vault migration
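--- a/scripts/seed-vault-from-cluster.sh
+++ b/scripts/seed-vault-from-cluster.sh
@@ -0,0 +1,85 @@
+#!/usr/bin/env bash
+# seed-vault-from-cluster.sh — Read existing K8s Secrets and write to Vault KV
+#
+# Prerequisites:
+# - vault CLI authenticated (VAULT_ADDR + VAULT_TOKEN set)
+# - kubectl access to the cluster
+# - KV v2 engine at kv/
+#
+# Usage: ./scripts/seed-vault-from-cluster.sh
+#
+# This reads plaintext values from existing K8s Secrets and writes them
+# to Vault KV v2 at kv/{namespace}/{secret-name}.
+
+set -euo pipefail
+
+echo "=== Seeding Vault KV from existing K8s Secrets ==="
+echo ""
+
+# Helper: read a K8s secret and write all keys to Vault KV
+seed_secret() {
+local ns="$1"
+local secret_name="$2"
+local vault_path="kv/${ns}/${secret_name}"
+
+echo "--- ${ns}/${secret_name} → ${vault_path} ---"
+
+# Get all keys from the secret
+local keys
+keys=$(kubectl get secret "${secret_name}" -n "${ns}" -o json 2>/dev/null | \
+jq -r '.data // {} | keys[]' 2>/dev/null) || {
+echo " SKIP: secret not found in cluster"
+echo ""
+return
+}
+
+if [ -z "${keys}" ]; then
+echo " SKIP: no data keys"
+echo ""
+return
+fi
+
+# Build vault kv put arguments
+local args=()
+for key in ${keys}; do
+local value
+value=$(kubectl get secret "${secret_name}" -n "${ns}" -o jsonpath="{.data.${key}}" | base64 -d)
+args+=("${key}=${value}")
+done
+
+vault kv put "${vault_path}" "${args[@]}"
+echo " OK: $(echo "${keys}" | wc -w | tr -d ' ') keys written"
+echo ""
+}
+
+# --- Homepage ---
+seed_secret homepage homepage-widget-credentials
+
+# --- Renovate ---
+seed_secret renovate renovate-env
+
+# --- Gitea ---
+seed_secret gitea gitea-credentials
+seed_secret gitea gitea-backup-s3
+seed_secret gitea gitea-smtp-secret
+seed_secret gitea gitea-runner-token
+
+# --- Keycloak ---
+seed_secret keycloak keycloak-credentials
+seed_secret keycloak microsoft-idp-credentials
+
+# --- ArgoCD ---
+seed_secret argocd forte-helm-repo
+seed_secret argocd forte10x-repo-creds
+seed_secret argocd mcp10x-repo-creds
+seed_secret argocd argocd-notifications-secret
+
+# --- Application secrets ---
+seed_secret mcp10x app-credentials
+seed_secret ts-mcp ts-mcp-secrets
+seed_secret argocd-mcp auth-oidc
+seed_secret argocd-mcp argocd-mcp-credentials
+seed_secret dot-ai dot-ai-secrets
+seed_secret music-man musicman-credentials
+
+echo "=== Done. Verify with: vault kv list kv/{namespace} ==="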
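Review bot: Every decoded secret value is placed on the `vault kv put` command line as `key=value` (the `args+=("${key}=${value}")` loop and the `vault kv put "${vault_path}" "${args[@]}"` call), so plaintext credentials are visible to any local user via `ps`, and to `set -x` or audit traces, for the lifetime of the call; the vault CLI also treats a value beginning with `@` as a file reference, and `$(… | base64 -d)` strips trailing newlines from multi-line values such as PEM keys. The per-key `jsonpath="{.data.${key}}"` lookup additionally misreads Secret keys containing a dot (`tls.crt`, `config.yaml`) as nested paths. Both are avoided by decoding the whole `.data` map with jq and handing it to vault as JSON on stdin, replacing the for-loop and the put as below; jq's `@base64d` assumes UTF-8 text, so a Secret holding binary data would still need separate treatment. The `2>/dev/null` on the first kubectl call also turns auth or connectivity failures into a misleading `SKIP: secret not found in cluster` message, so consider only silencing jq or logging kubectl's stderr.
```shell
# … unchanged: secret lookup, SKIP branches …
# Decode the whole .data map and pass it to vault as JSON on stdin, so no
# plaintext value appears in argv and keys/values are not re-parsed by the
# shell or the vault CLI (dotted keys, leading '@', embedded newlines).
kubectl get secret "${secret_name}" -n "${ns}" -o json \
  | jq '.data // {} | map_values(@base64d)' \
  | vault kv put "${vault_path}" -
echo " OK: $(echo "${keys}" | wc -w | tr -d ' ') keys written"
```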
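--- a/scripts/vault-setup-policies.sh
+++ b/scripts/vault-setup-policies.sh
@@ -0,0 +1,81 @@
+#!/usr/bin/env bash
+# vault-setup-policies.sh — Create Vault policies + Kubernetes auth roles for VSO
+#
+# Prerequisites:
+# - vault CLI authenticated (VAULT_ADDR + VAULT_TOKEN set)
+# - Kubernetes auth method enabled at auth/kubernetes/
+# - KV v2 secrets engine at kv/
+#
+# Usage: ./scripts/vault-setup-policies.sh
+
+set -euo pipefail
+
+echo "=== Vault Secrets Operator — Policy & Auth Role Setup ==="
+echo ""
+
+# All namespaces that have secrets to migrate
+NAMESPACES=(
+argocd
+gitea
+keycloak
+renovate
+homepage
+argocd-mcp
+mcp10x
+ts-mcp
+dot-ai
+music-man
+vault-secrets-operator-system
+)
+
+# --- Per-namespace policies and auth roles ---
+
+for NS in "${NAMESPACES[@]}"; do
+echo "--- Namespace: ${NS} ---"
+
+# Create read-only policy for this namespace's secrets
+echo " Creating policy: ns-${NS}"
+vault policy write "ns-${NS}" - <<EOF
+path "kv/data/${NS}/*" {
+capabilities = ["read"]
+}
+path "kv/metadata/${NS}/*" {
+capabilities = ["read", "list"]
+}
+EOF
+
+# Create Kubernetes auth role bound to namespace-specific ServiceAccount
+echo " Creating auth role: ns-${NS}"
+vault write "auth/kubernetes/role/ns-${NS}" \
+bound_service_account_names="vault-auth-${NS}" \
+bound_service_account_namespaces="${NS}" \
+policies="ns-${NS}" \
+audience="vault" \
+ttl="1h"
+
+echo ""
+done
+
+# --- VSO operator role (broad read for default auth method) ---
+
+echo "--- VSO Operator Role ---"
+echo " Creating policy: vso-operator"
+vault policy write vso-operator - <<EOF
+path "kv/data/*" {
+capabilities = ["read"]
+}
+path "kv/metadata/*" {
+capabilities = ["read", "list"]
+}
+EOF
+
+echo " Creating auth role: vso-operator"
+vault write auth/kubernetes/role/vso-operator \
+bound_service_account_names="vault-secrets-operator" \
+bound_service_account_namespaces="vault-secrets-operator-system" \
+policies="vso-operator" \
+audience="vault" \
+ttl="1h"
+
+echo ""
+echo "=== Done. All ${#NAMESPACES[@]} namespace policies + auth roles created. ==="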
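Review bot: The `vso-operator` policy grants `read` on `kv/data/*` and `list` on `kv/metadata/*`, so the operator's ServiceAccount can read every namespace's secrets, which undoes the isolation the per-namespace `ns-${NS}` policies in the loop above establish; if VSO is meant to authenticate with the per-namespace `vault-auth-${NS}` accounts this role is not needed, and if it is kept the reason should be recorded next to it, e.g. `# NOTE: vso-operator can read every kv/ path — used only by the default VaultAuth; per-app VaultAuth objects must use the ns-<namespace> roles`. Both `vault write auth/kubernetes/role/...` calls pass `policies=`, which Vault documents as deprecated in favour of `token_policies=`; the same one-word change applies to the loop's role and to the operator role. The header comment `# - Kubernetes auth method enabled at auth/kubernetes/` states a prerequisite the script never checks, so a missing or unconfigured mount surfaces only as a failed `vault write` midway through the loop, leaving policies created without roles; a guard before the loop such as `vault read auth/kubernetes/config >/dev/null || { echo "auth/kubernetes is not configured" >&2; exit 1; }` fails fast instead.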