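#!/usr/bin/env bash
#
# Bootstrap credentials for the "juwan" namespace on a local k3s cluster.
#
# Reads operator configuration from ./.env (copied from .env.example),
# generates any credential that .env does not pin (openssl rand), keeps a
# copy of every generated/derived value under ./secrets/ (dir 0700, files
# 0600) and applies the matching Kubernetes Secrets with create-or-update
# semantics. Values not pinned in .env are regenerated on every run, i.e.
# re-running the script rotates them.
#
# Requires: bash, openssl, kubectl and read access to the k3s kubeconfig.
set -euo pipefail

K01_DIR="$(cd "$(dirname "$0")" && pwd)"
readonly K01_DIR
readonly NAMESPACE=juwan
cd "$K01_DIR"

if [[ ! -f .env ]]; then
  printf '%s\n' ".env not found, copy from .env.example and fill in" >&2
  exit 1
fi

# .env is executed as shell code, so it must be trusted and should be
# writable only by the operator. 'set -a' exports everything it defines so
# kubectl and other child processes see the same values.
set -a
. ./.env
set +a

#######################################
# Abort before anything is written when a required .env variable is unset.
# Checks all names at once so the operator sees the full list instead of
# failing on the first kubectl call after some files were already written.
# Arguments: variable names to check
# Returns:   0 if all are set, otherwise exits 1
#######################################
require_vars() {
  local v
  local -a missing=()
  for v in "$@"; do
    [[ -n "${!v+x}" ]] || missing+=("$v")
  done
  if (( ${#missing[@]} > 0 )); then
    printf 'missing required variable(s) in .env: %s\n' "${missing[*]}" >&2
    exit 1
  fi
}

# EMAIL_REPLY_TO is optional (defaults to empty below); everything else is
# used unconditionally by the kubectl calls.
require_vars REGISTRY_HOST REGISTRY_USERNAME REGISTRY_PASSWORD \
  ADMIN_USERNAME ADMIN_EMAIL \
  EMAIL_SMTP_HOST EMAIL_SMTP_PORT EMAIL_SMTP_USERNAME EMAIL_SMTP_PASSWORD \
  EMAIL_FROM_ADDRESS EMAIL_FROM_NAME \
  S3_ENDPOINT S3_ACCESS_KEY S3_SECRET_KEY S3_BUCKET_NAME S3_REGION

mkdir -p secrets
chmod 700 secrets

#######################################
# Write one secret value to secrets/<name>, readable only by the owner.
# The umask makes the file 0600 from the moment it is created (no window
# where a default umask leaves it world-readable); the chmod additionally
# tightens a pre-existing file, which the umask would not touch.
# Arguments: $1 secret name (file name under secrets/), $2 value
#######################################
write_secret() {
  local name=$1 value=$2
  ( umask 077; printf '%s\n' "$value" > "secrets/$name" )
  chmod 600 "secrets/$name"
}

#######################################
# Create-or-update a Kubernetes Secret in $NAMESPACE.
# Arguments: everything that follows `kubectl create secret`
#            (type, name, --from-literal/--docker-*/--cert flags)
# Returns:   non-zero if either kubectl invocation fails (pipefail)
#######################################
apply_secret() {
  kubectl -n "$NAMESPACE" create secret "$@" --dry-run=client -o yaml \
    | kubectl apply -f -
}

# Pinned in .env if present, otherwise freshly generated.
JWT_SECRET_KEY="${JWT_SECRET_KEY:-$(openssl rand -hex 32)}"
ADMIN_PASSWORD="${ADMIN_PASSWORD:-$(openssl rand -hex 16)}"
write_secret jwt-secret "$JWT_SECRET_KEY"
write_secret admin-password "$ADMIN_PASSWORD"

export KUBECONFIG=/etc/rancher/k3s/k3s.yaml

# NOTE(review): --from-literal/--docker-password place secret values on the
# kubectl command line, where other local users can read them via ps for the
# duration of the call. Acceptable on a single-operator host; for shared
# hosts, prefer --from-file with files under secrets/.
apply_secret docker-registry registry-creds \
  --docker-server="${REGISTRY_HOST}" \
  --docker-username="${REGISTRY_USERNAME}" \
  --docker-password="${REGISTRY_PASSWORD}"

apply_secret generic jwt-secret \
  --from-literal=secret-key="$JWT_SECRET_KEY"

apply_secret generic admin-bootstrap \
  --from-literal=username="${ADMIN_USERNAME}" \
  --from-literal=password="$ADMIN_PASSWORD" \
  --from-literal=email="${ADMIN_EMAIL}"

apply_secret generic email-smtp \
  --from-literal=host="${EMAIL_SMTP_HOST}" \
  --from-literal=port="${EMAIL_SMTP_PORT}" \
  --from-literal=username="${EMAIL_SMTP_USERNAME}" \
  --from-literal=password="${EMAIL_SMTP_PASSWORD}" \
  --from-literal=from-address="${EMAIL_FROM_ADDRESS}" \
  --from-literal=from-name="${EMAIL_FROM_NAME}" \
  --from-literal=reply-to="${EMAIL_REPLY_TO:-}"

apply_secret generic objectstory-s3 \
  --from-literal=endpoint="${S3_ENDPOINT}" \
  --from-literal=access-key="${S3_ACCESS_KEY}" \
  --from-literal=secret-key="${S3_SECRET_KEY}" \
  --from-literal=bucket="${S3_BUCKET_NAME}" \
  --from-literal=region="${S3_REGION}"

# Development TLS material from ../dev/certs; the cd inside $(...) aborts
# the script (set -e) if the directory is missing.
DEV_CERTS="$(cd "$K01_DIR/../dev/certs" && pwd)"
apply_secret tls chat-wt-tls \
  --cert="${DEV_CERTS}/tls.crt" \
  --key="${DEV_CERTS}/tls.key"

# One password per "<domain>-redis" resource declared in infra/redis.yaml.
# The regex is anchored on the indentation of the "name:" key as it appears
# in that file — adjust it if the manifest layout changes.
DOMAINS=()
while IFS= read -r name; do
  DOMAINS+=("${name%-redis}")
done < <(grep -E '^ name: [a-z-]+-redis$' "$K01_DIR/infra/redis.yaml" | awk '{print $2}')

if (( ${#DOMAINS[@]} == 0 )); then
  printf 'warning: no "*-redis" names found in infra/redis.yaml, no redis secrets created\n' >&2
fi

# Redis passwords cannot be pinned in .env; they are rotated on every run.
# ${arr[@]+"${arr[@]}"} keeps 'set -u' happy on bash < 4.4 when the array is empty.
for d in ${DOMAINS[@]+"${DOMAINS[@]}"}; do
  pwd_val="$(openssl rand -hex 16)"
  write_secret "redis-${d}-password" "$pwd_val"
  apply_secret generic "${d}-redis" \
    --from-literal=password="$pwd_val"
done

MONGO_PASSWORD="${MONGO_PASSWORD:-$(openssl rand -hex 16)}"
write_secret mongo-password "$MONGO_PASSWORD"
apply_secret generic chat-mongodb-app-user-password \
  --from-literal=password="$MONGO_PASSWORD"

# The admin password is deliberately not printed: stdout ends up in terminal
# scrollback, CI logs and shell history. It is already stored under secrets/.
printf '\n%s\n' "secrets/ written, k8s Secrets applied to namespace ${NAMESPACE}"
printf 'admin password stored in %s\n' "${K01_DIR}/secrets/admin-password"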