Remove committed talos/kubeconfig (cluster admin credentials). Ignore talos/kubeconfig at repo root. Replace hardcoded LDAP outpost token with AUTHENTIK_LDAP_OUTPOST_TOKEN from .env. Document Sealed Secrets workflow for Newt (kubeseal script + README updates). Clarify Talos secrets use talsecret/SOPS, not Sealed Secrets. Made-with: Cursor
20 lines
897 B
Bash
Executable File
```bash
#!/usr/bin/env bash
# Emit a SealedSecret for newt-pangolin-auth (namespace newt).
# Prerequisites: sealed-secrets controller running; kubeseal client (same minor as controller).
# Rotate Pangolin/Newt credentials in the UI first if they were exposed, then set env vars and run:
#
#   export PANGOLIN_ENDPOINT='https://pangolin.example.com'
#   export NEWT_ID='...'
#   export NEWT_SECRET='...'
#   ./kubeseal-newt-pangolin-auth.sh > newt-pangolin-auth.sealedsecret.yaml
#   kubectl apply -f newt-pangolin-auth.sealedsecret.yaml
#
set -euo pipefail

# Make sure the target namespace exists; failures (e.g. it already exists or
# the cluster is unreachable) are deliberately ignored here and surface on the
# kubeseal call below instead.
kubectl apply -f "$(dirname "$0")/../../newt/namespace.yaml" >/dev/null 2>&1 || true

# Build the plaintext Secret client-side only (--dry-run=client never sends it
# to the API server) and hand it to kubeseal, which fetches the controller's
# public cert and encrypts each value. Only the sealed output reaches stdout.
kubectl -n newt create secret generic newt-pangolin-auth \
  --dry-run=client \
  --from-literal=PANGOLIN_ENDPOINT="${PANGOLIN_ENDPOINT:?}" \
  --from-literal=NEWT_ID="${NEWT_ID:?}" \
  --from-literal=NEWT_SECRET="${NEWT_SECRET:?}" \
  -o yaml | kubeseal -o yaml
```
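An added pre-commit check, not part of this repository or commit: before the file the script above emits is added to git, confirm it really is a SealedSecret and that none of the plaintext values leaked into it. The intermediate Secret that `kubectl --dry-run=client -o yaml` produces is only base64-encoded, so committing that by mistake would be the same kind of credential exposure this commit is cleaning up. The function name `check_sealed`, the sample documents and the sample secret value are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example, not the repository's own code. Verifies a kubeseal output
# file before it is committed:
#   1. the document is of kind SealedSecret,
#   2. it carries an encryptedData section,
#   3. none of the plaintext values passed as arguments appear in it, either
#      verbatim or base64-encoded (the form they take in a plain Secret).
set -euo pipefail

# check_sealed FILE PLAINTEXT...
# Returns 0 when the file looks safe to commit, 1 otherwise (reason on stderr).
# Very short plaintext values can false-positive inside ciphertext; pass the
# actual secrets (NEWT_SECRET etc.), not trivial strings.
check_sealed() {
  local file=$1
  shift

  grep -Eq '^kind: SealedSecret$' "$file" || {
    echo "refusing: $file is not a SealedSecret document" >&2
    return 1
  }
  grep -Eq '^[[:space:]]*encryptedData:' "$file" || {
    echo "refusing: $file has no encryptedData section" >&2
    return 1
  }

  local value encoded
  for value in "$@"; do
    # kubectl stores Secret data as base64 without line wrapping.
    encoded=$(printf '%s' "$value" | base64 | tr -d '\n')
    if grep -Fq -- "$value" "$file" || grep -Fq -- "$encoded" "$file"; then
      echo "refusing: a plaintext value appears in $file (raw or base64)" >&2
      return 1
    fi
  done
  return 0
}

# Usage, mirroring the script above:
#   ./kubeseal-newt-pangolin-auth.sh > newt-pangolin-auth.sealedsecret.yaml
#   check_sealed newt-pangolin-auth.sealedsecret.yaml "$NEWT_SECRET" "$NEWT_ID" \
#     && git add newt-pangolin-auth.sealedsecret.yaml
```

The check is deliberately independent of `kubeseal` and the cluster, so it can run in a pre-commit hook or CI job that has no cluster access; it only proves the file is in sealed form, not that the controller holding the private key is the intended one.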