#!/usr/bin/env bash
set -euo pipefail
#######################################
# Print the help text for this script.
# Arguments: none
# Outputs:   purpose line, then the required and optional environment
#            variables, one per line, on stdout
#######################################
usage() {
  printf '%s\n' \
    'Build or patch an application env Secret with a URL-encoded PostgreSQL DATABASE_URL.' \
    '' \
    'Required environment:' \
    'APP_NAMESPACE Consumer namespace, for example vergabe-teilnahme' \
    'APP_ENV_SECRET Env Secret to create or patch, for example vergabe-teilnahme-env' \
    'APP_DB_SECRET Secret containing the raw cnpg role password' \
    'APP_DB_USER Database user' \
    'APP_DB_HOST Database host' \
    'APP_DB_NAME Database name' \
    '' \
    'Optional environment:' \
    'APP_DB_PASSWORD_KEY Secret key containing the raw password (default: password)' \
    'APP_DB_PORT Database port (default: 5432)' \
    'APP_DB_SCHEME URL scheme (default: postgresql)'
}
# Show help and stop before any environment validation or cluster access.
case "${1:-}" in
  -h | --help)
    usage
    exit 0
    ;;
esac

# Required settings: ':?' aborts with the given message when a variable is
# unset or empty.
: "${APP_NAMESPACE:?Set APP_NAMESPACE}"
: "${APP_ENV_SECRET:?Set APP_ENV_SECRET}"
: "${APP_DB_SECRET:?Set APP_DB_SECRET}"
: "${APP_DB_USER:?Set APP_DB_USER}"
: "${APP_DB_HOST:?Set APP_DB_HOST}"
: "${APP_DB_NAME:?Set APP_DB_NAME}"

# Optional settings: ':=' assigns the default only when the variable is unset
# or empty.
# NOTE(review): none of these values is validated here, yet they are later
# placed into a jsonpath expression and a connection URL as given.
: "${APP_DB_PASSWORD_KEY:=password}"
: "${APP_DB_PORT:=5432}"
: "${APP_DB_SCHEME:=postgresql}"

# Fail early if an external tool used further down is not on PATH.
for tool in kubectl base64 python3; do
  command -v "$tool" >/dev/null 2>&1 && continue
  echo "ERROR: missing required command: $tool" >&2
  exit 1
done
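# Read the raw role password out of the database Secret.
#
# APP_DB_PASSWORD_KEY ends up inside a jsonpath expression, so it is first
# restricted to the characters Kubernetes accepts in Secret keys
# (alphanumerics, '-', '_', '.'). Dots are then escaped: an unescaped '.' is a
# path separator in jsonpath, so a key such as "db.password" would otherwise
# resolve to nothing and be reported as missing.
key_re='^[-._a-zA-Z0-9]+$'
if [[ ! "$APP_DB_PASSWORD_KEY" =~ $key_re ]]; then
  echo "ERROR: APP_DB_PASSWORD_KEY may only contain alphanumerics, '-', '_' and '.'" >&2
  exit 1
fi
jsonpath_key="$(printf '%s' "$APP_DB_PASSWORD_KEY" | sed 's/\./\\./g')"

# .data values are base64-encoded; decode to get the password itself.
# Command substitution strips trailing newlines from the decoded value.
raw_password="$(
  kubectl get secret "$APP_DB_SECRET" \
    -n "$APP_NAMESPACE" \
    -o "jsonpath={.data.${jsonpath_key}}" | base64 -d
)"

# An empty result is treated as "key absent": stop rather than build a URL
# with an empty password.
if [[ -z "$raw_password" ]]; then
  echo "ERROR: secret $APP_NAMESPACE/$APP_DB_SECRET did not contain key $APP_DB_PASSWORD_KEY" >&2
  exit 1
fi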
# Percent-encode the password so that reserved characters (for example '@',
# ':' or '/') cannot change how the URL is parsed. safe="" encodes '/' as well.
# The password reaches python3 through the environment, not the command line.
encoded_password="$(
  RAW_PASSWORD="$raw_password" python3 - <<'PY'
import os
from urllib.parse import quote

print(quote(os.environ["RAW_PASSWORD"], safe=""))
PY
)"

# Assemble scheme://user:password@host:port/dbname.
# NOTE(review): user, host, port and database name are inserted as given; only
# the password is percent-encoded.
printf -v database_url '%s://%s:%s@%s:%s/%s' \
  "$APP_DB_SCHEME" "$APP_DB_USER" "$encoded_password" \
  "$APP_DB_HOST" "$APP_DB_PORT" "$APP_DB_NAME"
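# Write DATABASE_URL into the application env Secret: merge-patch it when the
# Secret exists, create it otherwise.
#
# The URL embeds the database password. It is handed to kubectl on stdin
# instead of as a -p / --from-literal argument, because command-line arguments
# can be read from the process list and show up in 'set -x' traces.

# --ignore-not-found makes a missing Secret an empty result with exit status 0,
# so any other failure (no permission, API unreachable) aborts under 'set -e'
# with kubectl's own message instead of being mistaken for "does not exist".
existing_secret="$(
  kubectl get secret "$APP_ENV_SECRET" -n "$APP_NAMESPACE" --ignore-not-found -o name
)"

if [[ -n "$existing_secret" ]]; then
  # json.dumps does the JSON escaping; the URL is passed to python3 through the
  # environment. Requires a kubectl that supports 'patch --patch-file'.
  DATABASE_URL="$database_url" python3 -c 'import json, os; print(json.dumps({"stringData": {"DATABASE_URL": os.environ["DATABASE_URL"]}}))' \
    | kubectl patch secret "$APP_ENV_SECRET" -n "$APP_NAMESPACE" --type=merge --patch-file=/dev/stdin
else
  # printf '%s' adds no trailing newline, so the stored value is exactly the URL.
  printf '%s' "$database_url" \
    | kubectl create secret generic "$APP_ENV_SECRET" \
      -n "$APP_NAMESPACE" \
      --from-file=DATABASE_URL=/dev/stdin
  echo "WARN: created $APP_NAMESPACE/$APP_ENV_SECRET with DATABASE_URL only; add other required env keys separately" >&2
fi

echo "Updated DATABASE_URL in secret $APP_NAMESPACE/$APP_ENV_SECRET"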