net-kingdom/sso-mfa/k8s/privacyidea/create-secrets.sh
Bernd Worsch 1d94652ba1 feat(sso-mfa): T04 privacyIDEA manifests (NK-WP-0001-T04)
Deploy privacyIDEA (MFA core) in the mfa namespace:
- pvc.yaml: privacyidea-data (5Gi) and privacyidea-logs (2Gi)
- configmap.yaml: pi.cfg reading secrets from env vars
- deployment.yaml: Deployment + ClusterIP Service (port 8080)
- middleware.yaml: Traefik RateLimit + admin IP AllowList
- ingress.yaml: pink.coulomb.social (portal + admin), pink-account.coulomb.social (self-service)
- create-secrets.sh: creates privacyidea-config Secret
- enckey-bootstrap.sh: post-deploy key extraction + DR Secrets
- bootstrap-admin.sh: pi-admin, trigger-admin, privacyidea-trigger-admin Secret
- verify-t04.sh: 8-section done-criteria checker

Config points CP-NK-002 (pink.coulomb.social) and CP-NK-003
(pink-account.coulomb.social) registered in CONFIG.md.

pink = PrivacyIDEA Net Knights (project mnemonic).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-19 01:22:41 +00:00


#!/usr/bin/env bash
# create-secrets.sh — create the privacyidea-config K8s Secret
#
# Usage:
#   ./create-secrets.sh [secrets-dir]
#
# <secrets-dir> is the output directory from sso-mfa/bootstrap/gen-secrets.sh
# (default: ../../bootstrap/secrets).
#
# Creates ONE Secret in the mfa namespace:
#   privacyidea-config — PI_SECRET_KEY, PI_PEPPER, PI_SQLALCHEMY_DATABASE_URI
#
# This secret must exist before applying deployment.yaml.
#
# The enckey and auditkey Secrets (privacyidea-enckey, privacyidea-auditkeys)
# are created separately by enckey-bootstrap.sh AFTER the first pod start,
# because those keys are auto-generated by the container on first run.
#
# Re-run this script if you rotate PI_SECRET_KEY or PI_PEPPER in KeePassXC.
set -euo pipefail

SECRETS_DIR="${1:-../../bootstrap/secrets}"
PI_ENV="$SECRETS_DIR/privacyidea/secrets.env"

if [[ ! -d "$SECRETS_DIR" ]]; then
  echo "ERROR: secrets directory not found: $SECRETS_DIR" >&2
  echo "Run sso-mfa/bootstrap/gen-secrets.sh first." >&2
  exit 1
fi

if [[ ! -f "$PI_ENV" ]]; then
  echo "ERROR: $PI_ENV not found" >&2
  exit 1
fi

# Read values from the generated env file in a subshell to avoid polluting env.
# Each value is sourced in its own child bash so nothing from secrets.env
# leaks into this script's environment (and into anything it execs).
PI_SECRET_KEY=$(bash -c "source '$PI_ENV' 2>/dev/null; echo \$PI_SECRET_KEY")
PI_PEPPER=$(bash -c "source '$PI_ENV' 2>/dev/null; echo \$PI_PEPPER")
PI_DB_PASSWORD=$(bash -c "source '$PI_ENV' 2>/dev/null; echo \$PI_DB_PASSWORD")

if [[ -z "$PI_SECRET_KEY" || -z "$PI_PEPPER" || -z "$PI_DB_PASSWORD" ]]; then
  echo "ERROR: could not read PI_SECRET_KEY, PI_PEPPER, or PI_DB_PASSWORD from $PI_ENV" >&2
  echo "Check that gen-secrets.sh ran successfully." >&2
  exit 1
fi

# Construct the SQLAlchemy database URI.
# CloudNativePG read-write service: net-kingdom-pg-rw.databases.svc.cluster.local
# NOTE: the password is embedded verbatim. This assumes gen-secrets.sh emits a
# URI-safe password; characters such as '@', ':', '/', '?', '#' or '%' would
# have to be percent-encoded first or SQLAlchemy will mis-parse the URI.
PI_DB_URI="postgresql://privacyidea:${PI_DB_PASSWORD}@net-kingdom-pg-rw.databases.svc.cluster.local:5432/privacyidea_db"

echo "Creating K8s Secret: privacyidea-config (namespace: mfa)"
# Render the Secret client-side and apply it, so re-runs update the existing
# Secret instead of failing with AlreadyExists.
kubectl create secret generic privacyidea-config \
  --namespace=mfa \
  --from-literal=PI_SECRET_KEY="$PI_SECRET_KEY" \
  --from-literal=PI_PEPPER="$PI_PEPPER" \
  --from-literal=PI_SQLALCHEMY_DATABASE_URI="$PI_DB_URI" \
  --dry-run=client -o yaml | kubectl apply -f -

echo ""
echo "Done. Secret privacyidea-config created in namespace: mfa"
echo ""
echo "Next:"
echo "  Apply manifests (see README.md apply order)."
echo "  After the pod is Running, run: ./enckey-bootstrap.sh"
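The script above splices PI_DB_PASSWORD into the PostgreSQL URI unchanged, which only works while the generated password contains no URI-reserved characters. The following is an added example, not code from this repository, showing how the PI_SQLALCHEMY_DATABASE_URI value could be built with the password percent-encoded; it reuses the host, port, user and database name from create-secrets.sh and assumes an ASCII password (the function names urlencode and build_pi_db_uri are hypothetical).

```shell
#!/bin/sh
# Added example: percent-encode a generated DB password before embedding it in
# the SQLAlchemy URI used for the privacyidea-config Secret.
set -eu

# Percent-encode every character that is not RFC 3986 "unreserved"
# (A-Z a-z 0-9 - . _ ~). Runs in a subshell so LC_ALL=C does not leak out;
# assumes an ASCII password, as emitted by a typical secret generator.
urlencode() (
  LC_ALL=C
  s=$1
  out=""
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}   # first character of $s (quoted so globs stay literal)
    s=${s#?}          # drop it from the remainder
    case $c in
      [A-Za-z0-9.~_-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;   # 'c yields the char's code
    esac
  done
  printf '%s' "$out"
)

# Build the URI exactly as create-secrets.sh does, but with the password
# encoded. Host defaults to the CloudNativePG rw service from the script.
build_pi_db_uri() {
  password=$1
  host=${2:-net-kingdom-pg-rw.databases.svc.cluster.local}
  printf 'postgresql://privacyidea:%s@%s:5432/privacyidea_db' \
    "$(urlencode "$password")" "$host"
}

# Returns 0 when the password can be embedded verbatim (no encoding needed),
# 1 otherwise; useful as a guard before the kubectl call in create-secrets.sh.
password_is_uri_safe() {
  [ "$(urlencode "$1")" = "$1" ]
}

# Demo with a constructed password (not a real credential).
demo_password='p@ss/w:rd#1'
if password_is_uri_safe "$demo_password"; then
  echo "password is URI-safe, verbatim embedding is fine"
else
  echo "password needs encoding: $(build_pi_db_uri "$demo_password")"
fi
```

Feed the result to `--from-literal=PI_SQLALCHEMY_DATABASE_URI=` in place of the raw `PI_DB_URI` string.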