k8s/scripts/vault-config-operator-vault.sh

#!/bin/bash
cat << EOH > vault-config-operator.hcl
path "kv/data/vault-config-operator" {
  capabilities = ["read"]
}

# List existing policies
path "sys/policy"
{
  capabilities = ["list"]
}
path "sys/policy/*"
{
  capabilities = ["create", "read", "update", "delete", "list"]
}
EOH
vault policy write vault-config-operator vault-config-operator.hcl
rm vault-config-operator.hcl

HOST_IP=$(ip addr show eth0 | grep -Po 'inet \K[\d.]+')
TOKEN="$(kubectl get secret serviceaccounttoken -n ${NAMESPACE} -o go-template='{{ .data.token }}' | base64 -d)"

vault write auth/${VAULT_AUTH_NAMESPACE}/role/vault-config-operator \
    bound_service_account_names=vault-config-operator,controller-manager,default \
    bound_service_account_namespaces=${NAMESPACE} \
    policies=vault-config-operator \
    ttl=24h

vault write auth/${VAULT_AUTH_NAMESPACE}/login role=vault-config-operator jwt=${TOKEN} iss=https://${HOST_IP}:6443
add vault scripts back 2023-07-11 17:38:32 +00:00			`#!/bin/bash`
			`cat << EOH > vault-config-operator.hcl`
			`path "kv/data/vault-config-operator" {`
			`capabilities = ["read"]`
			`}`

			`# List existing policies`
			`path "sys/policy"`
			`{`
			`capabilities = ["list"]`
			`}`
			`path "sys/policy/*"`
			`{`
			`capabilities = ["create", "read", "update", "delete", "list"]`
			`}`
			`EOH`
			`vault policy write vault-config-operator vault-config-operator.hcl`
			`rm vault-config-operator.hcl`

			`HOST_IP=$(ip addr show eth0 \| grep -Po 'inet \K[\d.]+')`
			`TOKEN="$(kubectl get secret serviceaccounttoken -n ${NAMESPACE} -o go-template='{{ .data.token }}' \| base64 -d)"`

			`vault write auth/${VAULT_AUTH_NAMESPACE}/role/vault-config-operator \`
			`bound_service_account_names=vault-config-operator,controller-manager,default \`
			`bound_service_account_namespaces=${NAMESPACE} \`
			`policies=vault-config-operator \`
			`ttl=24h`

			`vault write auth/${VAULT_AUTH_NAMESPACE}/login role=vault-config-operator jwt=${TOKEN} iss=https://${HOST_IP}:6443`