honeyDueAPI/deploy-k3s/scripts/02-setup-secrets.sh

#!/usr/bin/env bash
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# shellcheck source=_config.sh
source "${SCRIPT_DIR}/_config.sh"

SECRETS_DIR="${DEPLOY_DIR}/secrets"
NAMESPACE="honeydue"

log() { printf '[secrets] %s\n' "$*"; }
warn() { printf '[secrets][warn] %s\n' "$*" >&2; }
die() { printf '[secrets][error] %s\n' "$*" >&2; exit 1; }

# --- Prerequisites ---

command -v kubectl >/dev/null 2>&1 || die "Missing: kubectl"

kubectl get namespace "${NAMESPACE}" >/dev/null 2>&1 || {
  log "Creating namespace ${NAMESPACE}..."
  kubectl apply -f "${DEPLOY_DIR}/manifests/namespace.yaml"
}

# --- Validate secret files ---

require_file() {
  local path="$1" label="$2"
  [[ -f "${path}" ]] || die "Missing: ${path} (${label})"
  [[ -s "${path}" ]] || die "Empty: ${path} (${label})"
}

require_file "${SECRETS_DIR}/postgres_password.txt" "Postgres password"
require_file "${SECRETS_DIR}/secret_key.txt" "SECRET_KEY"
require_file "${SECRETS_DIR}/email_host_password.txt" "SMTP password"
require_file "${SECRETS_DIR}/fcm_server_key.txt" "FCM server key"
require_file "${SECRETS_DIR}/apns_auth_key.p8" "APNS private key"
require_file "${SECRETS_DIR}/cloudflare-origin.crt" "Cloudflare origin cert"
require_file "${SECRETS_DIR}/cloudflare-origin.key" "Cloudflare origin key"

# Validate APNS key format
if ! grep -q "BEGIN PRIVATE KEY" "${SECRETS_DIR}/apns_auth_key.p8"; then
  die "APNS key file does not look like a private key: ${SECRETS_DIR}/apns_auth_key.p8"
fi

# Validate secret_key length (minimum 32 chars)
SECRET_KEY_LEN="$(tr -d '\r\n' < "${SECRETS_DIR}/secret_key.txt" | wc -c | tr -d ' ')"
if (( SECRET_KEY_LEN < 32 )); then
  die "secret_key.txt must be at least 32 characters (got ${SECRET_KEY_LEN})."
fi

# --- Read optional config values ---

REDIS_PASSWORD="$(cfg redis.password 2>/dev/null || true)"
ADMIN_AUTH_USER="$(cfg admin.basic_auth_user 2>/dev/null || true)"
ADMIN_AUTH_PASSWORD="$(cfg admin.basic_auth_password 2>/dev/null || true)"

# --- Create app secrets ---

log "Creating honeydue-secrets..."
SECRET_ARGS=(
  --namespace="${NAMESPACE}"
  --from-literal="POSTGRES_PASSWORD=$(tr -d '\r\n' < "${SECRETS_DIR}/postgres_password.txt")"
  --from-literal="SECRET_KEY=$(tr -d '\r\n' < "${SECRETS_DIR}/secret_key.txt")"
  --from-literal="EMAIL_HOST_PASSWORD=$(tr -d '\r\n' < "${SECRETS_DIR}/email_host_password.txt")"
  --from-literal="FCM_SERVER_KEY=$(tr -d '\r\n' < "${SECRETS_DIR}/fcm_server_key.txt")"
)

if [[ -n "${REDIS_PASSWORD}" ]]; then
  log "  Including REDIS_PASSWORD in secrets"
  SECRET_ARGS+=(--from-literal="REDIS_PASSWORD=${REDIS_PASSWORD}")
fi

