-
Notifications
You must be signed in to change notification settings - Fork 11
/
Copy pathgenerate-secrets
executable file
·86 lines (69 loc) · 3.18 KB
/
generate-secrets
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
#!/usr/bin/env bash
cd "$(dirname "${BASH_SOURCE[0]}")/.."
. bin/util.sh
if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
echo "Usage: $0 [-h|--help]"
echo "Generate secrets inside the etc/secrets.yaml file. Existing secrets are overwritten."
exit
fi
if [ -f etc/secrets.yaml ]; then
echo "WARN: etc/secrets.yaml file already exists. The existing secrets can be reset."
echo "Note: for already initialized systems like redis and PostgreSQL changing the secret will not affect the actual password."
read -p "Do you wish to reset all passwords? [y/N] " yn
case $yn in
[Yy]* ) ;;
* ) exit;;
esac
echo "=> Copying current file to etc/secrets.backup.yaml"
cp -p etc/secrets.yaml etc/secrets.backup.yaml
echo
fi
echo "=> Checking tools"
check_command_exists yq
check_command_exists openssl version
echo "=> Generating passwords"
if [ ! -f etc/secrets.yaml ]; then
copy_template etc/secrets.yaml etc/base-secrets.yaml
fi
insert_secret() {
localSecret="${secret:-$(generate_secret)}"
for key in "$@"; do
localSecret="$localSecret" yq -i "$key = strenv(localSecret)" etc/secrets.yaml
done
}
insert_secret ".mongodb.auth.replicaSetKey"
insert_secret ".mongodb.auth.rootPassword"
insert_secret ".mongodb.auth.passwords[0]"
insert_secret ".graylog.graylog.rootPassword"
insert_secret ".kube_prometheus_stack.kube-prometheus-stack.grafana.adminPassword"
nginx_auth_password=$(generate_secret)
secret="thehyve:$(echo $nginx_auth_password | openssl passwd -apr1 -stdin)" insert_secret ".kube_prometheus_stack.nginx_auth"
comment="username: thehyve, password: $nginx_auth_password" yq -i ".kube_prometheus_stack.nginx_auth line_comment |= strenv(comment)" etc/secrets.yaml
insert_secret ".kafka_manager.basicAuth.password"
# Shared postgresql secret
insert_secret \
".postgresql.global.postgresql.auth.postgresPassword" \
".postgresql.auth.replicationPassword" \
".management_portal.postgres.password" \
".app_config.jdbc.password" \
".radar_rest_sources_backend.postgres.password"
insert_secret ".management_portal.managementportal.common_admin_password"
insert_secret ".management_portal.managementportal.frontend_client_secret"
insert_secret ".management_portal.oauth_clients.radar_upload_backend.client_secret"
insert_secret ".management_portal.oauth_clients.radar_upload_connect.client_secret"
insert_secret ".management_portal.oauth_clients.radar_rest_sources_auth_backend.client_secret"
insert_secret ".management_portal.oauth_clients.radar_redcap_integrator.client_secret"
insert_secret ".management_portal.oauth_clients.radar_fitbit_connector.client_secret"
insert_secret ".management_portal.oauth_clients.radar_appconfig.client_secret"
insert_secret ".management_portal.oauth_clients.radar_push_endpoint.client_secret"
insert_secret \
".radar_appserver_postgresql.global.postgresql.auth.postgresPassword" \
".radar_appserver_postgresql.auth.replicationPassword" \
".radar_appserver.postgres.password"
insert_secret ".timescaledb_password"
insert_secret ".grafana_password"
insert_secret ".grafana_metrics_password"
insert_secret ".s3_access_key"
insert_secret ".s3_secret_key"
insert_secret ".radar_upload_postgres_password"
echo "Passwords and secrets have been generated successfully."