#!/usr/bin/env bash set -euo pipefail SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" # shellcheck source=_config.sh source "${SCRIPT_DIR}/_config.sh" SECRETS_DIR="${DEPLOY_DIR}/secrets" NAMESPACE="honeydue" log() { printf '[secrets] %s\n' "$*"; } warn() { printf '[secrets][warn] %s\n' "$*" >&2; } die() { printf '[secrets][error] %s\n' "$*" >&2; exit 1; } # --- Prerequisites --- command -v kubectl >/dev/null 2>&1 || die "Missing: kubectl" kubectl get namespace "${NAMESPACE}" >/dev/null 2>&1 || { log "Creating namespace ${NAMESPACE}..." kubectl apply -f "${DEPLOY_DIR}/manifests/namespace.yaml" } # --- Validate secret files --- require_file() { local path="$1" label="$2" [[ -f "${path}" ]] || die "Missing: ${path} (${label})" [[ -s "${path}" ]] || die "Empty: ${path} (${label})" } require_file "${SECRETS_DIR}/postgres_password.txt" "Postgres password" require_file "${SECRETS_DIR}/secret_key.txt" "SECRET_KEY" require_file "${SECRETS_DIR}/email_host_password.txt" "SMTP password" require_file "${SECRETS_DIR}/fcm_server_key.txt" "FCM server key" require_file "${SECRETS_DIR}/apns_auth_key.p8" "APNS private key" require_file "${SECRETS_DIR}/cloudflare-origin.crt" "Cloudflare origin cert" require_file "${SECRETS_DIR}/cloudflare-origin.key" "Cloudflare origin key" # Validate APNS key format if ! grep -q "BEGIN PRIVATE KEY" "${SECRETS_DIR}/apns_auth_key.p8"; then die "APNS key file does not look like a private key: ${SECRETS_DIR}/apns_auth_key.p8" fi # Validate secret_key length (minimum 32 chars) SECRET_KEY_LEN="$(tr -d '\r\n' < "${SECRETS_DIR}/secret_key.txt" | wc -c | tr -d ' ')" if (( SECRET_KEY_LEN < 32 )); then die "secret_key.txt must be at least 32 characters (got ${SECRET_KEY_LEN})." fi # --- Read optional config values --- REDIS_PASSWORD="$(cfg redis.password 2>/dev/null || true)" ADMIN_AUTH_USER="$(cfg admin.basic_auth_user 2>/dev/null || true)" ADMIN_AUTH_PASSWORD="$(cfg admin.basic_auth_password 2>/dev/null || true)" # --- Create app secrets --- log "Creating honeydue-secrets..." SECRET_ARGS=( --namespace="${NAMESPACE}" --from-literal="POSTGRES_PASSWORD=$(tr -d '\r\n' < "${SECRETS_DIR}/postgres_password.txt")" --from-literal="SECRET_KEY=$(tr -d '\r\n' < "${SECRETS_DIR}/secret_key.txt")" --from-literal="EMAIL_HOST_PASSWORD=$(tr -d '\r\n' < "${SECRETS_DIR}/email_host_password.txt")" --from-literal="FCM_SERVER_KEY=$(tr -d '\r\n' < "${SECRETS_DIR}/fcm_server_key.txt")" ) if [[ -n "${REDIS_PASSWORD}" ]]; then log " Including REDIS_PASSWORD in secrets" SECRET_ARGS+=(--from-literal="REDIS_PASSWORD=${REDIS_PASSWORD}") else # Audit K3S-F1 (CRITICAL) / MEDIUM-4: refuse to deploy with an unauthenticated # Redis. A previous version only warned here, which let a deploy from an # unedited config.yaml silently bring Redis up with no password. die "redis.password is empty in config.yaml — refusing to deploy: Redis would run with NO authentication (audit K3S-F1). Set a strong value, e.g.: openssl rand -base64 32" fi # B2 (Backblaze) object-storage credentials. The api/worker manifests # reference B2_KEY_ID / B2_APP_KEY as required secret keys, so honeydue-secrets # MUST carry them or those pods fail to start. Sourced from config.yaml so the # script and the manifests no longer drift (was a latent gap before 2026-05-16). B2_KEY_ID_VAL="$(cfg storage.b2_key_id 2>/dev/null || true)" B2_APP_KEY_VAL="$(cfg storage.b2_app_key 2>/dev/null || true)" if [[ -n "${B2_KEY_ID_VAL}" && -n "${B2_APP_KEY_VAL}" ]]; then log " Including B2_KEY_ID / B2_APP_KEY in secrets" SECRET_ARGS+=(--from-literal="B2_KEY_ID=${B2_KEY_ID_VAL}") SECRET_ARGS+=(--from-literal="B2_APP_KEY=${B2_APP_KEY_VAL}") else warn "storage.b2_key_id / b2_app_key not set in config.yaml — B2 uploads will be disabled." fi # Observability ingest credentials live in deploy/prod.env (gitignored) so # the values aren't checked into config.yaml. Skipped silently when the # file or keys are absent — the api/worker manifests mark these env vars # optional, so the deployment still rolls without traces. PROD_ENV_FILE="${DEPLOY_DIR}/../deploy/prod.env" if [[ -f "${PROD_ENV_FILE}" ]]; then OBS_TOKEN_VAL="$(grep -E '^OBS_INGEST_TOKEN=' "${PROD_ENV_FILE}" 