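#!/bin/sh
# IBM Cloud Secrets Manager preparation and configuration
#
# Prepare usage of IBM Cloud Secrets Manager with Kubernetes-External-Secrets
# - ServiceID, API and Secrets
# - Installs/Update kubernetes-external-secrets
#
# Requires: ibmcloud CLI (already logged in and targeted), the
# secrets-manager plugin and jq; kubectl and helm3 for the section after
# the `exit 0` below.
#
# Names and the demo credential can be overridden through the environment;
# the defaults are the original hard-coded demo values.
set -u

SERVICE_ID_NAME="${SERVICE_ID_NAME:-kubernetes-secrets-demo}"
SM_INSTANCE_NAME="${SM_INSTANCE_NAME:-poc-devsecops-secretsmanager}"
SECRET_GROUP_NAME="${SECRET_GROUP_NAME:-sg-demo}"
SECRET_NAME="${SECRET_NAME:-demo-creds-01}"
DEMO_USERNAME="${DEMO_USERNAME:-aUser03}"
# Demo-only credential. Override via DEMO_PASSWORD instead of editing the
# script so the value does not have to live in version control.
DEMO_PASSWORD="${DEMO_PASSWORD:-mega-important-2009-sunny-day}"

# die MESSAGE...: print MESSAGE to stderr and abort the script.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# create Service ID and API Key
echo "ServiceID..."
SERVICE_ID=$(ibmcloud iam service-id "$SERVICE_ID_NAME" --output json | jq -r '.[].id')
if [ -z "${SERVICE_ID}" ]; then
  SERVICE_ID=$(ibmcloud iam service-id-create "$SERVICE_ID_NAME" --description "A service ID for testing Secrets Manager and Kubernetes Service." --output json | jq -r '.id')
  [ -n "${SERVICE_ID}" ] || die "failed to create service ID ${SERVICE_ID_NAME}"
  echo "ServiceID: $SERVICE_ID"
  # Only the read-only SecretsReader role is granted; the controller never
  # needs to write secrets.
  ibmcloud iam service-policy-create "$SERVICE_ID" --roles "SecretsReader" --service-name secrets-manager
else
  echo "...found: ServiceID: $SERVICE_ID"
fi
export SERVICE_ID

echo "API Key..."
# NOTE: every run mints a new API key for the service ID and never removes
# the previous ones; stale keys should be deleted after rotation.
IBM_CLOUD_API_KEY=$(ibmcloud iam service-api-key-create "$SERVICE_ID_NAME" "$SERVICE_ID" --description "An API key for testing Secrets Manager." --output json | jq -r '.apikey')
[ -n "${IBM_CLOUD_API_KEY}" ] || die "failed to create API key for ${SERVICE_ID_NAME}"
export IBM_CLOUD_API_KEY

# Prepare Secrets Manager with secret group and dummy secret
echo "SecretsManagerUrl..."
# .[0:-3] drops the last three characters of dashboard_url (presumably a UI
# path suffix) to obtain the API endpoint — confirm against the instance.
SECRETS_MANAGER_URL=$(ibmcloud resource service-instance "$SM_INSTANCE_NAME" --output json | jq -r '.[].dashboard_url | .[0:-3]')
[ -n "${SECRETS_MANAGER_URL}" ] || die "Secrets Manager instance ${SM_INSTANCE_NAME} not found"
export SECRETS_MANAGER_URL
echo "SecretsManagerUrl: $SECRETS_MANAGER_URL"

echo "SecretGroup..."
# jq -r is used on both branches: without it the lookup returns the id with
# surrounding quotes, which corrupts the JSON payload of secret-create below.
# --arg passes the name into the filter without shell interpolation.
SECRET_GROUP_ID=$(ibmcloud secrets-manager secret-groups --output json | jq -r --arg n "$SECRET_GROUP_NAME" '.resources[] | select(.name==$n) | .id')
if [ -z "${SECRET_GROUP_ID}" ]; then
  group_payload=$(jq -cn --arg n "$SECRET_GROUP_NAME" '[{name:$n,description:"Demo App and Secrets."}]')
  SECRET_GROUP_ID=$(ibmcloud secrets-manager secret-group-create --resources "$group_payload" --output json | jq -r '.resources[].id')
  [ -n "${SECRET_GROUP_ID}" ] || die "failed to create secret group ${SECRET_GROUP_NAME}"
  echo "SecretGroupId: $SECRET_GROUP_ID"
else
  echo "...found: SecretGroupId: $SECRET_GROUP_ID"
fi
export SECRET_GROUP_ID

echo "Secret..."
SECRET_ID=$(ibmcloud secrets-manager secrets --secret-type username_password --output json | jq -r --arg n "$SECRET_NAME" '.resources[] | select(.name==$n) | .id')
if [ -z "${SECRET_ID}" ]; then
  # Build the payload with jq so group id, username and password are JSON-encoded
  # rather than spliced into a string literal. The password still travels on
  # the ibmcloud command line (visible in process listings), as before.
  secret_payload=$(jq -cn --arg n "$SECRET_NAME" --arg g "$SECRET_GROUP_ID" --arg u "$DEMO_USERNAME" --arg p "$DEMO_PASSWORD" \
    '[{name:$n,description:"Demo Credential - 01.",secret_group_id:$g,username:$u,password:$p,labels:["env:nonprod","stage:demo"]}]')
  SECRET_ID=$(ibmcloud secrets-manager secret-create --secret-type username_password --resources "$secret_payload" --output json | jq -r '.resources[].id')
  [ -n "${SECRET_ID}" ] || die "failed to create secret ${SECRET_NAME}"
  echo "SecretId: $SECRET_ID"
else
  echo "...found: SecretId: $SECRET_ID"
fi
export SECRET_ID

echo "$SECRETS_MANAGER_URL"
# NOTE: this writes the freshly created API key to stdout; whatever captures
# the output (terminal scrollback, CI logs) then holds a live credential.
echo "$IBM_CLOUD_API_KEY"
# Everything below this line is unreachable until the exit is removed.
exit 0

# Create Secret with API Key, URL and type
kubectl -n default delete secret ibmcloud-credentials --ignore-not-found
kubectl -n default create secret generic ibmcloud-credentials --from-literal=apikey="$IBM_CLOUD_API_KEY" \
  --from-literal=endpoint="$SECRETS_MANAGER_URL" \
  --from-literal=authtype=iam
# Install Kubernetes-External-Secrets
helm3 repo add external-secrets https://external-secrets.github.io/kubernetes-external-secrets/
#helm3 install kubernetes-external-secrets external-secrets/kubernetes-external-secrets -f kes-ibm-cloud-sm-values.yaml -n default
helm3 upgrade --install kubernetes-external-secrets external-secrets/kubernetes-external-secrets -f kes-ibm-cloud-sm-values.yaml -n default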