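#!/usr/bin/env bash
#
# Create all credential secrets manually before `helm install`.
#
# Run once. Every password is freshly generated on each run, so a re-run would
# silently rotate credentials that the already-initialised MongoDB and Gravitee
# pods still use. The script therefore refuses to run while any of the secrets
# it manages already exists in the namespace: `kubectl delete secret` them
# first, or set FORCE_ROTATE=1 to overwrite them on purpose.
#
# Requires: kubectl, openssl, htpasswd (an Apache 2.4-era build, for -i), base64.
# Environment:
#   NS            target namespace (default: gravitee-apim)
#   FORCE_ROTATE  set to 1 to overwrite secrets that already exist
set -euo pipefail

readonly NS="${NS:-gravitee-apim}"

# Every Secret this script creates; drives the re-run guard and the final listing.
readonly MANAGED_SECRETS=(
  mongodb-credentials
  gravitee-mongodb-uri
  gravitee-admin
  gravitee-jks-password
  gravitee-jwt
  gravitee-ca-trust
)

# Scratch directory (0700, from mktemp -d) for secret material handed to kubectl
# via --from-file, so values never sit on a command line where `ps` could show
# them to other local users. Removed by the EXIT trap.
TMPDIR_SECRETS=''

#######################################
# Print a message to stderr and exit 1.
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# EXIT trap: remove the scratch directory if it was created.
#######################################
cleanup() {
  if [[ -n "${TMPDIR_SECRETS}" ]]; then
    rm -rf -- "${TMPDIR_SECRETS}"
  fi
}

#######################################
# Print a random alphanumeric string of exactly $1 characters.
# Draws from `openssl rand`, keeps only [A-Za-z0-9], and loops until enough
# characters are collected, so the result is never shorter than requested
# (a single `openssl rand | tr -dc | head -c N` can, in principle, come up short).
# Arguments: $1 - desired length
# Outputs:   the string on stdout, no trailing newline
#######################################
random_alnum() {
  local len=$1
  local out=''
  local chunk
  while (( ${#out} < len )); do
    chunk=$(openssl rand -base64 48 | tr -dc 'A-Za-z0-9')
    out+="${chunk}"
  done
  printf '%s' "${out:0:len}"
}

#######################################
# Create or update a generic Secret in $NS from key=value pairs.
# Values are written to files in TMPDIR_SECRETS and passed with --from-file
# (same resulting data as --from-literal, but not on argv). A value may itself
# contain '='; only the first '=' separates key from value.
# Globals:   NS, TMPDIR_SECRETS
# Arguments: $1 - secret name; $2.. - key=value pairs
#######################################
apply_secret() {
  local name=$1
  shift
  local kv key
  local args=()
  for kv in "$@"; do
    key=${kv%%=*}
    printf '%s' "${kv#*=}" > "${TMPDIR_SECRETS}/${key}"
    args+=("--from-file=${key}=${TMPDIR_SECRETS}/${key}")
  done
  # client dry-run + apply is idempotent, whereas a bare `create` fails if the
  # secret exists (FORCE_ROTATE relies on this overwrite behaviour).
  kubectl -n "${NS}" create secret generic "${name}" "${args[@]}" \
    --dry-run=client -o yaml | kubectl apply -f -
  rm -f -- "${TMPDIR_SECRETS:?}"/*
}

main() {
  local tool
  for tool in kubectl openssl htpasswd base64; do
    command -v "${tool}" >/dev/null 2>&1 || die "required tool not found: ${tool}"
  done

  TMPDIR_SECRETS=$(mktemp -d) || die "mktemp failed"
  trap cleanup EXIT

  # Ensure namespace exists. This is also the first call that fails loudly when
  # the cluster is unreachable, before the (error-suppressed) existence checks below.
  kubectl create namespace "${NS}" --dry-run=client -o yaml | kubectl apply -f -

  # Re-run guard (see header): refuse to rotate live credentials by accident.
  local s
  local existing=()
  for s in "${MANAGED_SECRETS[@]}"; do
    if kubectl -n "${NS}" get secret "${s}" -o name >/dev/null 2>&1; then
      existing+=("${s}")
    fi
  done
  if (( ${#existing[@]} > 0 )) && [[ "${FORCE_ROTATE:-0}" != 1 ]]; then
    die "secrets already exist in ${NS}: ${existing[*]} - delete them first or set FORCE_ROTATE=1"
  fi

  local mongo_root_password mongo_gravitee_password gravitee_admin_password
  mongo_root_password=$(random_alnum 16)
  mongo_gravitee_password=$(random_alnum 16)
  gravitee_admin_password=$(random_alnum 16)

  echo "==> Creating MongoDB credentials"
  # Used by both the MongoDB chart and the Gravitee chart (consumer).
  # mongodb-replica-set-key is deliberately empty, as in the original manifest;
  # presumably a standalone deployment - confirm against the MongoDB chart's
  # replica-set settings before relying on it.
  apply_secret mongodb-credentials \
    "mongodb-root-password=${mongo_root_password}" \
    "mongodb-passwords=${mongo_gravitee_password}" \
    "mongodb-replica-set-key="

  # Full MongoDB URIs injected via env var override into Gravitee components.
  # GRAVITEE_MANAGEMENT_MONGODB_URI overrides management.mongodb.uri in api.
  # GRAVITEE_RATELIMIT_MONGODB_URI overrides ratelimit.mongodb.uri in gateway.
  # The host follows NS instead of a hard-coded namespace. The password needs no
  # percent-encoding because random_alnum never emits URI-reserved characters.
  local mongo_uri
  mongo_uri="mongodb://gravitee:${mongo_gravitee_password}@mongodb.${NS}.svc.cluster.local:27017/gravitee?tls=true&authSource=gravitee"
  apply_secret gravitee-mongodb-uri \
    "GRAVITEE_MANAGEMENT_MONGODB_URI=${mongo_uri}" \
    "GRAVITEE_RATELIMIT_MONGODB_URI=${mongo_uri}"

  echo "==> Creating Gravitee admin credentials"
  # `-i` reads the password from stdin so it never appears on htpasswd's argv
  # (the former `-b` did); `-n` prints the entry instead of writing a file.
  # With an empty user the output is ':<hash>', hence the colon strip.
  local admin_bcrypt
  admin_bcrypt=$(printf '%s\n' "${gravitee_admin_password}" | htpasswd -niBC 10 '' | tr -d ':\n')
  # bcrypt hashes start with "$2"; anything else means htpasswd did not do what we asked.
  [[ "${admin_bcrypt}" == '$2'* ]] || die "htpasswd did not produce a bcrypt hash"
  apply_secret gravitee-admin \
    "admin-username=admin" \
    "admin-password-plain=${gravitee_admin_password}" \
    "admin-password-bcrypt=${admin_bcrypt}"

  echo "==> Creating JKS keystore password (used by cert-manager keystores and JAVA_OPTS)"
  local jks_password
  jks_password=$(random_alnum 20)
  apply_secret gravitee-jks-password "password=${jks_password}"

  echo "==> Creating JWT signing secret (used by Management API)"
  local jwt_secret
  jwt_secret=$(openssl rand -base64 48 | tr -d '\n')
  apply_secret gravitee-jwt "GRAVITEE_JWT_SECRET=${jwt_secret}"

  echo "==> Creating CA trust secret for nginx ingress proxy-ssl-secret"
  # Contains only ca.crt (no tls.crt/key) to avoid nginx presenting the CA as a client cert.
  # Decoded into a file rather than streamed through /dev/stdin so that an
  # existing gravitee-ca-tls without a ca.crt entry is caught here instead of
  # silently producing a secret with an empty ca.crt.
  kubectl -n "${NS}" get secret gravitee-ca-tls -o jsonpath='{.data.ca\.crt}' \
    | base64 -d > "${TMPDIR_SECRETS}/ca.crt"
  [[ -s "${TMPDIR_SECRETS}/ca.crt" ]] || die "gravitee-ca-tls in ${NS} has no ca.crt (not issued yet?)"
  kubectl -n "${NS}" create secret generic gravitee-ca-trust \
    --from-file=ca.crt="${TMPDIR_SECRETS}/ca.crt" \
    --dry-run=client -o yaml | kubectl apply -f -

  echo ""
  echo "==> Done. Secrets created in namespace ${NS}:"
  # Explicit names instead of `get secrets | grep`: fails non-zero if any is missing
  # and does not trip pipefail when the grep would find nothing.
  kubectl -n "${NS}" get secrets "${MANAGED_SECRETS[@]}"
  echo ""
}

main "$@"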