# Observability ingest credentials live in deploy/prod.env (gitignored) so
# the values aren't checked into config.yaml. Skipped silently when the
# file or keys are absent — the api/worker manifests mark these env vars
# optional, so the deployment still rolls without traces.
PROD_ENV_FILE="${DEPLOY_DIR}/../deploy/prod.env"
if [[ -f "${PROD_ENV_FILE}" ]]; then
  OBS_TOKEN_VAL="$(grep -E '^OBS_INGEST_TOKEN=' "${PROD_ENV_FILE}" 2>/dev/null | cut -d= -f2- || true)"
  OBS_URL_VAL="$(grep -E '^OBS_TRACES_URL=' "${PROD_ENV_FILE}" 2>/dev/null | cut -d= -f2- || true)"
  if [[ -n "${OBS_TOKEN_VAL}" ]]; then
    log "  Including OBS_INGEST_TOKEN in secrets"
    SECRET_ARGS+=(--from-literal="OBS_INGEST_TOKEN=${OBS_TOKEN_VAL}")
  fi
  if [[ -n "${OBS_URL_VAL}" ]]; then
    log "  Including OBS_TRACES_URL in secrets"
    SECRET_ARGS+=(--from-literal="OBS_TRACES_URL=${OBS_URL_VAL}")
  fi
fi

kubectl create secret generic honeydue-secrets \
  "${SECRET_ARGS[@]}" \
  --dry-run=client -o yaml | kubectl apply -f -

# --- Create APNS key secret ---

log "Creating honeydue-apns-key..."
kubectl create secret generic honeydue-apns-key \
  --namespace="${NAMESPACE}" \
  --from-file="apns_auth_key.p8=${SECRETS_DIR}/apns_auth_key.p8" \
  --dry-run=client -o yaml | kubectl apply -f -

# --- Create GHCR registry credentials ---

REGISTRY_SERVER="$(cfg registry.server)"
REGISTRY_USER="$(cfg registry.username)"
REGISTRY_TOKEN="$(cfg registry.token)"

if [[ -n "${REGISTRY_SERVER}" && -n "${REGISTRY_USER}" && -n "${REGISTRY_TOKEN}" ]]; then
  log "Creating ghcr-credentials..."
  kubectl create secret docker-registry ghcr-credentials \
    --namespace="${NAMESPACE}" \
    --docker-server="${REGISTRY_SERVER}" \
    --docker-username="${REGISTRY_USER}" \
    --docker-password="${REGISTRY_TOKEN}" \
    --dry-run=client -o yaml | kubectl apply -f -
else
  warn "Registry credentials incomplete in config.yaml — skipping ghcr-credentials."
fi

# --- Create Cloudflare origin cert ---

log "Creating cloudflare-origin-cert..."
kubectl create secret tls cloudflare-origin-cert \
  --namespace="${NAMESPACE}" \
  --cert="${SECRETS_DIR}/cloudflare-origin.crt" \
  --key="${SECRETS_DIR}/cloudflare-origin.key" \
  --dry-run=client -o yaml | kubectl apply -f -

# --- Create admin basic auth secret ---

if [[ -n "${ADMIN_AUTH_USER}" && -n "${ADMIN_AUTH_PASSWORD}" ]]; then
  command -v htpasswd >/dev/null 2>&1 || die "Missing: htpasswd (install apache2-utils)"
  log "Creating admin-basic-auth secret..."
  HTPASSWD="$(htpasswd -nb "${ADMIN_AUTH_USER}" "${ADMIN_AUTH_PASSWORD}")"
  kubectl create secret generic admin-basic-auth \
    --namespace="${NAMESPACE}" \
    --from-literal=users="${HTPASSWD}" \
    --dry-run=client -o yaml | kubectl apply -f -
else
  warn "admin.basic_auth_user/password not set in config.yaml — skipping admin-basic-auth."
  warn "Admin panel will NOT have basic auth protection."
fi

# --- Done ---

log ""
log "All secrets created in namespace '${NAMESPACE}'."
log "Verify: kubectl get secrets -n ${NAMESPACE}"