coulomb/net-kingdom
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
df09dd42f4e7f05ab1121b5603f2fdf875e91194
net-kingdom/sso-mfa/k8s/postgresql/create-secrets.sh
Bernd Worsch 6d25d088d7 feat(sso-mfa): T02/T03 live apply — age-encrypted secrets, CNPG cluster (NK-WP-0001-T02/T03) 
- Add encrypt-secrets.sh / decrypt-secrets.sh: age-based secrets workflow
  replaces KeePassXC dependency; encrypted .env.age files committed to repo
- Add bootstrap/secrets.enc/: all component secrets encrypted to age pubkey
- Fix .gitignore: allow secrets.enc/**/*.age while blocking plaintext
- Fix verify-t02.sh: update netpol names for Authelia+LLDAP+KeyCape stack
- Fix verify-t03.sh: remove keycloak_db/role checks; fix ((PASS++)) set-e bug
- Update postgresql/cluster.yaml: drop keycloak_db, bootstrap privacyidea_db only
- Update postgresql/create-secrets.sh: remove keycloak secret
- Fix netpol-databases.yaml: add port 8000 for CNPG instance manager HTTP API
- T02 COMPLETE: namespaces, network policies, cert-manager issuers applied
- T03 COMPLETE: CNPG operator installed, net-kingdom-pg cluster healthy

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-20 02:57:41 +00:00

58 lines
1.9 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
# create-secrets.sh — create K8s Secrets for PostgreSQL from gen-secrets.sh output
#
# Usage:
# ./create-secrets.sh <secrets-dir>
#
# <secrets-dir> is the output directory produced by sso-mfa/bootstrap/gen-secrets.sh
# (default: ../../bootstrap/secrets).
#
# Creates one K8s Secret in the databases namespace:
# net-kingdom-pg-privacyidea-app — privacyIDEA DB credentials
#
# Note: net-kingdom-pg-keycloak-app removed — Keycloak replaced by Authelia+LLDAP+KeyCape (T05).
#
# These secrets must exist before applying cluster.yaml.
# Re-run this script whenever you rotate passwords in KeePassXC / gen-secrets.sh.
set -euo pipefail
SECRETS_DIR="${1:-../../bootstrap/secrets}"
if [[ ! -d "$SECRETS_DIR" ]]; then
echo "ERROR: secrets directory not found: $SECRETS_DIR" >&2
echo "Run sso-mfa/bootstrap/gen-secrets.sh first, then re-run this script." >&2
exit 1
fi
PI_SECRETS="$SECRETS_DIR/privacyidea/secrets.env"
if [[ ! -f "$PI_SECRETS" ]]; then
echo "ERROR: $PI_SECRETS not found" >&2
exit 1
fi
# Source the generated env file (KEY=VALUE pairs, no export)
# Use a subshell to avoid polluting the current environment.
PI_DB_PASS=$(bash -c "source $PI_SECRETS 2>/dev/null; echo \$PI_DB_PASSWORD")
if [[ -z "$PI_DB_PASS" ]]; then
echo "ERROR: could not read PI_DB_PASSWORD from $PI_SECRETS" >&2
echo "Check that gen-secrets.sh ran successfully and the file is intact." >&2
exit 1
fi
echo "Creating K8s Secret: net-kingdom-pg-privacyidea-app"
kubectl create secret generic net-kingdom-pg-privacyidea-app \
--namespace=databases \
--from-literal=username=privacyidea \
--from-literal=password="$PI_DB_PASS" \
--dry-run=client -o yaml | kubectl apply -f -
echo ""
echo "Done. Secret created in namespace: databases"
echo ""
echo "Verify:"
echo " kubectl get secrets -n databases"
echo " kubectl describe secret net-kingdom-pg-privacyidea-app -n databases"
Reference in New Issue View Git Blame Copy Permalink