Forte/launchpad
6
0
Fork 0
Code Issues Pull Requests Actions Packages Wiki Activity
Files
feature/vault-migration
launchpad/scripts/seed-vault-from-cluster.sh
Danijel Simeunovic 73376a0a7d vault migration
2026-04-30 22:38:33 +02:00

86 lines
2.2 KiB
Bash
Raw Permalink Blame History

#!/usr/bin/env bash
# seed-vault-from-cluster.sh — Read existing K8s Secrets and write to Vault KV
#
# Prerequisites:
# - vault CLI authenticated (VAULT_ADDR + VAULT_TOKEN set)
# - kubectl access to the cluster
# - KV v2 engine at kv/
#
# Usage: ./scripts/seed-vault-from-cluster.sh
#
# This reads plaintext values from existing K8s Secrets and writes them
# to Vault KV v2 at kv/{namespace}/{secret-name}.
set -euo pipefail
echo "=== Seeding Vault KV from existing K8s Secrets ==="
echo ""
# Helper: read a K8s secret and write all keys to Vault KV
seed_secret() {
local ns="$1"
local secret_name="$2"
local vault_path="kv/${ns}/${secret_name}"
echo "--- ${ns}/${secret_name}${vault_path} ---"
# Get all keys from the secret
local keys
keys=$(kubectl get secret "${secret_name}" -n "${ns}" -o json 2>/dev/null | \
jq -r '.data // {} | keys[]' 2>/dev/null) || {
echo " SKIP: secret not found in cluster"
echo ""
return
}
if [ -z "${keys}" ]; then
echo " SKIP: no data keys"
echo ""
return
fi
# Build vault kv put arguments
local args=()
for key in ${keys}; do
local value
value=$(kubectl get secret "${secret_name}" -n "${ns}" -o jsonpath="{.data.${key}}" | base64 -d)
args+=("${key}=${value}")
done
vault kv put "${vault_path}" "${args[@]}"
echo " OK: $(echo "${keys}" | wc -w | tr -d ' ') keys written"
echo ""
}
# --- Homepage ---
seed_secret homepage homepage-widget-credentials
# --- Renovate ---
seed_secret renovate renovate-env
# --- Gitea ---
seed_secret gitea gitea-credentials
seed_secret gitea gitea-backup-s3
seed_secret gitea gitea-smtp-secret
seed_secret gitea gitea-runner-token
# --- Keycloak ---
seed_secret keycloak keycloak-credentials
seed_secret keycloak microsoft-idp-credentials
# --- ArgoCD ---
seed_secret argocd forte-helm-repo
seed_secret argocd forte10x-repo-creds
seed_secret argocd mcp10x-repo-creds
seed_secret argocd argocd-notifications-secret
# --- Application secrets ---
seed_secret mcp10x app-credentials
seed_secret ts-mcp ts-mcp-secrets
seed_secret argocd-mcp auth-oidc
seed_secret argocd-mcp argocd-mcp-credentials
seed_secret dot-ai dot-ai-secrets
seed_secret music-man musicman-credentials
echo "=== Done. Verify with: vault kv list kv/{namespace} ==="
Reference in New Issue View Git Blame Copy Permalink