sttlab
83 lines
3.2 KiB
Bash
Executable File
83 lines
3.2 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# Create all credential secrets before the first helm install.
|
|
# Skips any secret that already exists — delete it first to regenerate.
|
|
|
|
set -euo pipefail
|
|
|
|
NS="gravitee-apim"
|
|
|
|
# Ensure namespace exists
|
|
kubectl create namespace "${NS}" --dry-run=client -o yaml | kubectl apply -f -
|
|
|
|
secret_exists() {
|
|
kubectl -n "${NS}" get secret "$1" >/dev/null 2>&1
|
|
}
|
|
|
|
echo "==> Creating MongoDB credentials"
|
|
if secret_exists mongodb-credentials; then
|
|
echo " mongodb-credentials already exists, skipping"
|
|
else
|
|
MONGO_ROOT_PASSWORD=$(openssl rand -base64 24 | tr -dc 'A-Za-z0-9' | head -c 16)
|
|
MONGO_GRAVITEE_PASSWORD=$(openssl rand -base64 24 | tr -dc 'A-Za-z0-9' | head -c 16)
|
|
kubectl -n "${NS}" create secret generic mongodb-credentials \
|
|
--from-literal=mongodb-root-password="${MONGO_ROOT_PASSWORD}" \
|
|
--from-literal=mongodb-passwords="${MONGO_GRAVITEE_PASSWORD}" \
|
|
--from-literal=mongodb-replica-set-key=''
|
|
fi
|
|
|
|
echo "==> Creating MongoDB URI secret"
|
|
if secret_exists gravitee-mongodb-uri; then
|
|
echo " gravitee-mongodb-uri already exists, skipping"
|
|
else
|
|
MONGO_GRAVITEE_PASSWORD=$(kubectl -n "${NS}" get secret mongodb-credentials \
|
|
-o jsonpath='{.data.mongodb-passwords}' | base64 -d)
|
|
MONGO_URI="mongodb://gravitee:${MONGO_GRAVITEE_PASSWORD}@mongodb.gravitee-apim.svc.cluster.local:27017/gravitee?tls=true&authSource=gravitee"
|
|
kubectl -n "${NS}" create secret generic gravitee-mongodb-uri \
|
|
--from-literal=GRAVITEE_MANAGEMENT_MONGODB_URI="${MONGO_URI}" \
|
|
--from-literal=GRAVITEE_RATELIMIT_MONGODB_URI="${MONGO_URI}"
|
|
fi
|
|
|
|
echo "==> Creating Gravitee admin credentials"
|
|
if secret_exists gravitee-admin; then
|
|
echo " gravitee-admin already exists, skipping"
|
|
else
|
|
GRAVITEE_ADMIN_PASSWORD=$(openssl rand -base64 24 | tr -dc 'A-Za-z0-9' | head -c 16)
|
|
ADMIN_BCRYPT=$(htpasswd -bnBC 10 "" "${GRAVITEE_ADMIN_PASSWORD}" | tr -d ':\n')
|
|
kubectl -n "${NS}" create secret generic gravitee-admin \
|
|
--from-literal=admin-username='admin' \
|
|
--from-literal=admin-password-plain="${GRAVITEE_ADMIN_PASSWORD}" \
|
|
--from-literal=admin-password-bcrypt="${ADMIN_BCRYPT}"
|
|
fi
|
|
|
|
echo "==> Creating JKS keystore password"
|
|
if secret_exists gravitee-jks-password; then
|
|
echo " gravitee-jks-password already exists, skipping"
|
|
else
|
|
JKS_PASSWORD=$(openssl rand -base64 24 | tr -dc 'A-Za-z0-9' | head -c 20)
|
|
kubectl -n "${NS}" create secret generic gravitee-jks-password \
|
|
--from-literal=password="${JKS_PASSWORD}"
|
|
fi
|
|
|
|
echo "==> Creating JWT signing secret"
|
|
if secret_exists gravitee-jwt; then
|
|
echo " gravitee-jwt already exists, skipping"
|
|
else
|
|
JWT_SECRET=$(openssl rand -base64 48 | tr -d '\n')
|
|
kubectl -n "${NS}" create secret generic gravitee-jwt \
|
|
--from-literal=GRAVITEE_JWT_SECRET="${JWT_SECRET}"
|
|
fi
|
|
|
|
echo "==> Creating API properties encryption key"
|
|
if secret_exists gravitee-encryption; then
|
|
echo " gravitee-encryption already exists, skipping"
|
|
else
|
|
ENCRYPTION_KEY=$(openssl rand -hex 16)
|
|
kubectl -n "${NS}" create secret generic gravitee-encryption \
|
|
--from-literal=api-properties-encryption-secret="${ENCRYPTION_KEY}"
|
|
fi
|
|
|
|
echo ""
|
|
echo "==> Done. Secrets in namespace ${NS}:"
|
|
kubectl -n "${NS}" get secrets | grep -E 'mongodb-credentials|gravitee-mongodb-uri|gravitee-admin|gravitee-jwt|gravitee-jks-password|gravitee-ca-trust'
|
|
echo ""
|