railiance-apps/tools/build-database-url-secret.sh


#!/usr/bin/env bash
#
# Reads a raw database password from one Kubernetes Secret, percent-encodes it,
# assembles a DATABASE_URL and writes that URL into an application env Secret
# (patching the Secret if it exists, creating it otherwise).
# Configuration is taken from APP_* environment variables; run with -h/--help
# for the list.
#
# Strict mode: abort on any failing command (-e), on use of an unset variable
# (-u), and when any stage of a pipeline fails (pipefail).
set -euo pipefail
#######################################
# Print the help text describing the required and optional APP_* variables.
# Arguments: none
# Outputs:   help text on stdout
#######################################
usage() {
  printf '%s\n' \
    'Build or patch an application env Secret with a URL-encoded PostgreSQL DATABASE_URL.' \
    'Required environment:' \
    'APP_NAMESPACE Consumer namespace, for example vergabe-teilnahme' \
    'APP_ENV_SECRET Env Secret to create or patch, for example vergabe-teilnahme-env' \
    'APP_DB_SECRET Secret containing the raw cnpg role password' \
    'APP_DB_USER Database user' \
    'APP_DB_HOST Database host' \
    'APP_DB_NAME Database name' \
    'Optional environment:' \
    'APP_DB_PASSWORD_KEY Secret key containing the raw password (default: password)' \
    'APP_DB_PORT Database port (default: 5432)' \
    'APP_DB_SCHEME URL scheme (default: postgresql)'
}
# Show the help text and stop when the first argument asks for it.
case "${1:-}" in
  -h | --help)
    usage
    exit 0
    ;;
esac
# Required settings: ${VAR:?msg} aborts the script with msg when VAR is unset
# or empty.
: "${APP_NAMESPACE:?Set APP_NAMESPACE}"
: "${APP_ENV_SECRET:?Set APP_ENV_SECRET}"
: "${APP_DB_SECRET:?Set APP_DB_SECRET}"
: "${APP_DB_USER:?Set APP_DB_USER}"
: "${APP_DB_HOST:?Set APP_DB_HOST}"
: "${APP_DB_NAME:?Set APP_DB_NAME}"

# Optional settings: ${VAR:=default} assigns the default when VAR is unset or
# empty and leaves any caller-supplied value untouched.
: "${APP_DB_PASSWORD_KEY:=password}"
: "${APP_DB_PORT:=5432}"
: "${APP_DB_SCHEME:=postgresql}"
# Fail early, naming the missing tool, if any external dependency is absent
# from PATH.
for required_cmd in kubectl base64 python3; do
  command -v "$required_cmd" >/dev/null 2>&1 && continue
  echo "ERROR: missing required command: $required_cmd" >&2
  exit 1
done
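# The key name is spliced into a kubectl JSONPath template below. Restrict it to
# the characters a Secret data key can contain (alphanumerics, '-', '_', '.')
# so a malformed value cannot alter which field the template selects.
if [[ ! "$APP_DB_PASSWORD_KEY" =~ ^[A-Za-z0-9._-]+$ ]]; then
  echo "ERROR: APP_DB_PASSWORD_KEY may only contain alphanumerics, '-', '_' and '.'" >&2
  exit 1
fi

# JSONPath treats an unescaped '.' as a path separator, so a key such as
# "db.password" must be written "db\.password" to be read as a single field.
jsonpath_key="${APP_DB_PASSWORD_KEY//./\\.}"

# Fetch the base64-encoded value and decode it. The password stays in a shell
# variable; it is never echoed. Note that command substitution drops trailing
# newlines from the decoded value.
raw_password="$(
  kubectl get secret "$APP_DB_SECRET" \
    -n "$APP_NAMESPACE" \
    -o "jsonpath={.data.${jsonpath_key}}" | base64 -d
)"

# An absent key yields empty JSONPath output, so an empty result is reported as
# a missing key rather than silently producing a password-less URL.
if [[ -z "$raw_password" ]]; then
  echo "ERROR: secret $APP_NAMESPACE/$APP_DB_SECRET did not contain key $APP_DB_PASSWORD_KEY" >&2
  exit 1
fi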
# Percent-encode the password with python3. The value is handed over through
# the environment rather than argv, and safe="" makes quote() escape '/' too.
password_enc="$(
  RAW_PASSWORD="$raw_password" \
    python3 -c 'import os, urllib.parse; print(urllib.parse.quote(os.environ["RAW_PASSWORD"], safe=""))'
)"

# Assemble scheme://user:password@host:port/dbname.
# NOTE(review): only the password is percent-encoded; scheme, user, host, port
# and database name are inserted verbatim, so reserved characters in those
# values would change the shape of the URL — confirm they are always plain.
printf -v database_url '%s://%s:%s@%s:%s/%s' \
  "$APP_DB_SCHEME" "$APP_DB_USER" "$password_enc" \
  "$APP_DB_HOST" "$APP_DB_PORT" "$APP_DB_NAME"
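# Write DATABASE_URL into the env Secret.
#
# The URL embeds the database password, so it must not appear on a command
# line: process arguments are readable by other local users (ps, /proc), and
# are shown by `set -x`. Both branches therefore build their JSON payload in
# python3 from environment variables and stream it to kubectl over stdin.
#
# NOTE(review): the existence probe discards kubectl's output, so any failure
# (for example a permissions or connectivity error) is treated as "Secret does
# not exist" and falls through to the create branch, which then reports the
# real error.
if kubectl get secret "$APP_ENV_SECRET" -n "$APP_NAMESPACE" >/dev/null 2>&1; then
  # Merge-patch only the DATABASE_URL key; other keys in the Secret are kept.
  # Requires a kubectl that supports --patch-file.
  DATABASE_URL="$database_url" \
    python3 -c 'import json, os; print(json.dumps({"stringData": {"DATABASE_URL": os.environ["DATABASE_URL"]}}))' |
    kubectl patch secret "$APP_ENV_SECRET" -n "$APP_NAMESPACE" \
      --type=merge --patch-file=/dev/stdin
else
  # Create an Opaque Secret (the type `kubectl create secret generic` produces)
  # from a manifest read on stdin instead of --from-literal.
  DATABASE_URL="$database_url" \
    SECRET_NAME="$APP_ENV_SECRET" \
    SECRET_NAMESPACE="$APP_NAMESPACE" \
    python3 -c 'import json, os; print(json.dumps({"apiVersion": "v1", "kind": "Secret", "type": "Opaque", "metadata": {"name": os.environ["SECRET_NAME"], "namespace": os.environ["SECRET_NAMESPACE"]}, "stringData": {"DATABASE_URL": os.environ["DATABASE_URL"]}}))' |
    kubectl create -n "$APP_NAMESPACE" -f -
  echo "WARN: created $APP_NAMESPACE/$APP_ENV_SECRET with DATABASE_URL only; add other required env keys separately" >&2
fi

# Report success by Secret name only; the URL itself is never printed.
echo "Updated DATABASE_URL in secret $APP_NAMESPACE/$APP_ENV_SECRET"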