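apiVersion: batch/v1
kind: Job
metadata:
  name: vault-bootstrap
  namespace: dev-tools
  annotations:
    # Argo CD runs this Job after every successful sync; the previous hook Job
    # is deleted before a new one is created, so each sync re-runs bootstrap.
    argocd.argoproj.io/hook: PostSync
    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
    argocd.argoproj.io/sync-wave: "1"
spec:
  template:
    spec:
      # The projected token of this ServiceAccount is handed to Vault as
      # token_reviewer_jwt below, so SA token automount must stay enabled.
      serviceAccountName: vault-auth
      restartPolicy: OnFailure
      securityContext:
        runAsNonRoot: true
        runAsUser: 100
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: bootstrap
          image: hashicorp/vault:1.15
          envFrom:
            - secretRef:
                # Provides VAULT_ADDR + VAULT_TOKEN (admin). The script only
                # touches sys/mounts, sys/policies, sys/auth and
                # auth/kubernetes/*; prefer a token scoped to those paths.
                name: vault-admin
          volumeMounts:
            - name: bootstrap-config
              mountPath: /config # holds the `mounts` and `roles` files
            - name: policies
              mountPath: /policies # every *.hcl becomes a policy
          securityContext:
            # The vault CLI is a plain HTTP client; it needs no capabilities.
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          command: ["/bin/sh", "-c"]
          args:
            - |
              # Idempotent Vault bootstrap: secret mounts, policies, kubernetes
              # auth backend and its roles. Input formats:
              #   /config/mounts  one "<path>:<kv1|kv2>" per line
              #   /config/roles   one "<role>:<sa>:<namespace>:<policies>:<ttl>" per line
              set -eu

              echo "== Ensure mounts =="
              while IFS= read -r line; do
                [ -z "$line" ] && continue
                PATH_NAME="${line%%:*}"
                TYPE="${line##*:}"
                # Capture the listing first: a failing `vault secrets list`
                # (unreachable VAULT_ADDR, bad VAULT_TOKEN) must abort via
                # set -e instead of being hidden behind grep's status in a pipe.
                EXISTING="$(vault secrets list -format=json)"
                if printf '%s\n' "$EXISTING" | grep -q "\"${PATH_NAME}/\""; then
                  echo "Mount exists: ${PATH_NAME}/"
                  continue
                fi
                case "$TYPE" in
                  kv2) vault secrets enable -path="${PATH_NAME}" -version=2 kv ;;
                  kv1) vault secrets enable -path="${PATH_NAME}" kv ;;
                  *) echo "Unknown type '$TYPE' for ${PATH_NAME}" >&2; exit 1 ;;
                esac
              done < /config/mounts

              echo "== Write/Update policies =="
              for f in /policies/*.hcl; do
                [ -f "$f" ] || continue   # an unmatched glob stays literal
                NAME="$(basename "$f" .hcl)"
                vault policy write "$NAME" "$f"
              done

              echo "== Enable & configure kubernetes auth =="
              AUTHS="$(vault auth list -format=json)"
              if ! printf '%s\n' "$AUTHS" | grep -q '"kubernetes/"'; then
                vault auth enable -path=kubernetes kubernetes
              fi
              SA_DIR=/var/run/secrets/kubernetes.io/serviceaccount
              TOKEN_REVIEWER_JWT="$(cat "$SA_DIR/token")"
              # KUBERNETES_SERVICE_HOST/PORT are injected by the kubelet for
              # every pod; the *_PORT_443_TCP_ADDR service-link variables are
              # not present when enableServiceLinks is false.
              KUBE_HOST="https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}"
              CA_CERT="$SA_DIR/ca.crt"
              vault write auth/kubernetes/config \
                token_reviewer_jwt="$TOKEN_REVIEWER_JWT" \
                kubernetes_host="$KUBE_HOST" \
                kubernetes_ca_cert=@"$CA_CERT"

              echo "== Create/Update roles =="
              while IFS= read -r line; do
                [ -z "$line" ] && continue
                # Require all five fields: with fewer colons the "${REST#*:}"
                # strip below is a no-op and TTL silently repeats POLICIES.
                case "$line" in
                  *:*:*:*:*) ;;
                  *) echo "Malformed role line '${line}': expected role:sa:namespace:policies:ttl" >&2; exit 1 ;;
                esac
                ROLENAME="${line%%:*}"; REST="${line#*:}"
                SA="${REST%%:*}"; REST="${REST#*:}"
                NS="${REST%%:*}"; REST="${REST#*:}"
                POLICIES="${REST%%:*}"; TTL="${REST#*:}"
                vault write "auth/kubernetes/role/${ROLENAME}" \
                  bound_service_account_names="$SA" \
                  bound_service_account_namespaces="$NS" \
                  policies="$POLICIES" \
                  ttl="$TTL"
              done < /config/roles
      volumes:
        - name: bootstrap-config
          configMap:
            name: vault-bootstrap-config
        - name: policies
          configMap:
            name: vault-policies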