Version

utils/genProductionKeys.ts

@@ -0,0 +1,62 @@
+import keypair from "keypair";
+import { mkdirSync } from "fs";
+
+const outputDir = "production-keys";
+
+console.log(`
+Generating Production Keys
+-----------------
+This script will generate all RSA key pairs needed for the production deployment.
+Output directory: ${outputDir}/
+-----------------`);
+
+// Ensure output directory exists
+mkdirSync(outputDir, { recursive: true });
+
+const keyFiles = ["accessToken", "refreshToken", "permissions", "secureValues"];
+
+const generatedKeys: Record<string, { private: string; public: string }> = {};
+
+for (const name of keyFiles) {
+  console.log(`Generating '${name}' key pair (4096-bit RSA)...`);
+  const keys = keypair({ bits: 4096 });
+  generatedKeys[name] = keys;
+
+  const privPath = `${outputDir}/${name}.key`;
+  const pubPath = `${outputDir}/${name}.pub`;
+
+  await Bun.write(privPath, keys.private);
+  await Bun.write(pubPath, keys.public);
+
+  console.log(`  ✔ ${privPath}`);
+  console.log(`  ✔ ${pubPath}`);
+}
+
+// Generate Kubernetes Secret YAML
+const toBase64 = (str: string) => Buffer.from(str).toString("base64");
+
+const secretYaml = `apiVersion: v1
+kind: Secret
+metadata:
+  name: ttscm-keys
+type: Opaque
+data:
+  accessToken.key: ${toBase64(generatedKeys["accessToken"].private)}
+  refreshToken.key: ${toBase64(generatedKeys["refreshToken"].private)}
+  permissions.key: ${toBase64(generatedKeys["permissions"].private)}
+  secureValues.key: ${toBase64(generatedKeys["secureValues"].private)}
+  secureValues.pub: ${toBase64(generatedKeys["secureValues"].public)}
+`;
+
+const secretPath = `${outputDir}/ttscm-keys-secret.yaml`;
+await Bun.write(secretPath, secretYaml);
+console.log(`\n  ✔ ${secretPath}`);
+
+console.log(`
+-----------------
+All production keys and K8s Secret manifest generated in '${outputDir}/'.
+
+⚠️  Delete the '${outputDir}/' directory after applying to your cluster.
+    Do NOT commit these keys to version control.
+-----------------
+`);