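#!/usr/bin/env bash
#
# Update Kubernetes secrets from the YAML files under deploy/k8s/<ENV>/secrets.
#
#   dev  : applies <name>.yaml with the caller's current kubectl context.
#   prod : renders <name>.tpl.yaml through `op inject` (1Password CLI) and
#          applies the result with `kubectl --context=prod`, after an
#          interactive confirmation.
#
# See usage() for arguments. Exits non-zero if any secret fails to apply.
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
ROOT_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"

# Colors
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly NC='\033[0m' # No Color

# Every secret this script knows about, in apply order. "Update all" walks
# this list, and a SECRET_NAME argument must be one of these entries, so the
# argument is never used as a free-form path component.
readonly SECRETS=(
  "ai-secrets"
  "postgres-secret"
  "minio-secret"
  "ingestor-secrets"
  "flink-secrets"
  "gateway-secrets"
  "sandbox-secrets"
)

#######################################
# Print a colored line to stdout.
# The color code goes through %b so the escape expands; the message goes
# through %s so caller-supplied text (file names, SECRET_NAME) is printed
# verbatim rather than having backslash escapes interpreted (unlike echo -e).
# Arguments: $1 - color code, $2.. - message
#######################################
cecho() {
  local color="$1"
  shift
  printf '%b%s%b\n' "$color" "$*" "$NC"
}

#######################################
# Print an error line to stderr and keep going (caller decides the exit).
# Arguments: $1.. - message
#######################################
err() {
  printf '%b%s%b\n' "$RED" "$*" "$NC" >&2
}

#######################################
# Print usage to stdout and exit 1.
#######################################
usage() {
  cat <<EOF
Usage: $0 [ENVIRONMENT] [SECRET_NAME]

Update Kubernetes secrets from YAML files

Arguments:
  ENVIRONMENT    Target environment: dev or prod (default: dev)
  SECRET_NAME    Specific secret to update (optional, updates all if not specified)

Available secrets:
  ai-secrets       - AI backend API keys
  postgres-secret  - PostgreSQL password
  minio-secret     - MinIO credentials
  ingestor-secrets - Exchange API keys
  flink-secrets
  gateway-secrets
  sandbox-secrets

Examples:
  $0                      # Update all dev secrets
  $0 dev                  # Update all dev secrets
  $0 dev ai-secrets       # Update only ai-secrets in dev
  $0 prod                 # Update all prod secrets
  $0 prod minio-secret    # Update only minio-secret in prod
EOF
  exit 1
}

#######################################
# Check whether a name is in the SECRETS list.
# Arguments: $1 - candidate secret name
# Returns:   0 if known, 1 otherwise
#######################################
is_known_secret() {
  local candidate="$1"
  local known
  for known in "${SECRETS[@]}"; do
    if [[ "$known" == "$candidate" ]]; then
      return 0
    fi
  done
  return 1
}

#######################################
# Apply a dev secret file as-is.
# Globals:   KUBECTL (read)
# Arguments: $1 - path to <name>.yaml
# Returns:   0 on success, 1 if the file is missing or kubectl apply fails
#######################################
apply_secret_dev() {
  local secret_file="$1"
  local secret_basename="${secret_file##*/}"
  secret_basename="${secret_basename%.yaml}"

  if [[ ! -f "$secret_file" ]]; then
    err "✗ Secret file not found: $secret_file"
    cecho "$YELLOW" " Copy from ${secret_basename}.yaml.example and fill in values"
    return 1
  fi

  printf '%b→%b Applying %s...\n' "$GREEN" "$NC" "$secret_basename"
  # Explicit check: set -e is suspended when this function runs inside
  # `if !`, so without it a failed apply would still fall through to "✓".
  if ! "${KUBECTL[@]}" apply -f "$secret_file"; then
    err "✗ Failed to apply $secret_basename"
    return 1
  fi
  printf '%b✓%b %s updated\n' "$GREEN" "$NC" "$secret_basename"
}

#######################################
# Render a prod template with op inject and apply the result.
# The rendered manifest is piped straight to kubectl; it is never written
# to disk.
# Globals:   KUBECTL (read)
# Arguments: $1 - path to <name>.tpl.yaml
# Returns:   0 on success, 1 if the template is missing or any stage fails
#######################################
apply_secret_prod() {
  local tpl_file="$1"
  local secret_basename="${tpl_file##*/}"
  secret_basename="${secret_basename%.tpl.yaml}"

  if [[ ! -f "$tpl_file" ]]; then
    err "✗ Template file not found: $tpl_file"
    return 1
  fi

  printf '%b→%b Applying %s (via op inject)...\n' "$GREEN" "$NC" "$secret_basename"
  # pipefail makes an op inject failure (e.g. not signed in) fail the
  # pipeline instead of being hidden behind kubectl's status.
  if ! op inject -i "$tpl_file" | "${KUBECTL[@]}" apply -f -; then
    err "✗ Failed to apply $secret_basename"
    return 1
  fi
  printf '%b✓%b %s updated\n' "$GREEN" "$NC" "$secret_basename"
}

#######################################
# Apply one secret by name for the selected environment.
# Globals:   ENV, SECRETS_DIR (read)
# Arguments: $1 - secret name (an entry of SECRETS)
# Returns:   status of the underlying apply function
#######################################
apply_secret() {
  local name="$1"
  if [[ "$ENV" == "prod" ]]; then
    apply_secret_prod "$SECRETS_DIR/$name.tpl.yaml"
  else
    apply_secret_dev "$SECRETS_DIR/$name.yaml"
  fi
}

# Parse arguments
ENV="${1:-dev}"
SECRET_NAME="${2:-}"

if [[ "$ENV" != "dev" && "$ENV" != "prod" ]]; then
  err "Error: Environment must be 'dev' or 'prod'"
  usage
fi

if [[ -n "$SECRET_NAME" ]] && ! is_known_secret "$SECRET_NAME"; then
  err "Error: Unknown secret '$SECRET_NAME'"
  usage
fi

SECRETS_DIR="$ROOT_DIR/deploy/k8s/$ENV/secrets"

if [[ ! -d "$SECRETS_DIR" ]]; then
  err "Error: Secrets directory not found: $SECRETS_DIR"
  exit 1
fi

# Set kubectl command (as an array so it is never word-split) and warn for prod
if [[ "$ENV" == "prod" ]]; then
  KUBECTL=(kubectl --context=prod)
  cecho "$YELLOW" "⚠️ WARNING: Updating PRODUCTION secrets!"
  cecho "$YELLOW" "kubectl context: prod"
  # EOF on stdin (non-interactive run) counts as "no", not as a crash under -e.
  read -r -p "Are you sure you want to continue? (yes/no): " confirm || confirm=""
  if [[ "$confirm" != "yes" ]]; then
    echo "Aborted."
    exit 0
  fi
else
  # NOTE: dev applies against whatever kubectl context is currently active;
  # this script does not pin one for dev.
  KUBECTL=(kubectl)
fi

# Update specific secret or all secrets
if [[ -n "$SECRET_NAME" ]]; then
  apply_secret "$SECRET_NAME"
else
  cecho "$GREEN" "Updating all $ENV secrets..."
  echo ""

  FAILED=0
  for secret in "${SECRETS[@]}"; do
    apply_secret "$secret" || FAILED=$((FAILED + 1))
  done

  echo ""
  if (( FAILED > 0 )); then
    if [[ "$ENV" == "prod" ]]; then
      cecho "$YELLOW" "⚠️ $FAILED secret(s) failed to apply"
      cecho "$YELLOW" "Ensure 1Password CLI is authenticated: op signin"
      cecho "$YELLOW" "Ensure 'AI Prod' vault items exist (see deploy/k8s/prod/secrets/*.tpl.yaml)"
    else
      cecho "$YELLOW" "⚠️ $FAILED secret(s) failed to apply"
      cecho "$YELLOW" "Create missing secret files by copying from .example templates:"
      cecho "$YELLOW" " cd $SECRETS_DIR"
      cecho "$YELLOW" " cp SECRET_NAME.yaml.example SECRET_NAME.yaml"
      cecho "$YELLOW" " # Edit SECRET_NAME.yaml with actual values"
    fi
    exit 1
  else
    cecho "$GREEN" "✓ All secrets updated successfully"
  fi
fi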