vault migration

scripts/seed-vault-from-cluster.sh

@@ -0,0 +1,85 @@
+#!/usr/bin/env bash
+# seed-vault-from-cluster.sh — Read existing K8s Secrets and write to Vault KV
+#
+# Prerequisites:
+#   - vault CLI authenticated (VAULT_ADDR + VAULT_TOKEN set)
+#   - kubectl access to the cluster
+#   - KV v2 engine at kv/
+#
+# Usage: ./scripts/seed-vault-from-cluster.sh
+#
+# This reads plaintext values from existing K8s Secrets and writes them
+# to Vault KV v2 at kv/{namespace}/{secret-name}.
+
+set -euo pipefail
+
+echo "=== Seeding Vault KV from existing K8s Secrets ==="
+echo ""
+
+# Helper: read a K8s secret and write all keys to Vault KV
+seed_secret() {
+  local ns="$1"
+  local secret_name="$2"
+  local vault_path="kv/${ns}/${secret_name}"
+
+  echo "--- ${ns}/${secret_name} → ${vault_path} ---"
+
+  # Get all keys from the secret
+  local keys
+  keys=$(kubectl get secret "${secret_name}" -n "${ns}" -o json 2>/dev/null | \
+    jq -r '.data // {} | keys[]' 2>/dev/null) || {
+    echo "  SKIP: secret not found in cluster"
+    echo ""
+    return
+  }
+
+  if [ -z "${keys}" ]; then
+    echo "  SKIP: no data keys"
+    echo ""
+    return
+  fi
+
+  # Build vault kv put arguments
+  local args=()
+  for key in ${keys}; do
+    local value
+    value=$(kubectl get secret "${secret_name}" -n "${ns}" -o jsonpath="{.data.${key}}" | base64 -d)
+    args+=("${key}=${value}")
+  done
+
+  vault kv put "${vault_path}" "${args[@]}"
+  echo "  OK: $(echo "${keys}" | wc -w | tr -d ' ') keys written"
+  echo ""
+}
+
+# --- Homepage ---
+seed_secret homepage homepage-widget-credentials
+
+# --- Renovate ---
+seed_secret renovate renovate-env
+
+# --- Gitea ---
+seed_secret gitea gitea-credentials
+seed_secret gitea gitea-backup-s3
+seed_secret gitea gitea-smtp-secret
+seed_secret gitea gitea-runner-token
+
+# --- Keycloak ---
+seed_secret keycloak keycloak-credentials
+seed_secret keycloak microsoft-idp-credentials
+
+# --- ArgoCD ---
+seed_secret argocd forte-helm-repo
+seed_secret argocd forte10x-repo-creds
+seed_secret argocd mcp10x-repo-creds
+seed_secret argocd argocd-notifications-secret
+
+# --- Application secrets ---
+seed_secret mcp10x app-credentials
+seed_secret ts-mcp ts-mcp-secrets
+seed_secret argocd-mcp auth-oidc
+seed_secret argocd-mcp argocd-mcp-credentials
+seed_secret dot-ai dot-ai-secrets
+seed_secret music-man musicman-credentials
+
+echo "=== Done. Verify with: vault kv list kv/{namespace} ==="