add vault scripts back

This commit is contained in:
Amarpreet Minhas 2023-07-11 17:38:32 +00:00
parent 1dd80c317a
commit 5a739e62e0
7 changed files with 147 additions and 0 deletions

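--- /dev/null
+++ b/scripts/chartmuseum-vault.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+cat << EOH > chartmuseum.hcl
+path "kv/data/chartmuseum" {
+capabilities = ["read"]
+}
+EOH
+vault policy write chartmuseum chartmuseum.hcl
+rm chartmuseum.hcl
+HOST_IP=$(ip addr show eth0 | grep -Po 'inet \K[\d.]+')
+TOKEN="$(kubectl get secret serviceaccounttoken -n chartmuseum -o go-template='{{ .data.token }}' | base64 -d)"
+vault write auth/${VAULT_AUTH_NAMESPACE}/role/chartmuseum \
+bound_service_account_names=chartmuseum \
+bound_service_account_namespaces=chartmuseum \
+policies=chartmuseum \
+ttl=24h
+vault write auth/${VAULT_AUTH_NAMESPACE}/login role=chartmuseum jwt=${TOKEN} iss=https://${HOST_IP}:6443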
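Review bot: The decoded service-account token is handed to `vault write ... jwt=${TOKEN}` on the command line, where it is visible to `ps`, shell history and any `set -x` trace; the Vault CLI reads a value from stdin when it is given as `-`, so the JWT never needs to touch argv. The policy body has the same shape of problem: it is written to `chartmuseum.hcl` in the current directory and removed afterwards, so an interruption between the write and the `rm` leaves the file behind, whereas `vault policy write chartmuseum -` takes the policy from stdin. The script also runs without `set -e`/`pipefail` and never checks `VAULT_AUTH_NAMESPACE`, so an unset variable yields the path `auth//role/chartmuseum` instead of an error, and a failed policy write still lets the role creation and login proceed. Whether the trailing login is needed at all is not clear from the diff — it mints a 24h Vault token and prints it to stdout — so if it is only a smoke test, discard its output.
```shell
#!/bin/bash
set -euo pipefail
: "${VAULT_AUTH_NAMESPACE:?must be set to the auth mount path}"
# Policy from stdin: nothing is left on disk if the script is interrupted.
vault policy write chartmuseum - <<'EOH'
path "kv/data/chartmuseum" {
  capabilities = ["read"]
}
EOH
# … unchanged: HOST_IP discovery, TOKEN lookup and role creation …
# jwt=- reads the token from stdin so it never appears in argv; printf avoids a trailing newline.
printf '%s' "${TOKEN}" | vault write auth/"${VAULT_AUTH_NAMESPACE}"/login role=chartmuseum jwt=- iss="https://${HOST_IP}:6443" >/dev/null
```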

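--- /dev/null
+++ b/scripts/miniflux-vault.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+cat << EOH > miniflux.hcl
+path "kv/data/miniflux" {
+capabilities = ["read"]
+}
+EOH
+vault policy write miniflux miniflux.hcl
+rm miniflux.hcl
+HOST_IP=$(ip addr show eth0 | grep -Po 'inet \K[\d.]+')
+TOKEN="$(kubectl get secret serviceaccounttoken -n miniflux -o go-template='{{ .data.token }}' | base64 -d)"
+vault write auth/${VAULT_AUTH_NAMESPACE}/role/miniflux \
+bound_service_account_names=miniflux \
+bound_service_account_namespaces=miniflux \
+policies=miniflux \
+ttl=24h
+vault write auth/${VAULT_AUTH_NAMESPACE}/login role=miniflux jwt=${TOKEN} iss=https://${HOST_IP}:6443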
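Review bot: `iss=https://${HOST_IP}:6443` on the login line does not look like a login parameter — as far as Vault's documented API goes, both the kubernetes and jwt auth methods accept only `role` and `jwt` at `auth/<mount>/login`, and the expected issuer is a config-time setting (`issuer=` on `auth/<mount>/config`, with validation toggled by `disable_iss_validation`). If that holds for the mount behind `VAULT_AUTH_NAMESPACE`, the value is silently ignored and the token's issuer is checked against whatever the mount was configured with, not this host's eth0 address, so the script gives a false sense of pinning. Worth confirming against the mount type; if the issuer really needs pinning, set it once on the config endpoint, e.g. `vault write auth/"${VAULT_AUTH_NAMESPACE}"/config issuer="https://${HOST_IP}:6443"` (kubernetes method only), and drop `iss=` from the login call. A short comment stating which auth method the mount uses would make the intended contract reviewable.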

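--- /dev/null
+++ b/scripts/nextcloud-vault.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+cat << EOH > nextcloud.hcl
+path "kv/data/nextcloud" {
+capabilities = ["read"]
+}
+EOH
+vault policy write nextcloud nextcloud.hcl
+rm nextcloud.hcl
+HOST_IP=$(ip addr show eth0 | grep -Po 'inet \K[\d.]+')
+TOKEN="$(kubectl get secret serviceaccounttoken -n nextcloud -o go-template='{{ .data.token }}' | base64 -d)"
+vault write auth/${VAULT_AUTH_NAMESPACE}/role/nextcloud \
+bound_service_account_names=nextcloud \
+bound_service_account_namespaces=nextcloud \
+policies=nextcloud \
+ttl=24h
+vault write auth/${VAULT_AUTH_NAMESPACE}/login role=nextcloud jwt=${TOKEN} iss=https://${HOST_IP}:6443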
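Review bot: `HOST_IP=$(ip addr show eth0 | grep -Po 'inet \K[\d.]+')` assumes the API server is reachable on the IPv4 address of an interface literally named `eth0`; on a host with a different interface name `HOST_IP` is empty, and with several addresses on eth0 it becomes a multi-line value, and because `${HOST_IP}` and `${TOKEN}` are unquoted on the login line the result word-splits into extra arguments rather than failing loudly. Taking the address from the kubeconfig the script already depends on, e.g. `API_SERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')`, removes the interface assumption entirely. At minimum quote the expansions — `jwt="${TOKEN}" iss="https://${HOST_IP}:6443"` — and guard with `: "${HOST_IP:?no IPv4 address found on eth0}"` so an empty value stops the script before it talks to Vault.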

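--- /dev/null
+++ b/scripts/photoprism-vault.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+cat << EOH > photos.hcl
+path "kv/data/photoview" {
+capabilities = ["read"]
+}
+EOH
+vault policy write photos photos.hcl
+rm photos.hcl
+HOST_IP=$(ip addr show eth0 | grep -Po 'inet \K[\d.]+')
+TOKEN="$(kubectl get secret serviceaccounttoken -n photos -o go-template='{{ .data.token }}' | base64 -d)"
+vault write auth/${VAULT_AUTH_NAMESPACE}/role/photos \
+bound_service_account_names=photos \
+bound_service_account_namespaces=photos \
+policies=photos \
+ttl=24h
+vault write auth/${VAULT_AUTH_NAMESPACE}/login role=photos jwt=${TOKEN} iss=https://${HOST_IP}:6443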
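Review bot: The policy written as `photos` grants read on `kv/data/photoview`, while the file is named `photoprism-vault.sh` and the role, namespace and service account are all `photos`; if the secret actually lives under `kv/data/photos` or `kv/data/photoprism`, the role will authenticate fine and every read will then be denied, which is a confusing failure to chase later. If `photoview` is intentional (an earlier app name whose secret path was kept), say so above the heredoc — `# secret path kept as kv/data/photoview for the existing secret; role/SA are named photos` — so the next reader does not "fix" it. If it is a leftover from a copy of another script, the path should be brought in line with the other names in this file.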

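--- /dev/null
+++ b/scripts/pihole-vault.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+cat << EOH > pihole.hcl
+path "kv/data/pihole" {
+capabilities = ["read"]
+}
+EOH
+vault policy write pihole pihole.hcl
+rm pihole.hcl
+HOST_IP=$(ip addr show eth0 | grep -Po 'inet \K[\d.]+')
+TOKEN="$(kubectl get secret serviceaccounttoken -n external-dns -o go-template='{{ .data.token }}' | base64 -d)"
+vault write auth/${VAULT_AUTH_NAMESPACE}/role/external-dns \
+bound_service_account_names=default,external-dns \
+bound_service_account_namespaces=external-dns \
+policies=external-dns \
+ttl=24h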
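Review bot: This script writes a policy named `pihole` but the role it creates at `role/external-dns` attaches `policies=external-dns`, a policy this diff never writes; unless that policy already exists in Vault, the role will authenticate and hand out a token that cannot read `kv/data/pihole`. Either the role should reference `policies=pihole` or the policy name at the top should be `external-dns` — the two halves of the file currently disagree. The binding `bound_service_account_names=default,external-dns` also lets any pod in the `external-dns` namespace that omits `serviceAccountName` assume the role; binding only `external-dns` keeps the identity tied to the workload that needs it. `HOST_IP` and `TOKEN` are computed but never used in the lines shown (the login step present in the sibling scripts is absent here), so either they can be removed or the login was lost — the section reports 18 additions while fewer are displayed, so this may be a rendering gap rather than an omission.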


@ -0,0 +1,30 @@
#!/bin/bash
cat << EOH > vault-config-operator.hcl
path "kv/data/vault-config-operator" {
capabilities = ["read"]
}
# List existing policies
path "sys/policy"
{
capabilities = ["list"]
}
path "sys/policy/*"
{
capabilities = ["create", "read", "update", "delete", "list"]
}
EOH
vault policy write vault-config-operator vault-config-operator.hcl
rm vault-config-operator.hcl
HOST_IP=$(ip addr show eth0 | grep -Po 'inet \K[\d.]+')
TOKEN="$(kubectl get secret serviceaccounttoken -n ${NAMESPACE} -o go-template='{{ .data.token }}' | base64 -d)"
vault write auth/${VAULT_AUTH_NAMESPACE}/role/vault-config-operator \
bound_service_account_names=vault-config-operator,controller-manager,default \
bound_service_account_namespaces=${NAMESPACE} \
policies=vault-config-operator \
ttl=24h
vault write auth/${VAULT_AUTH_NAMESPACE}/login role=vault-config-operator jwt=${TOKEN} iss=https://${HOST_IP}:6443
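Review bot: The `vault-config-operator` policy grants `create`, `read`, `update`, `delete`, `list` on `sys/policy/*`, which makes any holder of this token effectively root: it can rewrite its own policy (or any other) to cover arbitrary paths, so the `kv/data/vault-config-operator` read grant above it is not a real boundary. If the operator genuinely has to manage policies that is a deliberate trust decision and should be stated in the policy itself, e.g. `# NOTE: write access to sys/policy/* is root-equivalent; only the operator's own SA may hold this role`, and it argues against the role binding that follows, where `bound_service_account_names=vault-config-operator,controller-manager,default` extends the same power to every pod in `${NAMESPACE}` running under the `default` service account. Drop `default` from that list unless a specific workload needs it, and guard the variable with `: "${NAMESPACE:?}"` — an empty value produces a malformed `kubectl get secret -n` call and an empty `bound_service_account_namespaces=`. The file's path is not shown in this section of the page.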

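--- /dev/null
+++ b/scripts/wallabag-vault.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+cat << EOH > wallabag.hcl
+path "kv/data/wallabag" {
+capabilities = ["read"]
+}
+EOH
+vault policy write wallabag wallabag.hcl
+rm wallabag.hcl
+HOST_IP=$(ip addr show eth0 | grep -Po 'inet \K[\d.]+')
+TOKEN="$(kubectl get secret serviceaccounttoken -n wallabag -o go-template='{{ .data.token }}' | base64 -d)"
+vault write auth/${VAULT_AUTH_NAMESPACE}/role/wallabag \
+bound_service_account_names=wallabag \
+bound_service_account_namespaces=wallabag \
+policies=wallabag \
+ttl=24h
+vault write auth/${VAULT_AUTH_NAMESPACE}/login role=wallabag jwt=${TOKEN} iss=https://${HOST_IP}:6443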
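Review bot: The final `vault write auth/.../login` does not use its result: the Vault CLI prints the newly issued `token` (a 24h token carrying the `wallabag` policy) to stdout, so running this script in CI or with output captured leaves a live credential in the log. If the login is only a smoke test that the role and the SA token are accepted, silence the output and rely on the exit status — `vault write auth/"${VAULT_AUTH_NAMESPACE}"/login role=wallabag jwt="${TOKEN}" iss="https://${HOST_IP}:6443" >/dev/null` — and quote the two expansions while there. If the token is meant to be consumed by the caller, `-format=json` piped to the consumer would make that intent explicit. Without `set -e` a failed `vault policy write` or role write is not fatal here, so the login can succeed against a half-configured role.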