#!/bin/bash
# Generate CI/CD Secrets for Bakery-IA
#
# This script creates the Kubernetes secrets required for the CI/CD pipeline.
# Run this script once during initial setup.
#
# Usage:
#   ./generate-secrets.sh [options]
#
# Options:
#   --registry-url    Container registry URL (default: gitea.bakery-ia.local:5000)
#   --gitea-user      Gitea username (will prompt if not provided)
#   --gitea-password  Gitea password (will prompt if not provided)
#   --dry-run         Print commands without executing
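# Abort on the first failing command. pipefail is added so that the
# "kubectl create ... | kubectl apply -f -" pipelines run below fail when
# the producer fails, not only when the consumer does. Note that -e does
# not apply to commands tested by if/|| ; critical steps are checked
# explicitly where it matters.
set -e
set -o pipefail

# Colors for output (ANSI escape sequences, expanded by echo -e / printf %b).
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly NC='\033[0m' # No Color

# Default values. REGISTRY_URL may be preset in the environment; the
# --registry-url option overrides it. DRY_RUN is the literal string
# "true"/"false" and is compared as such.
REGISTRY_URL="${REGISTRY_URL:-gitea.bakery-ia.local:5000}"
DRY_RUN=false
KUBECTL="kubectl"

# Check if running in microk8s and use its bundled kubectl. KUBECTL is
# then a two-word command, so it is deliberately expanded unquoted below.
if command -v microk8s &> /dev/null; then
  KUBECTL="microk8s kubectl"
fi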
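# Parse arguments.
#
# need_value OPTION REMAINING - abort when OPTION was given as the last
# word, i.e. without the value it requires. REMAINING is the caller's $#.
need_value() {
  if (( $2 < 2 )); then
    printf '%bOption %s requires a value%b\n' "$RED" "$1" "$NC" >&2
    exit 1
  fi
}

# parse_args ARGS... - set the globals REGISTRY_URL, GITEA_USERNAME,
# GITEA_PASSWORD and DRY_RUN from the command line.
# Exits 1 on an unknown option or on an option missing its value;
# diagnostics go to stderr.
#
# A password given with --gitea-password is visible to other users of
# the host via `ps` and is kept in the shell history; exporting
# GITEA_PASSWORD in the environment or using the interactive prompt
# avoids both.
parse_args() {
  while [[ $# -gt 0 ]]; do
    case "$1" in
      --registry-url)
        need_value "$1" "$#"
        REGISTRY_URL="$2"
        shift 2
        ;;
      --gitea-user)
        need_value "$1" "$#"
        GITEA_USERNAME="$2"
        shift 2
        ;;
      --gitea-password)
        need_value "$1" "$#"
        GITEA_PASSWORD="$2"
        shift 2
        ;;
      --dry-run)
        DRY_RUN=true
        shift
        ;;
      *)
        # The option text is passed as a %s argument, not as part of the
        # format, so backslashes or % in it are not interpreted.
        printf '%bUnknown option: %s%b\n' "$RED" "$1" "$NC" >&2
        exit 1
        ;;
    esac
  done
}

parse_args "$@"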
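echo "=========================================="
echo " Bakery-IA CI/CD Secrets Generator"
echo "=========================================="
echo ""

# Prompt for credentials if not provided (by option or environment).
# -r keeps backslashes literal; -s keeps the password off the terminal.
# With set -e active, EOF on stdin (non-interactive run without
# credentials) aborts the script here.
if [ -z "$GITEA_USERNAME" ]; then
  read -r -p "Enter Gitea username: " GITEA_USERNAME
fi

if [ -z "$GITEA_PASSWORD" ]; then
  read -r -s -p "Enter Gitea password: " GITEA_PASSWORD
  echo ""
fi

# Empty credentials would still produce secrets, just useless ones; warn
# so the operator notices before the cluster is touched.
if [ -z "$GITEA_USERNAME" ] || [ -z "$GITEA_PASSWORD" ]; then
  printf '%bWarning: Gitea username or password is empty%b\n' "$YELLOW" "$NC" >&2
fi

# Generate webhook secret: 32 random bytes from openssl, hex-encoded
# (64 characters). Check for the tool first to get a clear message
# instead of "command not found".
if ! command -v openssl &> /dev/null; then
  printf '%bopenssl is required to generate the webhook secret%b\n' "$RED" "$NC" >&2
  exit 1
fi
WEBHOOK_SECRET=$(openssl rand -hex 32)

echo ""
echo -e "${YELLOW}Configuration:${NC}"
echo " Registry URL: $REGISTRY_URL"
echo " Gitea User: $GITEA_USERNAME"
# Only a prefix is shown here; the full value is printed at the end.
echo " Webhook Secret: ${WEBHOOK_SECRET:0:8}..."
echo ""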
# create_secret COMMAND - run COMMAND, or only print it under --dry-run.
#
# COMMAND is a single string evaluated with eval so that it can contain
# a pipeline. Everything the caller interpolates into it is therefore
# parsed as shell syntax, and in dry-run mode it is printed verbatim.
# Returns the status of the evaluated command (or of the print).
create_secret() {
  local command_line=$1
  if [[ "$DRY_RUN" == true ]]; then
    printf '%b\n' "${YELLOW}[DRY-RUN]${NC} ${command_line}"
    return
  fi
  eval "$command_line"
}
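# Ensure namespaces exist
echo -e "${GREEN}Creating namespaces if they don't exist...${NC}"
create_secret "$KUBECTL create namespace tekton-pipelines --dry-run=client -o yaml | $KUBECTL apply -f -"
create_secret "$KUBECTL create namespace flux-system --dry-run=client -o yaml | $KUBECTL apply -f -"

echo ""
echo -e "${GREEN}Creating secrets...${NC}"

# The command strings below are eval'd by create_secret. Credential and
# secret values are written into them as \"\$VAR\", i.e. an *unexpanded*
# "$VAR", so that eval expands them inside double quotes at run time.
# Inlining the values directly would let a quote character in a password
# break (or alter) the command, and would print the password in
# --dry-run output. The values still appear on the kubectl command line
# and are thus briefly visible in the process list.

# 1. Webhook Secret
echo " Creating gitea-webhook-secret..."
create_secret "$KUBECTL create secret generic gitea-webhook-secret \
  --namespace tekton-pipelines \
  --from-literal=secretToken=\"\$WEBHOOK_SECRET\" \
  --dry-run=client -o yaml | $KUBECTL apply -f -"

# 2. Registry Credentials (docker-registry type)
echo " Creating gitea-registry-credentials..."
create_secret "$KUBECTL create secret docker-registry gitea-registry-credentials \
  --namespace tekton-pipelines \
  --docker-server=\"\$REGISTRY_URL\" \
  --docker-username=\"\$GITEA_USERNAME\" \
  --docker-password=\"\$GITEA_PASSWORD\" \
  --dry-run=client -o yaml | $KUBECTL apply -f -"

# 3. Git Credentials for Tekton
echo " Creating gitea-git-credentials..."
create_secret "$KUBECTL create secret generic gitea-git-credentials \
  --namespace tekton-pipelines \
  --from-literal=username=\"\$GITEA_USERNAME\" \
  --from-literal=password=\"\$GITEA_PASSWORD\" \
  --dry-run=client -o yaml | $KUBECTL apply -f -"

# 4. Flux Git Credentials
echo " Creating gitea-credentials for Flux..."
create_secret "$KUBECTL create secret generic gitea-credentials \
  --namespace flux-system \
  --from-literal=username=\"\$GITEA_USERNAME\" \
  --from-literal=password=\"\$GITEA_PASSWORD\" \
  --dry-run=client -o yaml | $KUBECTL apply -f -"

# Label all secrets
echo ""
echo -e "${GREEN}Adding labels to secrets...${NC}"
for ns in tekton-pipelines flux-system; do
  for secret in gitea-webhook-secret gitea-registry-credentials gitea-git-credentials gitea-credentials; do
    # Only label secrets that exist in this namespace. The get is a
    # read-only call and runs even under --dry-run, so in that mode the
    # label step is skipped for secrets that were never created.
    if $KUBECTL get secret "$secret" -n "$ns" &> /dev/null; then
      create_secret "$KUBECTL label secret $secret -n $ns app.kubernetes.io/name=bakery-ia-cicd --overwrite 2>/dev/null || true"
    fi
  done
done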
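echo ""
echo "=========================================="
echo -e "${GREEN}Secrets created successfully!${NC}"
echo "=========================================="
echo ""
echo -e "${YELLOW}IMPORTANT:${NC} Save this webhook secret for Gitea webhook configuration:"
echo ""
# Printed in full on purpose so the operator can paste it into Gitea;
# it therefore also ends up in terminal scrollback or any captured log.
echo " Webhook Secret: $WEBHOOK_SECRET"
echo ""
echo "Configure this in Gitea:"
echo " 1. Go to Repository Settings > Webhooks"
echo " 2. Add webhook with URL: http://el-bakery-ia-listener.tekton-pipelines.svc.cluster.local:8080"
echo " 3. Set Secret to the webhook secret above"
echo " 4. Select events: Push"
echo ""

# save_webhook_secret PATH - write $WEBHOOK_SECRET to PATH, owner-readable only.
# The umask is lowered in a subshell so the file is created with mode 600
# from the start instead of being world-readable until the chmod runs;
# chmod is kept for the case where PATH already existed with wider mode.
save_webhook_secret() {
  local path=$1
  ( umask 077 && printf '%s\n' "$WEBHOOK_SECRET" > "$path" )
  chmod 600 "$path"
}

# Save webhook secret to a file for reference (gitignored)
if [ "$DRY_RUN" = false ]; then
  save_webhook_secret "$(dirname "$0")/.webhook-secret"
  echo "Webhook secret saved to .webhook-secret (gitignored)"
fi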