add vault scripts back
This commit is contained in:
parent
1dd80c317a
commit
5a739e62e0
7 changed files with 147 additions and 0 deletions
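--- a/scripts/chartmuseum-vault.sh
+++ b/scripts/chartmuseum-vault.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+cat << EOH > chartmuseum.hcl
+path "kv/data/chartmuseum" {
+capabilities = ["read"]
+}
+EOH
+vault policy write chartmuseum chartmuseum.hcl
+rm chartmuseum.hcl
+
+HOST_IP=$(ip addr show eth0 | grep -Po 'inet \K[\d.]+')
+TOKEN="$(kubectl get secret serviceaccounttoken -n chartmuseum -o go-template='{{ .data.token }}' | base64 -d)"
+
+vault write auth/${VAULT_AUTH_NAMESPACE}/role/chartmuseum \
+bound_service_account_names=chartmuseum \
+bound_service_account_namespaces=chartmuseum \
+policies=chartmuseum \
+ttl=24h
+
+vault write auth/${VAULT_AUTH_NAMESPACE}/login role=chartmuseum jwt=${TOKEN} iss=https://${HOST_IP}:6443
+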
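Review bot: Nothing stops the script when `kubectl get secret` fails: without strict mode `TOKEN` is left empty and both `vault write` calls still run, the last one with an empty `jwt=`, and `VAULT_AUTH_NAMESPACE` is used unchecked so an unset value silently produces the path `auth//role/chartmuseum`. Add `set -euo pipefail` and `: "${VAULT_AUTH_NAMESPACE:?must be set}"` directly after the shebang. The service-account JWT is also passed on the command line of the login call, where it is visible to other users via `ps` while the command runs; `vault write` reads a value from stdin when it is given `-`, so `printf '%s' "$TOKEN" | vault write "auth/${VAULT_AUTH_NAMESPACE}/login" role=chartmuseum jwt=-` keeps it off argv. That login call prints the issued Vault client token to stdout; if it is only meant to verify the role, redirect its output to /dev/null so the token does not end up in the terminal scrollback or a CI log. The same applies to miniflux-vault.sh, nextcloud-vault.sh, photoprism-vault.sh, vault-config-operator-vault.sh and wallabag-vault.sh in this commit (pihole-vault.sh shares everything but the login line).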
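--- a/scripts/miniflux-vault.sh
+++ b/scripts/miniflux-vault.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+cat << EOH > miniflux.hcl
+path "kv/data/miniflux" {
+capabilities = ["read"]
+}
+EOH
+vault policy write miniflux miniflux.hcl
+rm miniflux.hcl
+
+HOST_IP=$(ip addr show eth0 | grep -Po 'inet \K[\d.]+')
+TOKEN="$(kubectl get secret serviceaccounttoken -n miniflux -o go-template='{{ .data.token }}' | base64 -d)"
+
+vault write auth/${VAULT_AUTH_NAMESPACE}/role/miniflux \
+bound_service_account_names=miniflux \
+bound_service_account_namespaces=miniflux \
+policies=miniflux \
+ttl=24h
+
+vault write auth/${VAULT_AUTH_NAMESPACE}/login role=miniflux jwt=${TOKEN} iss=https://${HOST_IP}:6443
+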
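--- a/scripts/nextcloud-vault.sh
+++ b/scripts/nextcloud-vault.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+cat << EOH > nextcloud.hcl
+path "kv/data/nextcloud" {
+capabilities = ["read"]
+}
+EOH
+vault policy write nextcloud nextcloud.hcl
+rm nextcloud.hcl
+HOST_IP=$(ip addr show eth0 | grep -Po 'inet \K[\d.]+')
+TOKEN="$(kubectl get secret serviceaccounttoken -n nextcloud -o go-template='{{ .data.token }}' | base64 -d)"
+
+vault write auth/${VAULT_AUTH_NAMESPACE}/role/nextcloud \
+bound_service_account_names=nextcloud \
+bound_service_account_namespaces=nextcloud \
+policies=nextcloud \
+ttl=24h
+
+vault write auth/${VAULT_AUTH_NAMESPACE}/login role=nextcloud jwt=${TOKEN} iss=https://${HOST_IP}:6443
+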
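--- a/scripts/photoprism-vault.sh
+++ b/scripts/photoprism-vault.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+cat << EOH > photos.hcl
+path "kv/data/photoview" {
+capabilities = ["read"]
+}
+EOH
+vault policy write photos photos.hcl
+rm photos.hcl
+
+HOST_IP=$(ip addr show eth0 | grep -Po 'inet \K[\d.]+')
+TOKEN="$(kubectl get secret serviceaccounttoken -n photos -o go-template='{{ .data.token }}' | base64 -d)"
+
+vault write auth/${VAULT_AUTH_NAMESPACE}/role/photos \
+bound_service_account_names=photos \
+bound_service_account_namespaces=photos \
+policies=photos \
+ttl=24h
+
+vault write auth/${VAULT_AUTH_NAMESPACE}/login role=photos jwt=${TOKEN} iss=https://${HOST_IP}:6443
+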
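Review bot: The `path` line in the heredoc grants read on `kv/data/photoview`, while the policy name, role, service account and namespace are all `photos` and the file is named photoprism-vault.sh. If the application's secret actually lives under `kv/data/photos`, tokens issued through this role cannot read it; if `photoview` is the intended location, that is worth a comment inside the heredoc such as `# KV path intentionally differs from the app name: <reason>`. This is inferred from naming only and should be confirmed against the real KV path.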
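--- a/scripts/pihole-vault.sh
+++ b/scripts/pihole-vault.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+cat << EOH > pihole.hcl
+path "kv/data/pihole" {
+capabilities = ["read"]
+}
+EOH
+vault policy write pihole pihole.hcl
+rm pihole.hcl
+
+HOST_IP=$(ip addr show eth0 | grep -Po 'inet \K[\d.]+')
+TOKEN="$(kubectl get secret serviceaccounttoken -n external-dns -o go-template='{{ .data.token }}' | base64 -d)"
+
+vault write auth/${VAULT_AUTH_NAMESPACE}/role/external-dns \
+bound_service_account_names=default,external-dns \
+bound_service_account_namespaces=external-dns \
+policies=external-dns \
+ttl=24h
+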
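Review bot: The policy written by `vault policy write pihole pihole.hcl` is named `pihole`, but the role created a few lines later grants `policies=external-dns`, a policy this script never creates, so unless it is defined elsewhere the tokens issued through this role carry no usable permissions for `kv/data/pihole`. Either write the policy as `external-dns` or change the role to `policies=pihole`, whichever matches the consumer of that secret. The role also binds `default,external-dns`; including the `default` service account lets every pod in the `external-dns` namespace that omits a serviceAccountName authenticate, so unless that is required, `bound_service_account_names=external-dns` is the least-privilege binding. Whether the missing login line at the end (present in the sibling scripts) is intentional is not clear from the hunk.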
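--- a/scripts/vault-config-operator-vault.sh
+++ b/scripts/vault-config-operator-vault.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+cat << EOH > vault-config-operator.hcl
+path "kv/data/vault-config-operator" {
+capabilities = ["read"]
+}
+
+# List existing policies
+path "sys/policy"
+{
+capabilities = ["list"]
+}
+path "sys/policy/*"
+{
+capabilities = ["create", "read", "update", "delete", "list"]
+}
+EOH
+vault policy write vault-config-operator vault-config-operator.hcl
+rm vault-config-operator.hcl
+
+HOST_IP=$(ip addr show eth0 | grep -Po 'inet \K[\d.]+')
+TOKEN="$(kubectl get secret serviceaccounttoken -n ${NAMESPACE} -o go-template='{{ .data.token }}' | base64 -d)"
+
+vault write auth/${VAULT_AUTH_NAMESPACE}/role/vault-config-operator \
+bound_service_account_names=vault-config-operator,controller-manager,default \
+bound_service_account_namespaces=${NAMESPACE} \
+policies=vault-config-operator \
+ttl=24h
+
+vault write auth/${VAULT_AUTH_NAMESPACE}/login role=vault-config-operator jwt=${TOKEN} iss=https://${HOST_IP}:6443
+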
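Review bot: `NAMESPACE` is read unchecked on the `kubectl get secret` line and again in `bound_service_account_namespaces=${NAMESPACE}`; if it is unset, the unquoted `-n ${NAMESPACE}` collapses so that `-o` is taken as the namespace argument, `TOKEN` ends up empty, and the role is created with an empty namespace binding. A guard near the top, `: "${NAMESPACE:?must be set}"`, turns that into an explicit failure, and the two expansions should be quoted (`-n "${NAMESPACE}"`, `bound_service_account_namespaces="${NAMESPACE}"`). The role also binds the `default` service account alongside the operator's own accounts, so any pod in that namespace without an explicit serviceAccountName can obtain a token with create/update/delete on `sys/policy/*`, which includes rewriting this very policy; if only the operator needs it, drop `default` from `bound_service_account_names`.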
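--- a/scripts/wallabag-vault.sh
+++ b/scripts/wallabag-vault.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+cat << EOH > wallabag.hcl
+path "kv/data/wallabag" {
+capabilities = ["read"]
+}
+EOH
+vault policy write wallabag wallabag.hcl
+rm wallabag.hcl
+
+HOST_IP=$(ip addr show eth0 | grep -Po 'inet \K[\d.]+')
+TOKEN="$(kubectl get secret serviceaccounttoken -n wallabag -o go-template='{{ .data.token }}' | base64 -d)"
+
+vault write auth/${VAULT_AUTH_NAMESPACE}/role/wallabag \
+bound_service_account_names=wallabag \
+bound_service_account_namespaces=wallabag \
+policies=wallabag \
+ttl=24h
+
+vault write auth/${VAULT_AUTH_NAMESPACE}/login role=wallabag jwt=${TOKEN} iss=https://${HOST_IP}:6443
+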