#!/usr/bin/env sh
set -eu

log() { echo "[vault-k8s-auth] $*"; }

status_json="$(vault status -format=json || true)"
if [ -z "${status_json}" ]; then
  log "vault status failed; check VAULT_ADDR and VAULT_TOKEN"
  exit 1
fi

if ! printf '%s' "${status_json}" | grep -q '"initialized":[[:space:]]*true'; then
  log "vault not initialized; skipping"
  exit 0
fi

if printf '%s' "${status_json}" | grep -q '"sealed":[[:space:]]*true'; then
  log "vault sealed; skipping"
  exit 0
fi

k8s_host="https://${KUBERNETES_SERVICE_HOST}:443"
k8s_ca="$(cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt)"
k8s_token="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
role_ttl="${VAULT_K8S_ROLE_TTL:-1h}"

if ! vault auth list -format=json | grep -q '"kubernetes/"'; then
  log "enabling kubernetes auth"
  vault auth enable kubernetes
fi

log "configuring kubernetes auth"
vault write auth/kubernetes/config \
  token_reviewer_jwt="${k8s_token}" \
  kubernetes_host="${k8s_host}" \
  kubernetes_ca_cert="${k8s_ca}"

for namespace in outline planka; do
  policy_name="${namespace}"
  case "${namespace}" in
    outline) service_account="outline-vault" ;;
    planka) service_account="planka-vault" ;;
    *) log "unknown namespace ${namespace}"; exit 1 ;;
  esac

  log "writing policy ${policy_name}"
  vault policy write "${policy_name}" - <<EOF
path "kv/data/atlas/${namespace}/*" {
  capabilities = ["read"]
}
path "kv/metadata/atlas/${namespace}/*" {
  capabilities = ["list"]
}
EOF

  log "writing role ${namespace}"
  vault write "auth/kubernetes/role/${namespace}" \
    bound_service_account_names="${service_account}" \
    bound_service_account_namespaces="${namespace}" \
    policies="${policy_name}" \
    ttl="${role_ttl}"
done