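#!/usr/bin/env sh
# Bootstrap Vault's Kubernetes auth method and a read-only policy + role for
# each application namespace listed in the loop at the bottom.
#
# Required env: VAULT_ADDR, VAULT_TOKEN      (consumed by the vault CLI)
#               KUBERNETES_SERVICE_HOST      (injected into every pod)
# Optional env: KUBERNETES_SERVICE_PORT      (default 443)
#               VAULT_K8S_ROLE_TTL           (default 1h)
#
# POSIX sh: there is no pipefail, so command output is captured into a
# variable before it is inspected; a failing vault call then aborts via -e
# instead of being masked by the grep at the end of a pipeline.
set -eu

sa_dir=/var/run/secrets/kubernetes.io/serviceaccount

# log MSG... : prefixed diagnostic line on stdout.
log() { printf '[vault-k8s-auth] %s\n' "$*"; }

# json_has JSON PATTERN : succeed when PATTERN (a BRE) occurs in JSON.
# Callers pass '"key":[[:space:]]*value' so both compact and pretty-printed
# CLI output match (the vault CLI indents its JSON with a space after ':').
json_has() { printf '%s' "$1" | grep -q -- "$2"; }

# `vault status` exits non-zero when sealed, so the status is captured
# unconditionally and the JSON body is inspected instead of the exit code.
status_json="$(vault status -format=json || true)"
if [ -z "${status_json}" ]; then
  log "vault status failed; check VAULT_ADDR and VAULT_TOKEN"
  exit 1
fi

if ! json_has "${status_json}" '"initialized":[[:space:]]*true'; then
  log "vault not initialized; skipping"
  exit 0
fi

if json_has "${status_json}" '"sealed":[[:space:]]*true'; then
  log "vault sealed; skipping"
  exit 0
fi

# Fail early with a clear message when not running inside a pod.
for sa_file in ca.crt token; do
  if [ ! -r "${sa_dir}/${sa_file}" ]; then
    log "missing ${sa_dir}/${sa_file}; not running inside a pod?"
    exit 1
  fi
done

k8s_host="https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT:-443}"
role_ttl="${VAULT_K8S_ROLE_TTL:-1h}"

# Captured first so a failing `vault auth list` (e.g. insufficient token
# capabilities) aborts here rather than being read as "method not enabled".
auth_json="$(vault auth list -format=json)"
if ! json_has "${auth_json}" '"kubernetes/"'; then
  log "enabling kubernetes auth"
  vault auth enable kubernetes
fi

log "configuring kubernetes auth"
# @FILE makes the CLI read the value from disk, so the token-reviewer JWT is
# never placed in argv where `ps`/process-table readers could observe it.
vault write auth/kubernetes/config \
  token_reviewer_jwt=@"${sa_dir}/token" \
  kubernetes_host="${k8s_host}" \
  kubernetes_ca_cert=@"${sa_dir}/ca.crt"

for namespace in outline planka; do
  policy_name="${namespace}"
  case "${namespace}" in
    outline) service_account="outline-vault" ;;
    planka) service_account="planka-vault" ;;
    *) log "unknown namespace ${namespace}"; exit 1 ;;
  esac

  log "writing policy ${policy_name}"
  # Read-only access scoped to the namespace's own KV v2 subtree:
  # secret data may be read, metadata may only be listed.
  vault policy write "${policy_name}" - <<EOF
path "kv/data/atlas/${namespace}/*" {
  capabilities = ["read"]
}
path "kv/metadata/atlas/${namespace}/*" {
  capabilities = ["list"]
}
EOF

  log "writing role ${namespace}"
  # The role is bound to one service account in one namespace, so a token
  # from any other SA/namespace cannot log in as this role.
  vault write "auth/kubernetes/role/${namespace}" \
    bound_service_account_names="${service_account}" \
    bound_service_account_namespaces="${namespace}" \
    policies="${policy_name}" \
    ttl="${role_ttl}"
done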