okd_firezone/secret-generator.sh

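#!/usr/bin/env bash
# Script: gen-firezone-secrets.sh
# Purpose: Generate all Firezone-required secrets as random hex values,
# and store them in an OpenShift secret.
# Configures Gmail as SMTP relay in OUTBOUND_EMAIL_ADAPTER_OPTS.
#
# Required environment (the script aborts if any is unset or empty):
#   GMAIL_USERNAME      Gmail account used as the SMTP relay login
#   GMAIL_APP_PASSWORD  Gmail app password for that account
#   DB_PASSWORD         database password, stored under the Secret key 'password'
# Optional environment:
#   NAMESPACE    target project (default: firezone)
#   SECRET_NAME  name of the Secret object (default: firezone-secrets)
#   DB_USERNAME  database user, stored under the Secret key 'username'
#                (default: firezone_db_user)
#
# Credentials are taken from the environment instead of being written into
# this file, so the script itself never has to carry the values it configures.
# Secret values are handed to `oc` through files in a private temp directory
# rather than as --from-literal arguments, which would be readable by any local
# user via the process list.
# NOTE: every run mints fresh random values and `oc apply` overwrites the
# existing Secret, so re-running rotates SECRET_KEY_BASE, the salts and
# RELEASE_COOKIE; anything signed or encrypted with the old values stops
# verifying.
set -euo pipefail

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Escape a string for use inside a JSON string literal.
# Only backslash and double quote are escaped; a value containing a raw
# newline or other control character is rejected instead of producing
# invalid JSON.
# Arguments: $1 - raw string
# Outputs:   escaped string on stdout, no trailing newline
#######################################
json_escape() {
  local raw=$1
  case "$raw" in
    *[[:cntrl:]]*) die "value contains a control character and cannot be placed in JSON" ;;
  esac
  raw=${raw//\\/\\\\}
  raw=${raw//\"/\\\"}
  printf '%s' "$raw"
}

for tool in openssl oc; do
  command -v "$tool" >/dev/null 2>&1 || die "required tool not found: $tool"
done

# Change to your desired namespace (project name), or export NAMESPACE.
NAMESPACE="${NAMESPACE:-firezone}"
SECRET_NAME="${SECRET_NAME:-firezone-secrets}"

# Credentials must come from the environment; ':?' aborts with the message
# when the variable is unset or empty.
: "${GMAIL_USERNAME:?export GMAIL_USERNAME (Gmail relay login)}"
: "${GMAIL_APP_PASSWORD:?export GMAIL_APP_PASSWORD (Gmail app password)}"
: "${DB_PASSWORD:?export DB_PASSWORD (Firezone database password)}"
DB_USERNAME="${DB_USERNAME:-firezone_db_user}"

# Random hex strings for Firezone secrets (adjust byte sizes as needed).
SECRET_KEY_BASE="$(openssl rand -hex 32)"
LIVE_VIEW_SIGNING_SALT="$(openssl rand -hex 8)"
COOKIE_SIGNING_SALT="$(openssl rand -hex 8)"
COOKIE_ENCRYPTION_SALT="$(openssl rand -hex 8)"
TOKENS_KEY_BASE="$(openssl rand -hex 32)"
TOKENS_SALT="$(openssl rand -hex 8)"
RELEASE_COOKIE="$(openssl rand -hex 16)"

# Gmail SMTP configuration, embedded in a JSON object that Swoosh can parse.
# Username and password are escaped so quotes or backslashes in the app
# password cannot break the document.
OUTBOUND_EMAIL_ADAPTER_OPTS="$(printf \
  '{"relay":"smtp.gmail.com","username":"%s","password":"%s","port":587,"ssl":false,"tls":"always","auth":"always"}' \
  "$(json_escape "$GMAIL_USERNAME")" \
  "$(json_escape "$GMAIL_APP_PASSWORD")")"

# Private scratch directory for the secret files; removed on any exit path.
# mktemp -d creates it mode 0700, and umask 077 keeps the files inside private.
umask 077
secret_dir="$(mktemp -d)" || die "mktemp failed"
cleanup() { rm -rf -- "${secret_dir:?}"; }
trap cleanup EXIT

# Each entry is SECRET_KEY=SHELL_VARIABLE: the key that appears in the Secret
# and the variable holding its value. Values are written without a trailing
# newline so the stored data matches the variable exactly.
from_file_args=()
for entry in \
  SECRET_KEY_BASE=SECRET_KEY_BASE \
  LIVE_VIEW_SIGNING_SALT=LIVE_VIEW_SIGNING_SALT \
  COOKIE_SIGNING_SALT=COOKIE_SIGNING_SALT \
  COOKIE_ENCRYPTION_SALT=COOKIE_ENCRYPTION_SALT \
  TOKENS_KEY_BASE=TOKENS_KEY_BASE \
  TOKENS_SALT=TOKENS_SALT \
  RELEASE_COOKIE=RELEASE_COOKIE \
  username=DB_USERNAME \
  password=DB_PASSWORD \
  OUTBOUND_EMAIL_ADAPTER_OPTS=OUTBOUND_EMAIL_ADAPTER_OPTS; do
  key=${entry%%=*}
  var=${entry#*=}
  printf '%s' "${!var}" > "$secret_dir/$key"
  from_file_args+=("--from-file=$key=$secret_dir/$key")
done

printf '%s\n' "Creating/updating Secret '$SECRET_NAME' in namespace '$NAMESPACE'..."
# Render the Secret client-side and apply it, so an existing object is
# updated rather than failing with "already exists".
oc -n "$NAMESPACE" create secret generic "$SECRET_NAME" \
  "${from_file_args[@]}" \
  --dry-run=client -o yaml | oc apply -f -
printf '%s\n' "Done! Your Firezone secrets have been created/updated."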