2>/dev/null | cut -d= -f2- || true)" OBS_URL_VAL="$(grep -E '^OBS_TRACES_URL=' "${PROD_ENV_FILE}" 2>/dev/null | cut -d= -f2- || true)" if [[ -n "${OBS_TOKEN_VAL}" ]]; then log " Including OBS_INGEST_TOKEN in secrets" SECRET_ARGS+=(--from-literal="OBS_INGEST_TOKEN=${OBS_TOKEN_VAL}") fi if [[ -n "${OBS_URL_VAL}" ]]; then log " Including OBS_TRACES_URL in secrets" SECRET_ARGS+=(--from-literal="OBS_TRACES_URL=${OBS_URL_VAL}") fi fi kubectl create secret generic honeydue-secrets \ "${SECRET_ARGS[@]}" \ --dry-run=client -o yaml | kubectl apply -f - # --- Create APNS key secret --- log "Creating honeydue-apns-key..." kubectl create secret generic honeydue-apns-key \ --namespace="${NAMESPACE}" \ --from-file="apns_auth_key.p8=${SECRETS_DIR}/apns_auth_key.p8" \ --dry-run=client -o yaml | kubectl apply -f - # --- Create container registry credentials --- # Secret name is gitea-credentials (audit F6): the registry is self-hosted # Gitea, not GHCR. Every deployment manifest references this same name. REGISTRY_SERVER="$(cfg registry.server)" REGISTRY_USER="$(cfg registry.username)" REGISTRY_TOKEN="$(cfg registry.token)" if [[ -n "${REGISTRY_SERVER}" && -n "${REGISTRY_USER}" && -n "${REGISTRY_TOKEN}" ]]; then log "Creating gitea-credentials..." kubectl create secret docker-registry gitea-credentials \ --namespace="${NAMESPACE}" \ --docker-server="${REGISTRY_SERVER}" \ --docker-username="${REGISTRY_USER}" \ --docker-password="${REGISTRY_TOKEN}" \ --dry-run=client -o yaml | kubectl apply -f - else warn "Registry credentials incomplete in config.yaml — skipping gitea-credentials." fi # --- Create Cloudflare origin cert --- log "Creating cloudflare-origin-cert..." kubectl create secret tls cloudflare-origin-cert \ --namespace="${NAMESPACE}" \ --cert="${SECRETS_DIR}/cloudflare-origin.crt" \ --key="${SECRETS_DIR}/cloudflare-origin.key" \ --dry-run=client -o yaml | kubectl apply -f - # --- Create admin basic auth secret --- if [[ -n "${ADMIN_AUTH_USER}" && -n "${ADMIN_AUTH_PASSWORD}" ]]; then command -v htpasswd >/dev/null 2>&1 || die "Missing: htpasswd (install apache2-utils)" log "Creating admin-basic-auth secret..." # -B forces bcrypt (Traefik BasicAuth supports it; avoids weak apr1-MD5). HTPASSWD="$(htpasswd -nbB "${ADMIN_AUTH_USER}" "${ADMIN_AUTH_PASSWORD}")" kubectl create secret generic admin-basic-auth \ --namespace="${NAMESPACE}" \ --from-literal=users="${HTPASSWD}" \ --dry-run=client -o yaml | kubectl apply -f - else warn "admin.basic_auth_user/password not set in config.yaml — skipping admin-basic-auth." warn "Admin panel will NOT have basic auth protection." fi # --- Create Kratos secrets (Ory Kratos identity service) --- # Created only when config.yaml has a kratos.dsn. Until then 03-deploy.sh skips # the Kratos deploy entirely, so the existing stack is unaffected. KRATOS_DSN="$(cfg kratos.dsn 2>/dev/null || true)" if [[ -n "${KRATOS_DSN}" ]]; then log "Creating kratos-secrets..." KR_COOKIE="$(cfg kratos.secrets_cookie 2>/dev/null || true)" KR_CIPHER="$(cfg kratos.secrets_cipher 2>/dev/null || true)" KR_SMTP="$(cfg kratos.smtp_connection_uri 2>/dev/null || true)" KR_GOOGLE="$(cfg kratos.google_client_secret 2>/dev/null || true)" KR_APPLE="$(cfg kratos.apple_private_key 2>/dev/null || true)" [[ -n "${KR_COOKIE}" && -n "${KR_CIPHER}" ]] \ || die "kratos.secrets_cookie / secrets_cipher must be set (generate once: openssl rand -hex 16)" [[ ${#KR_CIPHER} -eq 32 ]] \ || die "kratos.secrets_cipher must be exactly 32 characters (openssl rand -hex 16)" kubectl create secret generic kratos-secrets \ --namespace="${NAMESPACE}" \ --from-literal="dsn=${KRATOS_DSN}" \ --from-literal="secrets_cookie=${KR_COOKIE}" \ --from-literal="secrets_cipher=${KR_CIPHER}" \ --from-literal="smtp_connection_uri=${KR_SMTP}" \ --from-literal="google_client_secret=${KR_GOOGLE}" \ --from-literal="apple_private_key=${KR_APPLE}" \ --dry-run=client -o yaml | kubectl apply -f - else warn "config.yaml has no kratos.dsn — skipping kratos-secrets (Kratos not yet configured)." fi # --- Done --- log "" log "All secrets created in namespace '${NAMESPACE}'." log "Verify: kubectl get secrets -n ${NAMESPACE}"