vault migration
81
scripts/vault-setup-policies.sh
Normal file
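--- /dev/null
+++ b/scripts/vault-setup-policies.sh
@@ -0,0 +1,81 @@
+#!/usr/bin/env bash
+# vault-setup-policies.sh — Create Vault policies + Kubernetes auth roles for VSO
+#
+# Prerequisites:
+# - vault CLI authenticated (VAULT_ADDR + VAULT_TOKEN set)
+# - Kubernetes auth method enabled at auth/kubernetes/
+# - KV v2 secrets engine at kv/
+#
+# Usage: ./scripts/vault-setup-policies.sh
+
+set -euo pipefail
+
+echo "=== Vault Secrets Operator — Policy & Auth Role Setup ==="
+echo ""
+
+# All namespaces that have secrets to migrate
+NAMESPACES=(
+argocd
+gitea
+keycloak
+renovate
+homepage
+argocd-mcp
+mcp10x
+ts-mcp
+dot-ai
+music-man
+vault-secrets-operator-system
+)
+
+# --- Per-namespace policies and auth roles ---
+
+for NS in "${NAMESPACES[@]}"; do
+echo "--- Namespace: ${NS} ---"
+
+# Create read-only policy for this namespace's secrets
+echo " Creating policy: ns-${NS}"
+vault policy write "ns-${NS}" - <<EOF
+path "kv/data/${NS}/*" {
+capabilities = ["read"]
+}
+path "kv/metadata/${NS}/*" {
+capabilities = ["read", "list"]
+}
+EOF
+
+# Create Kubernetes auth role bound to namespace-specific ServiceAccount
+echo " Creating auth role: ns-${NS}"
+vault write "auth/kubernetes/role/ns-${NS}" \
+bound_service_account_names="vault-auth-${NS}" \
+bound_service_account_namespaces="${NS}" \
+policies="ns-${NS}" \
+audience="vault" \
+ttl="1h"
+
+echo ""
+done
+
+# --- VSO operator role (broad read for default auth method) ---
+
+echo "--- VSO Operator Role ---"
+echo " Creating policy: vso-operator"
+vault policy write vso-operator - <<EOF
+path "kv/data/*" {
+capabilities = ["read"]
+}
+path "kv/metadata/*" {
+capabilities = ["read", "list"]
+}
+EOF
+
+echo " Creating auth role: vso-operator"
+vault write auth/kubernetes/role/vso-operator \
+bound_service_account_names="vault-secrets-operator" \
+bound_service_account_namespaces="vault-secrets-operator-system" \
+policies="vso-operator" \
+audience="vault" \
+ttl="1h"
+
+echo ""
+echo "=== Done. All ${#NAMESPACES[@]} namespace policies + auth roles created. ==="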
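Review bot: The `vso-operator` policy written at `vault policy write vso-operator - <<EOF` grants `read` on `kv/data/*` and `read`/`list` on `kv/metadata/*`, so the `vault-secrets-operator` ServiceAccount can read every namespace's secrets and the per-namespace `ns-${NS}` policies created in the loop above only bind workloads that use a namespace-specific auth role; anything that falls back to the operator's default auth (as the section comment suggests is the intent) is not constrained by them. Either narrow that policy to the paths the operator itself needs, or extend the `# --- VSO operator role` comment to state why tenant-wide read is required and when it is to be removed after the migration. The script also acts on the prerequisites listed in its header without checking them; adding `: "${VAULT_ADDR:?VAULT_ADDR must be set}" "${VAULT_TOKEN:?VAULT_TOKEN must be set}"` and `vault token lookup >/dev/null 2>&1 || { echo "vault CLI is not authenticated" >&2; exit 1; }` after `set -euo pipefail` would fail fast instead of stopping partway through with some policies already written. Re-running the script is idempotent since `vault policy write` and `vault write` overwrite, but that is worth stating in the header as well.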