titan-iac/services/vault/scripts/vault_k8s_auth_configure.sh

#!/usr/bin/env bash
set -euo pipefail

log() { echo "[vault-k8s-auth] $*"; }

status_json="$(vault status -format=json || true)"
if [[ -z "${status_json}" ]]; then
  log "vault status failed; check VAULT_ADDR and VAULT_TOKEN"
  exit 1
fi

if ! grep -q '"initialized":true' <<<"${status_json}"; then
  log "vault not initialized; skipping"
  exit 0
fi

if grep -q '"sealed":true' <<<"${status_json}"; then
  log "vault sealed; skipping"
  exit 0
fi

k8s_host="https://${KUBERNETES_SERVICE_HOST}:443"
k8s_ca="$(cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt)"
k8s_token="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
role_ttl="${VAULT_K8S_ROLE_TTL:-1h}"

if ! vault auth list -format=json | grep -q '"kubernetes/"'; then
  log "enabling kubernetes auth"
  vault auth enable kubernetes
fi

log "configuring kubernetes auth"
vault write auth/kubernetes/config \
  token_reviewer_jwt="${k8s_token}" \
  kubernetes_host="${k8s_host}" \
  kubernetes_ca_cert="${k8s_ca}"

declare -A roles
roles[outline]=outline-vault
roles[planka]=planka-vault

for namespace in "${!roles[@]}"; do
  policy_name="${namespace}"
  service_account="${roles[$namespace]}"

  log "writing policy ${policy_name}"
  vault policy write "${policy_name}" - <<EOF
path "kv/data/atlas/${namespace}/*" {
  capabilities = ["read"]
}
path "kv/metadata/atlas/${namespace}/*" {
  capabilities = ["list"]
}
EOF

  log "writing role ${namespace}"
  vault write "auth/kubernetes/role/${namespace}" \
    bound_service_account_names="${service_account}" \
    bound_service_account_namespaces="${namespace}" \
    policies="${policy_name}" \
    ttl="${role_ttl}"
done
feat: start vault consumption for outline and planka 2026-01-14 01:30:41 -03:00			`#!/usr/bin/env bash`
			`set -euo pipefail`

			`log() { echo "[vault-k8s-auth] $*"; }`

			`status_json="$(vault status -format=json \|\| true)"`
			`if [[ -z "${status_json}" ]]; then`
			`log "vault status failed; check VAULT_ADDR and VAULT_TOKEN"`
			`exit 1`
			`fi`

			`if ! grep -q '"initialized":true' <<<"${status_json}"; then`
			`log "vault not initialized; skipping"`
			`exit 0`
			`fi`

			`if grep -q '"sealed":true' <<<"${status_json}"; then`
			`log "vault sealed; skipping"`
			`exit 0`
			`fi`

			`k8s_host="https://${KUBERNETES_SERVICE_HOST}:443"`
			`k8s_ca="$(cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt)"`
			`k8s_token="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"`
			`role_ttl="${VAULT_K8S_ROLE_TTL:-1h}"`

			`if ! vault auth list -format=json \| grep -q '"kubernetes/"'; then`
			`log "enabling kubernetes auth"`
			`vault auth enable kubernetes`
			`fi`

			`log "configuring kubernetes auth"`
			`vault write auth/kubernetes/config \`
			`token_reviewer_jwt="${k8s_token}" \`
			`kubernetes_host="${k8s_host}" \`
			`kubernetes_ca_cert="${k8s_ca}"`

			`declare -A roles`
			`roles[outline]=outline-vault`
			`roles[planka]=planka-vault`

			`for namespace in "${!roles[@]}"; do`
			`policy_name="${namespace}"`
			`service_account="${roles[$namespace]}"`

			`log "writing policy ${policy_name}"`
			`vault policy write "${policy_name}" - <<EOF`
			`path "kv/data/atlas/${namespace}/*" {`
			`capabilities = ["read"]`
			`}`
			`path "kv/metadata/atlas/${namespace}/*" {`
			`capabilities = ["list"]`
			`}`
			`EOF`

			`log "writing role ${namespace}"`
			`vault write "auth/kubernetes/role/${namespace}" \`
			`bound_service_account_names="${service_account}" \`
			`bound_service_account_namespaces="${namespace}" \`
			`policies="${policy_name}" \`
			`ttl="${role_ttl}"`
			`done`