From 5a739e62e0e9ffc377c3bb25cecde5ddec5ff093 Mon Sep 17 00:00:00 2001
From: Amarpreet Minhas
Date: Tue, 11 Jul 2023 17:38:32 +0000
Subject: [PATCH] add vault scripts back
---
scripts/chartmuseum-vault.sh | 20 +++++++++++++++++
scripts/miniflux-vault.sh | 20 +++++++++++++++++
scripts/nextcloud-vault.sh | 19 ++++++++++++++++
scripts/photoprism-vault.sh | 20 +++++++++++++++++
scripts/pihole-vault.sh | 18 ++++++++++++++++
scripts/vault-config-operator-vault.sh | 30 ++++++++++++++++++++++++++
scripts/wallabag-vault.sh | 20 +++++++++++++++++
7 files changed, 147 insertions(+)
create mode 100755 scripts/chartmuseum-vault.sh
create mode 100755 scripts/miniflux-vault.sh
create mode 100755 scripts/nextcloud-vault.sh
create mode 100755 scripts/photoprism-vault.sh
create mode 100755 scripts/pihole-vault.sh
create mode 100755 scripts/vault-config-operator-vault.sh
create mode 100755 scripts/wallabag-vault.sh
diff --git a/scripts/chartmuseum-vault.sh b/scripts/chartmuseum-vault.sh
new file mode 100755
index 0000000..b28044c
--- /dev/null
+++ b/scripts/chartmuseum-vault.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+cat << EOH > chartmuseum.hcl
+path "kv/data/chartmuseum" {
+ capabilities = ["read"]
+}
+EOH
+vault policy write chartmuseum chartmuseum.hcl
+rm chartmuseum.hcl
+
+HOST_IP=$(ip addr show eth0 | grep -Po 'inet \K[\d.]+')
+TOKEN="$(kubectl get secret serviceaccounttoken -n chartmuseum -o go-template='{{ .data.token }}' | base64 -d)"
+
+vault write auth/${VAULT_AUTH_NAMESPACE}/role/chartmuseum \
+ bound_service_account_names=chartmuseum \
+ bound_service_account_namespaces=chartmuseum \
+ policies=chartmuseum \
+ ttl=24h
+
+vault write auth/${VAULT_AUTH_NAMESPACE}/login role=chartmuseum jwt=${TOKEN} iss=https://${HOST_IP}:6443
+
diff --git a/scripts/miniflux-vault.sh b/scripts/miniflux-vault.sh
new file mode 100755
index 0000000..c81a431
--- /dev/null
+++ b/scripts/miniflux-vault.sh
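Review bot: The final `vault write auth/.../login` line puts the long-lived service-account JWT on the command line, where it is visible in `ps`, shell history and any `set -x` trace, and a successful login prints a fresh Vault client token to stdout and therefore into whatever terminal or CI log runs this script. That line also passes `iss=`, but the Kubernetes auth login endpoint documents only `role` and `jwt`; the issuer is a mount-level `config` setting, so Vault most likely ignores the field with an "unrecognized parameters" warning and nothing here actually pins the issuer. If the login is only a smoke test, feed the token over stdin and discard the output: `printf '%s' "$TOKEN" | vault write auth/"${VAULT_AUTH_NAMESPACE}"/login role=chartmuseum jwt=- >/dev/null`. Otherwise drop the step and let the workload authenticate itself.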
@@ -0,0 +1,20 @@
+#!/bin/bash
+cat << EOH > miniflux.hcl
+path "kv/data/miniflux" {
+ capabilities = ["read"]
+}
+EOH
+vault policy write miniflux miniflux.hcl
+rm miniflux.hcl
+
+HOST_IP=$(ip addr show eth0 | grep -Po 'inet \K[\d.]+')
+TOKEN="$(kubectl get secret serviceaccounttoken -n miniflux -o go-template='{{ .data.token }}' | base64 -d)"
+
+vault write auth/${VAULT_AUTH_NAMESPACE}/role/miniflux \
+ bound_service_account_names=miniflux \
+ bound_service_account_namespaces=miniflux \
+ policies=miniflux \
+ ttl=24h
+
+vault write auth/${VAULT_AUTH_NAMESPACE}/login role=miniflux jwt=${TOKEN} iss=https://${HOST_IP}:6443
+
diff --git a/scripts/nextcloud-vault.sh b/scripts/nextcloud-vault.sh
new file mode 100755
index 0000000..e285093
--- /dev/null
+++ b/scripts/nextcloud-vault.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+cat << EOH > nextcloud.hcl
+path "kv/data/nextcloud" {
+ capabilities = ["read"]
+}
+EOH
+vault policy write nextcloud nextcloud.hcl
+rm nextcloud.hcl
+HOST_IP=$(ip addr show eth0 | grep -Po 'inet \K[\d.]+')
+TOKEN="$(kubectl get secret serviceaccounttoken -n nextcloud -o go-template='{{ .data.token }}' | base64 -d)"
+
+vault write auth/${VAULT_AUTH_NAMESPACE}/role/nextcloud \
+ bound_service_account_names=nextcloud \
+ bound_service_account_namespaces=nextcloud \
+ policies=nextcloud \
+ ttl=24h
+
+vault write auth/${VAULT_AUTH_NAMESPACE}/login role=nextcloud jwt=${TOKEN} iss=https://${HOST_IP}:6443
+
diff --git a/scripts/photoprism-vault.sh b/scripts/photoprism-vault.sh
new file mode 100755
index 0000000..91d2811
--- /dev/null
+++ b/scripts/photoprism-vault.sh
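Review bot: The script runs without `set -euo pipefail` and never checks `VAULT_AUTH_NAMESPACE`, so with the variable unset the role is written to `auth//role/miniflux`, and a failed `kubectl get secret` leaves `TOKEN` empty while the remaining `vault write` calls still run against a half-configured mount. Add `set -euo pipefail` and `: "${VAULT_AUTH_NAMESPACE:?must name the Kubernetes auth mount}"` directly after the shebang so a misconfiguration stops the script before it writes any policy or role state. The same gap exists in every sibling script in this patch.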
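Review bot: `HOST_IP=$(ip addr show eth0 | grep -Po 'inet \K[\d.]+')` hard-codes the interface name and takes whichever IPv4 address is listed first, and the result is expanded unquoted into `iss=https://${HOST_IP}:6443` on the last line, so on a host without `eth0` the issuer silently becomes `https://:6443`. The address is used for nothing else, and the login endpoint does not appear to accept `iss=` at all (it documents `role` and `jwt`; the issuer belongs to the mount's `config`), so the lookup could probably be removed together with that argument. If it stays, quote the expansion and fail fast with `: "${HOST_IP:?no IPv4 address found on eth0}"` before it is used.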
@@ -0,0 +1,20 @@
+#!/bin/bash
+cat << EOH > photos.hcl
+path "kv/data/photoview" {
+ capabilities = ["read"]
+}
+EOH
+vault policy write photos photos.hcl
+rm photos.hcl
+
+HOST_IP=$(ip addr show eth0 | grep -Po 'inet \K[\d.]+')
+TOKEN="$(kubectl get secret serviceaccounttoken -n photos -o go-template='{{ .data.token }}' | base64 -d)"
+
+vault write auth/${VAULT_AUTH_NAMESPACE}/role/photos \
+ bound_service_account_names=photos \
+ bound_service_account_namespaces=photos \
+ policies=photos \
+ ttl=24h
+
+vault write auth/${VAULT_AUTH_NAMESPACE}/login role=photos jwt=${TOKEN} iss=https://${HOST_IP}:6443
+
diff --git a/scripts/pihole-vault.sh b/scripts/pihole-vault.sh
new file mode 100755
index 0000000..048393d
--- /dev/null
+++ b/scripts/pihole-vault.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+cat << EOH > pihole.hcl
+path "kv/data/pihole" {
+ capabilities = ["read"]
+}
+EOH
+vault policy write pihole pihole.hcl
+rm pihole.hcl
+
+HOST_IP=$(ip addr show eth0 | grep -Po 'inet \K[\d.]+')
+TOKEN="$(kubectl get secret serviceaccounttoken -n external-dns -o go-template='{{ .data.token }}' | base64 -d)"
+
+vault write auth/${VAULT_AUTH_NAMESPACE}/role/external-dns \
+ bound_service_account_names=default,external-dns \
+ bound_service_account_namespaces=external-dns \
+ policies=external-dns \
+ ttl=24h
+
diff --git a/scripts/vault-config-operator-vault.sh b/scripts/vault-config-operator-vault.sh
new file mode 100755
index 0000000..86280f6
--- /dev/null
+++ b/scripts/vault-config-operator-vault.sh
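Review bot: The policy grants read on `kv/data/photoview`, while the policy name, role, namespace and bound service account are all `photos` and the file is `photoprism-vault.sh`; Photoview is a different application, so this reads like a copy-paste leftover. If the PhotoPrism pod asks for `kv/data/photos` (or `kv/data/photoprism`) it will get a 403, and if the secret genuinely lives under `photoview` that deserves a line in the heredoc such as `# PhotoPrism reads its credentials from the shared photoview secret`. Please confirm the intended path and either correct it or document it.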
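Review bot: The script writes a `pihole` policy (read on `kv/data/pihole`) but then creates role `external-dns` with `policies=external-dns`, so the policy written here is attached to nothing and the role points at a policy this patch never defines; the `TOKEN` pulled from the `external-dns` namespace is also never used. `bound_service_account_names=default,external-dns` lets any pod in that namespace that does not set its own service account log in as this role, which is broader than the single-SA binding used by the other scripts; drop `default` unless a specific workload depends on it. If this is meant to be the Pi-hole role, the block should read `role/pihole`, `bound_service_account_names=pihole`, `policies=pihole`; if it really is for external-dns, rename the policy and the file to match.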
@@ -0,0 +1,30 @@
+#!/bin/bash
+cat << EOH > vault-config-operator.hcl
+path "kv/data/vault-config-operator" {
+ capabilities = ["read"]
+}
+
+# List existing policies
+path "sys/policy"
+{
+ capabilities = ["list"]
+}
+path "sys/policy/*"
+{
+ capabilities = ["create", "read", "update", "delete", "list"]
+}
+EOH
+vault policy write vault-config-operator vault-config-operator.hcl
+rm vault-config-operator.hcl
+
+HOST_IP=$(ip addr show eth0 | grep -Po 'inet \K[\d.]+')
+TOKEN="$(kubectl get secret serviceaccounttoken -n ${NAMESPACE} -o go-template='{{ .data.token }}' | base64 -d)"
+
+vault write auth/${VAULT_AUTH_NAMESPACE}/role/vault-config-operator \
+ bound_service_account_names=vault-config-operator,controller-manager,default \
+ bound_service_account_namespaces=${NAMESPACE} \
+ policies=vault-config-operator \
+ ttl=24h
+
+vault write auth/${VAULT_AUTH_NAMESPACE}/login role=vault-config-operator jwt=${TOKEN} iss=https://${HOST_IP}:6443
+
diff --git a/scripts/wallabag-vault.sh b/scripts/wallabag-vault.sh
new file mode 100755
index 0000000..b50ee75
--- /dev/null
+++ b/scripts/wallabag-vault.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+cat << EOH > wallabag.hcl
+path "kv/data/wallabag" {
+ capabilities = ["read"]
+}
+EOH
+vault policy write wallabag wallabag.hcl
+rm wallabag.hcl
+
+HOST_IP=$(ip addr show eth0 | grep -Po 'inet \K[\d.]+')
+TOKEN="$(kubectl get secret serviceaccounttoken -n wallabag -o go-template='{{ .data.token }}' | base64 -d)"
+
+vault write auth/${VAULT_AUTH_NAMESPACE}/role/wallabag \
+ bound_service_account_names=wallabag \
+ bound_service_account_namespaces=wallabag \
+ policies=wallabag \
+ ttl=24h
+
+vault write auth/${VAULT_AUTH_NAMESPACE}/login role=wallabag jwt=${TOKEN} iss=https://${HOST_IP}:6443
+
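Review bot: The `sys/policy/*` block with create/update/delete lets this role rewrite any ACL policy, including its own `vault-config-operator` policy, so a token from it can grant itself `path "*"` and is effectively a Vault administrator; binding that role to the `default` service account (and `controller-manager`) in `${NAMESPACE}` hands that power to any pod in the namespace that does not set its own service account. At minimum bind only the operator's own SA and add explicit `deny` rules on the policy names this role must never touch, starting with its own — an exact-path deny is more specific than the glob and wins. `sys/policy` is also the legacy endpoint; if the operator writes through `sys/policies/acl` this policy will not cover it, so confirm which path it uses. `${NAMESPACE}` is used unchecked; `: "${NAMESPACE:?}"` before the `kubectl` line would catch a missing value before the role write fails confusingly.

```shell
# … unchanged: kv/data read block, sys/policy list and sys/policy/* blocks …
# Explicit denies take precedence over the glob above: the role must never
# be able to rewrite the policy that grants it these rights.
path "sys/policy/vault-config-operator"
{
  capabilities = ["deny"]
}
path "sys/policies/acl/vault-config-operator"
{
  capabilities = ["deny"]
}
EOH
# … unchanged: vault policy write, rm, HOST_IP, TOKEN …
vault write auth/${VAULT_AUTH_NAMESPACE}/role/vault-config-operator \
  bound_service_account_names=vault-config-operator \
# … unchanged: bound_service_account_namespaces, policies, ttl …
```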
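Review bot: `cat << EOH > wallabag.hcl` followed by `rm wallabag.hcl` routes the policy through a predictable file in the current directory, which fails in a read-only checkout and leaves the file behind if `vault policy write` aborts, since the script has no `set -e` or `trap`. `vault policy write` accepts `-` to read the policy from stdin, so the heredoc can be piped straight in: `vault policy write wallabag - <<'EOH'` ... `EOH`, dropping both the `> wallabag.hcl` redirect and the `rm`. Quoting the delimiter also makes it explicit that the HCL body is not meant to undergo shell expansion.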