#!/usr/bin/env bash
set -euo pipefail

log() { echo "[vault-k8s-auth] $*"; }

status_json="$(vault status -format=json || true)"
if [[ -z "${status_json}" ]]; then
  log "vault status failed; check VAULT_ADDR and VAULT_TOKEN"
  exit 1
fi

if ! grep -q '"initialized":true' <<<"${status_json}"; then
  log "vault not initialized; skipping"
  exit 0
fi

if grep -q '"sealed":true' <<<"${status_json}"; then
  log "vault sealed; skipping"
  exit 0
fi

k8s_host="https://${KUBERNETES_SERVICE_HOST}:443"
k8s_ca="$(cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt)"
k8s_token="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
role_ttl="${VAULT_K8S_ROLE_TTL:-1h}"

if ! vault auth list -format=json | grep -q '"kubernetes/"'; then
  log "enabling kubernetes auth"
  vault auth enable kubernetes
fi

log "configuring kubernetes auth"
vault write auth/kubernetes/config \
  token_reviewer_jwt="${k8s_token}" \
  kubernetes_host="${k8s_host}" \
  kubernetes_ca_cert="${k8s_ca}"

declare -A roles
roles[outline]=outline-vault
roles[planka]=planka-vault

for namespace in "${!roles[@]}"; do
  policy_name="${namespace}"
  service_account="${roles[$namespace]}"

  log "writing policy ${policy_name}"
  vault policy write "${policy_name}" - <<EOF
path "kv/data/atlas/${namespace}/*" {
  capabilities = ["read"]
}
path "kv/metadata/atlas/${namespace}/*" {
  capabilities = ["list"]
}
EOF

  log "writing role ${namespace}"
  vault write "auth/kubernetes/role/${namespace}" \
    bound_service_account_names="${service_account}" \
    bound_service_account_namespaces="${namespace}" \
    policies="${policy_name}" \
    ttl="${role_ttl}"
done