#!/usr/bin/env sh
# Bootstrap Vault's Kubernetes auth method from inside the cluster: enable
# the method if it is absent, point it at the in-cluster API server, then
# write one policy and one role per application namespace.
#
# Required environment: VAULT_ADDR and VAULT_TOKEN (consumed by the vault
# CLI) and KUBERNETES_SERVICE_HOST (injected by Kubernetes).
# Optional: VAULT_K8S_ROLE_TTL, the ttl applied to each role (default 1h).
#
# Exits 0 without making changes when Vault is uninitialized or sealed.

# Abort on the first failing command and on any reference to an unset
# variable. No pipefail: the script must run under plain /bin/sh.
set -e
set -u
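# Print one tagged diagnostic line to stdout.
# printf replaces echo so that a message can never be misread as an echo
# option (-n/-e) or have backslashes interpreted by the shell's echo.
# Arguments: $* - message words, joined by single spaces
log() { printf '[vault-k8s-auth] %s\n' "$*"; }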
# Snapshot Vault's status once. `|| true` keeps set -e from aborting here:
# an unreachable server yields empty output (handled below), while a sealed
# server exits non-zero but still prints its status JSON.
status_json="$(vault status -format=json || true)"
[ -n "${status_json}" ] || {
  log "vault status failed; check VAULT_ADDR and VAULT_TOKEN"
  exit 1
}

#######################################
# Succeed when the named boolean field of the status JSON is true.
# Globals:   status_json (read)
# Arguments: $1 - field name, e.g. initialized or sealed
#######################################
status_flag() {
  printf '%s' "${status_json}" | grep -q "\"$1\":[[:space:]]*true"
}

# An uninitialized or sealed Vault cannot be configured; leave quietly so a
# later run can pick the work up.
if ! status_flag initialized; then
  log "vault not initialized; skipping"
  exit 0
fi

if status_flag sealed; then
  log "vault sealed; skipping"
  exit 0
fi
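# In-cluster API server endpoint. Host and port are both injected by
# Kubernetes; the port falls back to 443 for environments that only set the
# host. set -u aborts with a clear message if the host is missing.
k8s_host="https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT:-443}"
# Projected service-account credentials Vault will use for TokenReview calls.
sa_dir="/var/run/secrets/kubernetes.io/serviceaccount"
role_ttl="${VAULT_K8S_ROLE_TTL:-1h}"

for sa_file in ca.crt token; do
  [ -r "${sa_dir}/${sa_file}" ] || {
    log "cannot read ${sa_dir}/${sa_file}; is the service account mounted?"
    exit 1
  }
done

# Capture the mount list in its own step so a failing `vault auth list`
# aborts under set -e instead of being masked by grep and followed by a
# spurious `auth enable`.
auth_mounts="$(vault auth list -format=json)"
if ! printf '%s' "${auth_mounts}" | grep -q '"kubernetes/"'; then
  log "enabling kubernetes auth"
  vault auth enable kubernetes
fi

log "configuring kubernetes auth"
# `@file` makes the vault CLI read each value from the file itself, so the
# reviewer JWT never appears on the command line (visible via ps, shell
# tracing and process auditing) as it would when passed through a variable.
vault write auth/kubernetes/config \
  token_reviewer_jwt="@${sa_dir}/token" \
  kubernetes_host="${k8s_host}" \
  kubernetes_ca_cert="@${sa_dir}/ca.crt"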
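#######################################
# Print the Vault policy (HCL) for one application namespace to stdout:
# read/list on the namespace's own kv subtree plus read/list on any extra
# shared kv paths it is entitled to.
# Arguments:
#   $1 - namespace; grants read on kv/data/atlas/<ns>/* and list on
#        kv/metadata/atlas/<ns>/*
#   $2 - space-separated list of kv paths under atlas/ (may be empty)
# Outputs:   policy text on stdout
#######################################
render_policy() {
  printf 'path "kv/data/atlas/%s/*" {\n  capabilities = ["read"]\n}\n' "$1"
  printf 'path "kv/metadata/atlas/%s/*" {\n  capabilities = ["list"]\n}\n' "$1"
  # Word-splitting of $2 is intentional: it is a space-separated list.
  for shared in $2; do
    printf 'path "kv/data/atlas/%s" {\n  capabilities = ["read"]\n}\n' "${shared}"
    printf 'path "kv/metadata/atlas/%s" {\n  capabilities = ["list"]\n}\n' "${shared}"
  done
}

# One policy and one Kubernetes auth role per namespace. The role binds the
# listed service accounts in that namespace only, so a token from another
# namespace cannot log in to it.
for namespace in outline planka bstein-dev-home gitea vaultwarden sso; do
  policy_name="${namespace}"
  service_account=""
  shared_paths=""

  case "${namespace}" in
    outline)
      service_account="outline-vault"
      ;;
    planka)
      service_account="planka-vault"
      ;;
    bstein-dev-home)
      service_account="bstein-dev-home"
      shared_paths="shared/chat-ai-keys-runtime shared/portal-e2e-client"
      ;;
    gitea)
      service_account="gitea-vault"
      ;;
    vaultwarden)
      service_account="vaultwarden-vault"
      ;;
    sso)
      # Comma-separated: the role accepts either service account.
      service_account="sso-vault,mas-secrets-ensure"
      shared_paths="shared/keycloak-admin shared/portal-e2e-client"
      ;;
    *)
      # Unreachable while the loop list and the case arms agree; kept so a
      # namespace added to the list without an arm fails loudly.
      log "unknown namespace ${namespace}"
      exit 1
      ;;
  esac

  log "writing policy ${policy_name}"
  # `-` makes `vault policy write` read the policy body from stdin.
  render_policy "${namespace}" "${shared_paths}" \
    | vault policy write "${policy_name}" -

  log "writing role ${namespace}"
  vault write "auth/kubernetes/role/${namespace}" \
    bound_service_account_names="${service_account}" \
    bound_service_account_namespaces="${namespace}" \
    policies="${policy_name}" \
    ttl="${role_ttl}"
done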