railiance-apps/tools/forgejo-openbao-eso-token-apply.sh
tegwick 844a3503bb Add interim coulombcore OpenBao token bootstrap for Forgejo mailer ESO
Document two OpenBao instances and add forgejo-openbao-eso-token-apply for
ClusterSecretStore openbao-forgejo on bao.coulomb.social.
2026-07-07 14:35:49 +02:00

46 lines
No EOL
1.9 KiB
Bash
Executable file

#!/usr/bin/env bash
# Create/read-limited OpenBao token on coulombcore (bao.coulomb.social) and store it
# on railiance01 for External Secrets (ClusterSecretStore openbao-forgejo).
set -euo pipefail
POLICY_NAME="${OPENBAO_FORGEJO_POLICY:-workload-kv-read-forgejo-mailer}"
POLICY_FILE="${OPENBAO_FORGEJO_POLICY_FILE:-$HOME/railiance-platform/openbao/policies/workload-kv-read-forgejo-mailer.hcl}"
BAO_ADDR="${BAO_ADDR:-https://bao.coulomb.social}"
RAILIANCE01_KUBECONFIG="${RAILIANCE01_KUBECONFIG:-$HOME/.kube/config-hosteurope}"
SECRET_NAME="${OPENBAO_FORGEJO_ESO_SECRET:-openbao-forgejo-eso-token}"
SECRET_NS="${OPENBAO_FORGEJO_ESO_NAMESPACE:-external-secrets}"
if ! command -v bao >/dev/null 2>&1; then
echo "ERROR: bao CLI not found" >&2
exit 1
fi
if [[ ! -f "$POLICY_FILE" ]]; then
echo "ERROR: policy file missing: $POLICY_FILE" >&2
exit 1
fi
echo "OpenBao addr: $BAO_ADDR"
echo "Policy: $POLICY_NAME"
read -r -s -p "OpenBao operator token (coulombcore / bao.coulomb.social): " BAO_TOKEN
echo >&2
export BAO_ADDR BAO_TOKEN
health="$(curl -fsS "$BAO_ADDR/v1/sys/health")"
if echo "$health" | grep -q '"sealed":true'; then
echo "ERROR: OpenBao at $BAO_ADDR reports sealed" >&2
exit 1
fi
bao policy write "$POLICY_NAME" "$POLICY_FILE"
token_json="$(bao token create -policy="$POLICY_NAME" -display-name="eso-forgejo-mailer" -period=720h -format=json)"
token="$(python3 -c "import json,sys; print(json.load(sys.stdin)['auth']['client_token'])" <<<"$token_json")"
KUBECONFIG="$RAILIANCE01_KUBECONFIG" kubectl create namespace "$SECRET_NS" --dry-run=client -o yaml | KUBECONFIG="$RAILIANCE01_KUBECONFIG" kubectl apply -f -
KUBECONFIG="$RAILIANCE01_KUBECONFIG" kubectl create secret generic "$SECRET_NAME" \
--namespace "$SECRET_NS" \
--from-literal=token="$token" \
--dry-run=client -o yaml | KUBECONFIG="$RAILIANCE01_KUBECONFIG" kubectl apply -f -
unset BAO_TOKEN token token_json
echo "ok: applied $SECRET_NS/$SECRET_NAME on railiance01 (token not printed)"