Refactor create-secrets.ssh to append missing secrets instead of failing if kubesecrets exists (#1431)

Author: kstev

bin/create-secrets.sh

@@ -36,6 +36,14 @@ generate_password() {
     < /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32}
 }
 
+backup_suffix="$(date +%Y%m%d%H%M%S)"
+for ssh_key_file in nova_ssh_key nova_ssh_key.pub manila_ssh_key manila_ssh_key.pub; do
+    if [[ -f "${ssh_key_file}" ]]; then
+        mv "${ssh_key_file}" "${ssh_key_file}.bak.${backup_suffix}"
+        echo "Moved existing ${ssh_key_file} to ${ssh_key_file}.bak.${backup_suffix}"
+    fi
+done
+
 mariadb_root_password=$(generate_password 32)
 mariadb_password=$(generate_password 32)
 keystone_rabbitmq_password=$(generate_password 64)
@@ -129,16 +137,23 @@ zaqar_admin_password=$(generate_password 32)
 zaqar_keystone_test_password=$(generate_password 32)
 
 OUTPUT_FILE="/etc/genestack/kubesecrets.yaml"
+GENERATED_FILE=$(mktemp)
+EXISTING_NAMES_FILE=$(mktemp)
+MISSING_SECRETS_FILE=$(mktemp)
 
-if [[ -f ${OUTPUT_FILE} ]]; then
-    echo "Error: ${OUTPUT_FILE} already exists. Please remove it before running this script."
-    echo "       This will replace an existing file and will lead to mass rotation, which is"
-    echo "       likely not what you want to do. If you really want to break your system, please"
-    echo "       make sure you know what you're doing."
-    exit 99
+if [[ -f "${OUTPUT_FILE}" ]]; then
+    cp "${OUTPUT_FILE}" "${OUTPUT_FILE}.bak.${backup_suffix}"
+    echo "Backed up existing ${OUTPUT_FILE} to ${OUTPUT_FILE}.bak.${backup_suffix}"
 fi
 
-cat <<EOF > $OUTPUT_FILE
+cleanup() {
+    rm -f nova_ssh_key nova_ssh_key.pub
+    rm -f manila_ssh_key manila_ssh_key.pub
+    rm -f "${GENERATED_FILE}" "${EXISTING_NAMES_FILE}" "${MISSING_SECRETS_FILE}"
+}
+trap cleanup EXIT
+
+cat <<EOF > "${GENERATED_FILE}"
 ---
 apiVersion: v1
 kind: Secret
@@ -997,7 +1012,7 @@ EOF
 SKYLINE_SECRETS_FILE="/etc/genestack/skylinesecrets.yaml"
 if [[ -f ${SKYLINE_SECRETS_FILE} ]]; then
     echo "Found existing ${SKYLINE_SECRETS_FILE}, appending skyline secrets..."
-    cat ${SKYLINE_SECRETS_FILE} >> ${OUTPUT_FILE}
+    cat ${SKYLINE_SECRETS_FILE} >> "${GENERATED_FILE}"
     echo "Skyline secrets appended from ${SKYLINE_SECRETS_FILE}"
 else
     echo "Note: ${SKYLINE_SECRETS_FILE} not found. Run create-skyline-secrets.sh to add skyline secrets."
@@ -1006,7 +1021,7 @@ fi
 # Check if kube-ovn-tls secret exists, and copy to openstack namespace if it does
 if kubectl -n kube-system get secret kube-ovn-tls >/dev/null 2>&1
 then
-    cat <<EOF >> $OUTPUT_FILE
+    cat <<EOF >> "${GENERATED_FILE}"
 ---
 apiVersion: v1
 kind: Secret
@@ -1021,8 +1036,52 @@ data:
 EOF
 fi
 
-rm nova_ssh_key nova_ssh_key.pub
-rm manila_ssh_key manila_ssh_key.pub
-chmod 0640 ${OUTPUT_FILE}
+if [[ -f "${OUTPUT_FILE}" ]]; then
+    awk '/ name:/ {print $2}' "${OUTPUT_FILE}" | sort -u > "${EXISTING_NAMES_FILE}"
+
+    awk '
+    BEGIN {
+        while ((getline < ARGV[1]) > 0) {
+            existing[$1] = 1
+        }
+        ARGV[1] = ""
+    }
+    /^---$/ {
+        if (doc != "") {
+            if (name == "" || !(name in existing)) {
+                printf "%s", doc
+            }
+        }
+        doc = $0 ORS
+        name = ""
+        next
+    }
+    {
+        doc = doc $0 ORS
+    }
+    $1 == "name:" {
+        name = $2
+    }
+    END {
+        if (doc != "") {
+            if (name == "" || !(name in existing)) {
+                printf "%s", doc
+            }
+        }
+    }
+    ' "${EXISTING_NAMES_FILE}" "${GENERATED_FILE}" > "${MISSING_SECRETS_FILE}"
+
+    if [[ -s "${MISSING_SECRETS_FILE}" ]]; then
+        cat "${MISSING_SECRETS_FILE}" >> "${OUTPUT_FILE}"
+        echo "Appended missing secrets to existing ${OUTPUT_FILE}"
+    else
+        echo "No missing secrets found. ${OUTPUT_FILE} unchanged."
+    fi
+else
+    mv "${GENERATED_FILE}" "${OUTPUT_FILE}"
+    echo "Created new secrets YAML file as ${OUTPUT_FILE}"
+fi
+
+chmod 0640 "${OUTPUT_FILE}"
 echo ""
-echo "Secrets YAML file created as ${OUTPUT_FILE}"
+echo "Secrets YAML file is ready at ${OUTPUT_FILE}"