit 1
}
# ── Check helper ──────────────────────────────────────────────────────────────
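#######################################
# Test whether a K8s Secret exists.
# Arguments: $1 - namespace, $2 - secret name
# Returns:   0 if the secret exists, 1 if it does not, 2 if the lookup itself
#            failed (API unreachable, auth/RBAC denied, unknown namespace).
#######################################
secret_exists() {
  local ns="$1" name="$2" found
  # --ignore-not-found turns "absent" into a clean exit with empty output, so any
  # non-zero exit from kubectl is a lookup failure rather than a missing secret.
  # Report that distinctly: recording "missing" for an RBAC/API error would drive
  # the state file to false and could trigger a bootstrap re-run that regenerates
  # credentials. Callers that only do if/else still treat 2 as "not present".
  found="$(kubectl get secret "$name" --namespace="$ns" --ignore-not-found -o name 2>/dev/null)" || return 2
  [[ -n "$found" ]]
}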
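#######################################
# Set a top-level "key: value" line in creds-state.yaml.
# Globals:   STATE_FILE (read)
# Arguments: $1 - key (hard-coded by callers; used unescaped in the sed pattern,
#                 so it must not contain regex metacharacters or '|'), $2 - value
# Returns:   0 always; a missing state file is a silent no-op (the caller reports
#            whether the file exists), a missing key is warned about on stderr
#            instead of being silently ignored by sed.
#######################################
update_state_top() {
  local key="$1" value="$2"
  [[ -f "$STATE_FILE" ]] || return 0
  # sed -i with a non-matching pattern exits 0 and changes nothing, which would
  # leave stale state behind unnoticed; make that visible.
  if ! grep -q -- "^$key: " "$STATE_FILE"; then
    printf 'WARN: %s has no top-level key "%s"; state not updated\n' "$STATE_FILE" "$key" >&2
    return 0
  fi
  sed -i "s|^$key: .*|$key: $value|" "$STATE_FILE"
}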
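#######################################
# Set an indented " key: value" line (a child of secrets_applied) in creds-state.yaml.
# Globals:   STATE_FILE (read)
# Arguments: $1 - key (hard-coded by callers; used unescaped in the sed pattern,
#                 so it must not contain regex metacharacters or '|'), $2 - value
# Returns:   0 always; a missing state file is a silent no-op, a missing key is
#            warned about on stderr instead of being silently ignored by sed.
# NOTE(review): the anchor below assumes exactly the indentation shown here for the
# nested keys — confirm it matches creds-state.yaml as written by the bootstrap.
#######################################
update_state_nested() {
  local key="$1" value="$2"
  [[ -f "$STATE_FILE" ]] || return 0
  # sed -i with a non-matching pattern exits 0 and changes nothing; surface that.
  if ! grep -q -- "^ $key: " "$STATE_FILE"; then
    printf 'WARN: %s has no nested key "%s"; state not updated\n' "$STATE_FILE" "$key" >&2
    return 0
  fi
  sed -i "s|^ $key: .*| $key: $value|" "$STATE_FILE"
}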
# ── Results table ─────────────────────────────────────────────────────────────
# Tallies for the results table; check() bumps exactly one of them per secret.
pass=0 fail=0
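#######################################
# Check one secret, print a results row and record the outcome in the state file.
# Globals:   pass, fail (written)
# Arguments: $1 - row label, $2 - namespace, $3 - secret name,
#            $4 - state updater function (update_state_top|update_state_nested),
#            $5 - state key passed to that function
# Outputs:   one table row on stdout
# Returns:   0 always (the aggregate result is decided at the end of the script)
#######################################
check() {
  local label="$1" ns="$2" secret="$3" state_fn="$4" state_key="$5"
  local rc=0
  secret_exists "$ns" "$secret" || rc=$?
  case "$rc" in
    0)
      printf " %-40s ✔ exists\n" "$label"
      "$state_fn" "$state_key" "true"
      pass=$((pass + 1))
      ;;
    1)
      printf " %-40s ✗ missing (ns: %s, secret: %s)\n" "$label" "$ns" "$secret"
      "$state_fn" "$state_key" "false"
      fail=$((fail + 1))
      ;;
    *)
      # The lookup itself failed (API unreachable, RBAC denied, ...). Leave the
      # state file untouched: writing "false" here is indistinguishable from a
      # genuinely missing secret and can trigger a bootstrap re-run that
      # regenerates credentials. Still counts as a failure for the exit status.
      printf " %-40s ? lookup failed (ns: %s, secret: %s) — state left unchanged\n" "$label" "$ns" "$secret"
      fail=$((fail + 1))
      ;;
  esac
}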
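echo "=== creds-verify — net-kingdom SSO/MFA secrets ==="
echo ""

# Application secrets → secrets_applied.<name>
check "postgres (net-kingdom-pg-privacyidea-app)" \
  databases net-kingdom-pg-privacyidea-app \
  update_state_nested postgres
check "lldap (lldap-secrets)" \
  sso lldap-secrets \
  update_state_nested lldap
check "authelia (authelia-secrets)" \
  sso authelia-secrets \
  update_state_nested authelia
check "privacyidea (privacyidea-config)" \
  mfa privacyidea-config \
  update_state_nested privacyidea
check "keycape (keycape-config)" \
  sso keycape-config \
  update_state_nested keycape
echo ""

# Bootstrap artefacts
check "enckey (privacyidea-enckey)" \
  mfa privacyidea-enckey \
  update_state_top enckey_bootstrapped

# keycape-pi-token is recorded under the same secrets_applied.keycape key as
# keycape-config (the dedicated pi_admin_created key caused spurious re-runs).
# Because this check runs after the keycape-config one, a plain update would let
# a present token overwrite a "false" just recorded for a missing config and hide
# that the config must be re-applied. Only let a missing token pull the key down.
# NOTE(review): this assumes secrets_applied.keycape is meant to be true only when
# both keycape secrets exist — confirm against the bootstrap agent's phase logic.
keycape_token_state() {
  if [[ "$2" == "false" ]]; then
    update_state_nested "$1" "$2"
  fi
}
check "pi-admin token (keycape-pi-token)" \
  sso keycape-pi-token \
  keycape_token_state keycape
echo ""

echo "Results: $pass present, $fail missing"
if [[ -f "$STATE_FILE" ]]; then
  echo "State file updated: $STATE_FILE"
fi
# Exit status of the script: non-zero if anything is missing (set -e exits on it).
[[ "$fail" -eq 0 ]]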