- Migrate all ingress hostnames from *.homelab.local to *.coreworlds.io
- Remove broken Traefik certresolver config (cert-manager handles TLS)
- Add internal-only IP allowlist middleware for platform services
- Add IngressRoutes for ArgoCD, Grafana, Longhorn (LAN-only via middleware)
- Seal and add Cloudflare API token for cert-manager DNS-01 challenges
- Update cert-manager ClusterIssuers with real email
- Update k3s TLS SAN to k3s.coreworlds.io
- Rewrite Ubiquiti docs for single-node topology and split-horizon DNS
- Fix seal-secret.sh controller name to match Helm release
- Add UCG DNS setup script using API key auth
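#!/usr/bin/env bash
#
# seal-secret.sh — render a Kubernetes Secret from key=value pairs and
# encrypt it into a SealedSecret with kubeseal, writing
# <secret-name>-sealed.yaml into the current directory.
#
# Usage:
#   seal-secret.sh <secret-name> <namespace> <key=value> [key=value...]
#
# Requirements:
#   - kubectl and kubeseal on PATH.
#   - Access to the target cluster via the current kubeconfig context:
#     kubeseal fetches the sealing certificate from the controller named
#     below, so the output only decrypts on that cluster.
#
# Security notes:
#   - Secret values are passed on the command line, so they are visible in
#     `ps` output on this host and are recorded in shell history. For
#     high-value secrets prefer building the plaintext Secret with
#     `kubectl create secret generic --from-file ... --dry-run=client -o yaml`
#     and piping it straight into kubeseal, or clear the history entry.
#   - The plaintext Secret is rendered client-side (--dry-run=client) and
#     only ever exists in the pipe; nothing unencrypted is written to disk.
#   - Output goes to a temp file that is renamed into place on success, so
#     a failed run (e.g. no cluster access) cannot leave a truncated or
#     empty *-sealed.yaml behind to be committed by mistake.
#   - With kubeseal's default (strict) scope the SealedSecret is bound to
#     this name and namespace; renaming either in the YAML afterwards makes
#     the controller refuse to unseal it. Re-run this script instead.

set -euo pipefail

# Print usage to stderr and exit non-zero.
usage() {
  cat >&2 <<EOF
Usage: $0 <secret-name> <namespace> <key=value> [key=value...]

Example:
  $0 api-secrets apps database-url=postgres://... valkey-url=redis://...
EOF
  exit 1
}

# Print an error to stderr and exit non-zero.
die() {
  printf 'Error: %s\n' "$*" >&2
  exit 1
}

# Both tools are required: kubectl renders the plaintext Secret, kubeseal
# encrypts it. Checking kubectl here gives a direct message instead of a
# "command not found" from the middle of the pipeline.
if ! command -v kubectl >/dev/null 2>&1; then
  die "kubectl is not installed"
fi
if ! command -v kubeseal >/dev/null 2>&1; then
  printf 'Error: kubeseal is not installed\n' >&2
  printf 'Install: brew install kubeseal\n' >&2
  exit 1
fi

[[ $# -ge 3 ]] || usage

SECRET_NAME="$1"
NAMESPACE="$2"
shift 2

# Validate every pair before touching the cluster. kubectl would reject a
# pair without '=' or with an empty key anyway, but later and less clearly.
# The offending argument is deliberately not echoed: it may be a bare
# secret value that was typed without its key.
LITERAL_ARGS=()
i=0
for pair in "$@"; do
  i=$((i + 1))
  if [[ "$pair" != *=* || "${pair%%=*}" == "" ]]; then
    die "argument $i is not of the form key=value"
  fi
  LITERAL_ARGS+=("--from-literal=$pair")
done

OUT_FILE="${SECRET_NAME}-sealed.yaml"

# Temp file in the same directory so the final rename is atomic. With
# pipefail a kubeseal failure aborts the script, and a plain '>' redirect
# would already have created/truncated the destination by then.
TMP_FILE=$(mktemp "${OUT_FILE}.XXXXXX") || die "could not create temp file"
cleanup() { rm -f -- "$TMP_FILE"; }
trap cleanup EXIT

echo "Sealing secret '$SECRET_NAME' in namespace '$NAMESPACE'..."

# --controller-name must match the sealed-secrets Helm release name;
# kubeseal uses it to locate the controller and fetch its public cert.
kubectl create secret generic "$SECRET_NAME" \
  --namespace "$NAMESPACE" \
  --dry-run=client \
  -o yaml \
  "${LITERAL_ARGS[@]}" \
  | kubeseal \
      --format yaml \
      --controller-namespace kube-system \
      --controller-name sealed-secrets-helm \
      > "$TMP_FILE"

mv -- "$TMP_FILE" "$OUT_FILE"
trap - EXIT

echo "Sealed secret written to ${OUT_FILE}"
echo "Move this file to the appropriate k8s directory and commit it."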