Created
December 31, 2021 14:04
-
-
Save ncrmro/a2095f396b74cdd1e52bf087aec0fda3 to your computer and use it in GitHub Desktop.
Generate the required secrets and init script for using postgraphile in kubernetes.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| NAMESPACE=jtx-staging | |
| DATABASE_NAME=jtx | |
| DATABASE_ROOT_PASSWORD=$(openssl rand -hex 32) | |
| DATABASE_OWNER=${DATABASE_NAME}_owner | |
| DATABASE_OWNER_PASSWORD=$(openssl rand -hex 32) | |
| DATABASE_AUTHENTICATOR=${DATABASE_NAME}_authenticator | |
| DATABASE_AUTHENTICATOR_PASSWORD=$(openssl rand -hex 32) | |
| DATABASE_VISITOR=${DATABASE_NAME}_visitor | |
| OUTPUT_FILE=pg-secrets | |
| kubectl --namespace ${NAMESPACE} create secret generic postgres-root-credentials \ | |
| --from-literal=postgresql-password=${DATABASE_ROOT_PASSWORD} \ | |
| --from-literal=databaseURI=postgres://postgres:${DATABASE_ROOT_PASSWORD}@postgres-postgresql/${DATABASE_NAME} \ | |
| --dry-run=client \ | |
| -o yaml >${OUTPUT_FILE}.yaml | |
| kubeseal --format=yaml --cert=pub-sealed-secrets.pem \ | |
| <${OUTPUT_FILE}.yaml > ${OUTPUT_FILE}-sealed.yaml | |
| echo "---" >>${OUTPUT_FILE}-sealed.yaml | |
| kubectl --namespace ${NAMESPACE} create secret generic postgres-owner-credentials \ | |
| --from-literal=username=${DATABASE_OWNER} \ | |
| --from-literal=password=${DATABASE_OWNER_PASSWORD} \ | |
| --from-literal=databaseURI=postgres://${DATABASE_OWNER}:${DATABASE_OWNER_PASSWORD}@postgres-postgresql/${DATABASE_NAME} \ | |
| --dry-run=client \ | |
| -o yaml > ${OUTPUT_FILE}.yaml | |
| kubeseal --format=yaml --cert=pub-sealed-secrets.pem \ | |
| <${OUTPUT_FILE}.yaml >> ${OUTPUT_FILE}-sealed.yaml | |
| echo "---" >>${OUTPUT_FILE}-sealed.yaml | |
| kubectl --namespace ${NAMESPACE} create secret generic postgres-authenticator-credentials \ | |
| --from-literal=username=${DATABASE_AUTHENTICATOR} \ | |
| --from-literal=password=${DATABASE_AUTHENTICATOR_PASSWORD} \ | |
| --from-literal=databaseURI=postgres://${DATABASE_AUTHENTICATOR}:${DATABASE_AUTHENTICATOR_PASSWORD}@postgres-postgresql/${DATABASE_NAME} \ | |
| --dry-run=client \ | |
| -o yaml > ${OUTPUT_FILE}.yaml | |
| kubeseal --format=yaml --cert=pub-sealed-secrets.pem \ | |
| <${OUTPUT_FILE}.yaml >> ${OUTPUT_FILE}-sealed.yaml | |
| echo "---" >>${OUTPUT_FILE}-sealed.yaml | |
| kubectl --namespace ${NAMESPACE} create secret generic postgres-visitor-credentials \ | |
| --from-literal=username=${DATABASE_VISITOR} \ | |
| --dry-run=client \ | |
| -o yaml > ${OUTPUT_FILE}.yaml | |
| kubeseal --format=yaml --cert=pub-sealed-secrets.pem \ | |
| <${OUTPUT_FILE}.yaml >> ${OUTPUT_FILE}-sealed.yaml | |
| echo "---" >> ${OUTPUT_FILE}-sealed.yaml | |
| echo 'psql postgres://postgres:'${DATABASE_ROOT_PASSWORD}'@localhost:5432/postgres -c " | |
| CREATE USER '${DATABASE_OWNER}' WITH PASSWORD '\'${DATABASE_OWNER_PASSWORD}\''; | |
| CREATE USER '${DATABASE_AUTHENTICATOR}' WITH PASSWORD '\'${DATABASE_AUTHENTICATOR_PASSWORD}\''; | |
| CREATE USER '${DATABASE_VISITOR}'; | |
| ALTER DATABASE '${DATABASE_NAME}' OWNER TO '${DATABASE_OWNER}'; | |
| ALTER SCHEMA public OWNER TO '${DATABASE_OWNER}'; | |
| GRANT '${DATABASE_VISITOR}' TO '${DATABASE_AUTHENTICATOR}'; | |
| "' > init.sh | |
| kubectl --namespace ${NAMESPACE} create secret generic postgres-init-scripts \ | |
| --from-file=init.sh=init.sh \ | |
| --dry-run=client \ | |
| -o yaml > ${OUTPUT_FILE}.yaml | |
| rm init.sh | |
| kubeseal --format=yaml --cert=pub-sealed-secrets.pem \ | |
| <${OUTPUT_FILE}.yaml >> ${OUTPUT_FILE}-sealed.yaml | |
| rm ${OUTPUT_FILE}.yaml |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment