stt/infra-gravitee-apim
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4f1c251ff831a3c1c96348906ee81193dbf5f67b
infra-gravitee-apim/secrets-create.sh
T
sttlab 4f1c251ff8 Simplification of TLS config
2026-05-03 12:48:42 +00:00

65 lines
3.1 KiB
Bash
Raw Blame History

#!/usr/bin/env bash
# Create all credential secrets manually before helm install.
# Run once. Re-running with new values requires `kubectl delete secret` first.
set -euo pipefail
NS="gravitee-apim"
MONGO_ROOT_PASSWORD=$(openssl rand -base64 24 | tr -dc 'A-Za-z0-9' | head -c 16)
MONGO_GRAVITEE_PASSWORD=$(openssl rand -base64 24 | tr -dc 'A-Za-z0-9' | head -c 16)
GRAVITEE_ADMIN_PASSWORD=$(openssl rand -base64 24 | tr -dc 'A-Za-z0-9' | head -c 16)
# Ensure namespace exists
kubectl create namespace "${NS}" --dry-run=client -o yaml | kubectl apply -f -
echo "==> Creating MongoDB credentials"
# Used by both the MongoDB chart and the Gravitee chart (consumer)
kubectl -n "${NS}" create secret generic mongodb-credentials \
--from-literal=mongodb-root-password=${MONGO_ROOT_PASSWORD} \
--from-literal=mongodb-passwords=${MONGO_GRAVITEE_PASSWORD} \
--from-literal=mongodb-replica-set-key='' \
--dry-run=client -o yaml | kubectl apply -f -
# Full MongoDB URIs injected via env var override into Gravitee components.
# GRAVITEE_MANAGEMENT_MONGODB_URI overrides management.mongodb.uri in api.
# GRAVITEE_RATELIMIT_MONGODB_URI overrides ratelimit.mongodb.uri in gateway.
MONGO_URI="mongodb://gravitee:${MONGO_GRAVITEE_PASSWORD}@mongodb.gravitee-apim.svc.cluster.local:27017/gravitee?tls=true&authSource=gravitee"
kubectl -n "${NS}" create secret generic gravitee-mongodb-uri \
--from-literal=GRAVITEE_MANAGEMENT_MONGODB_URI="${MONGO_URI}" \
--from-literal=GRAVITEE_RATELIMIT_MONGODB_URI="${MONGO_URI}" \
--dry-run=client -o yaml | kubectl apply -f -
echo "==> Creating Gravitee admin credentials"
ADMIN_BCRYPT=$(htpasswd -bnBC 10 "" "${GRAVITEE_ADMIN_PASSWORD}" | tr -d ':\n')
kubectl -n "${NS}" create secret generic gravitee-admin \
--from-literal=admin-username='admin' \
--from-literal=admin-password-plain="${GRAVITEE_ADMIN_PASSWORD}" \
--from-literal=admin-password-bcrypt="${ADMIN_BCRYPT}" \
--dry-run=client -o yaml | kubectl apply -f -
echo "==> Creating JKS keystore password (used by cert-manager keystores and JAVA_OPTS)"
JKS_PASSWORD=$(openssl rand -base64 24 | tr -dc 'A-Za-z0-9' | head -c 20)
kubectl -n "${NS}" create secret generic gravitee-jks-password \
--from-literal=password="${JKS_PASSWORD}" \
--dry-run=client -o yaml | kubectl apply -f -
echo "==> Creating JWT signing secret (used by Management API)"
JWT_SECRET=$(openssl rand -base64 48 | tr -d '\n')
kubectl -n "${NS}" create secret generic gravitee-jwt \
--from-literal=GRAVITEE_JWT_SECRET="${JWT_SECRET}" \
--dry-run=client -o yaml | kubectl apply -f -
echo "==> Creating CA trust secret for nginx ingress proxy-ssl-secret"
# Contains only ca.crt (no tls.crt/key) to avoid nginx presenting the CA as a client cert.
kubectl -n "${NS}" get secret gravitee-ca-tls -o jsonpath='{.data.ca\.crt}' | base64 -d | \
kubectl -n "${NS}" create secret generic gravitee-ca-trust \
--from-file=ca.crt=/dev/stdin \
--dry-run=client -o yaml | kubectl apply -f -
echo ""
echo "==> Done. Secrets created in namespace ${NS}:"
kubectl -n "${NS}" get secrets | grep -E 'mongodb-credentials|gravitee-mongodb-uri|gravitee-admin|gravitee-jwt|gravitee-jks-password|gravitee-ca-trust'
echo ""
Reference in New Issue View Git Blame Copy Permalink