#!/bin/bash
VAULT_AUTH_NAMESPACE="k8s-teapot"
cat << EOH > longhorn.hcl
path "kv/data/longhorn" {
  capabilities = ["read"]
}
EOH
vault policy write longhorn longhorn.hcl
rm longhorn.hcl
HOST_IP=$(ip addr show eth0 | grep -Po 'inet \K[\d.]+')
TOKEN="$(kubectl get secret serviceaccounttoken -n longhorn-system -o go-template='{{ .data.token }}' | base64 -d)"

vault write auth/${VAULT_AUTH_NAMESPACE}/role/longhorn \
    bound_service_account_names=longhorn \
    bound_service_account_namespaces=longhorn-system \
    policies=longhorn \
    ttl=24h

vault write auth/${VAULT_AUTH_NAMESPACE}/login role=longhorn jwt=${TOKEN} iss=https://${HOST_IP}:6443