#!/usr/bin/env bash
# vault-setup-policies.sh — Create Vault policies + Kubernetes auth roles for VSO
#
# Prerequisites:
#   - vault CLI authenticated (VAULT_ADDR + VAULT_TOKEN set)
#   - Kubernetes auth method enabled at auth/kubernetes/
#   - KV v2 secrets engine at kv/
#
# Usage: ./scripts/vault-setup-policies.sh

set -euo pipefail

echo "=== Vault Secrets Operator — Policy & Auth Role Setup ==="
echo ""

# All namespaces that have secrets to migrate
NAMESPACES=(
  argocd
  gitea
  keycloak
  renovate
  homepage
  argocd-mcp
  mcp10x
  ts-mcp
  dot-ai
  music-man
  vault-secrets-operator-system
)

# --- Per-namespace policies and auth roles ---

for NS in "${NAMESPACES[@]}"; do
  echo "--- Namespace: ${NS} ---"

  # Create read-only policy for this namespace's secrets
  echo "  Creating policy: ns-${NS}"
  vault policy write "ns-${NS}" - <<EOF
path "kv/data/${NS}/*" {
  capabilities = ["read"]
}
path "kv/metadata/${NS}/*" {
  capabilities = ["read", "list"]
}
EOF

  # Create Kubernetes auth role bound to namespace-specific ServiceAccount
  echo "  Creating auth role: ns-${NS}"
  vault write "auth/kubernetes/role/ns-${NS}" \
    bound_service_account_names="vault-auth-${NS}" \
    bound_service_account_namespaces="${NS}" \
    policies="ns-${NS}" \
    audience="vault" \
    ttl="1h"

  echo ""
done

# --- VSO operator role (broad read for default auth method) ---

echo "--- VSO Operator Role ---"
echo "  Creating policy: vso-operator"
vault policy write vso-operator - <<EOF
path "kv/data/*" {
  capabilities = ["read"]
}
path "kv/metadata/*" {
  capabilities = ["read", "list"]
}
EOF

echo "  Creating auth role: vso-operator"
vault write auth/kubernetes/role/vso-operator \
  bound_service_account_names="vault-secrets-operator" \
  bound_service_account_namespaces="vault-secrets-operator-system" \
  policies="vso-operator" \
  audience="vault" \
  ttl="1h"

echo ""
echo "=== Done. All ${#NAMESPACES[@]} namespace policies + auth roles created. ==="