Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: f2dd729e55
Branches Tags
helm-externa...
/
e2e
/
k8s
/
vault-config
/
configure-vault.sh

configure-vault.sh 2.3 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485 
  1. #!/bin/sh
    2. 

  2. set -euxo pipefail;
    3. 

  3. 

  4. export VAULT_TOKEN=${1}
    5. 

  5. 

  6. # ------------------
    7. 

  7. #   SECRET BACKENDS
    8. 

  8. # ------------------
    9. 

  9. vault secrets enable -path=secret -version=2 kv
    10. 

  10. vault secrets enable -path=secret_v1 -version=1 kv
    11. 

  11. 

  12. # ------------------
    13. 

  13. #   CERT AUTH
    14. 

  14. #   https://www.vaultproject.io/docs/auth/cert
    15. 

  15. # ------------------
    16. 

  16. vault auth enable cert
    17. 

  17. vault policy write \
    18. 

  18.     external-secrets-operator \
    19. 

  19.     /etc/vault-config/vault-policy-es.hcl
    20. 

  20. 

  21. vault write auth/cert/certs/external-secrets-operator \
    22. 

  22.     display_name=external-secrets-operator \
    23. 

  23.     policies=external-secrets-operator \
    24. 

  24.     certificate=@/etc/vault-config/es-client.pem \
    25. 

  25.     ttl=3600
    26. 

  26. 

  27. # test certificate login
    28. 

  28. unset VAULT_TOKEN
    29. 

  29. vault login \
    30. 

  30.     -client-cert=/etc/vault-config/es-client.pem \
    31. 

  31.     -client-key=/etc/vault-config/es-client-key.pem \
    32. 

  32.     -method=cert \
    33. 

  33.     name=external-secrets-operator
    34. 

  34. 

  35. vault kv put secret/foo/bar baz=bang
    36. 

  36. vault kv get secret/foo/bar
    37. 

  37. 

  38. # ------------------
    39. 

  39. #   App Role AUTH
    40. 

  40. #   https://www.vaultproject.io/docs/auth/approle
    41. 

  41. # ------------------
    42. 

  42. export VAULT_TOKEN=${1}
    43. 

  43. vault auth enable -path=myapprole approle
    44. 

  44. 

  45. vault write auth/myapprole/role/eso-e2e-role \
    46. 

  46.     secret_id_ttl=10m \
    47. 

  47.     token_num_uses=10 \
    48. 

  48.     token_policies=external-secrets-operator \
    49. 

  49.     token_ttl=1h \
    50. 

  50.     token_max_ttl=4h \
    51. 

  51.     secret_id_num_uses=40
    52. 

  52. 

  53. # ------------------
    54. 

  54. #   App Role AUTH
    55. 

  55. #   https://www.vaultproject.io/docs/auth/jwt
    56. 

  56. # ------------------
    57. 

  57. vault auth enable jwt
    58. 

  58. 

  59. vault write auth/jwt/config \
    60. 

  60.    jwt_validation_pubkeys=@/etc/vault-config/jwt-pubkey.pem \
    61. 

  61.    bound_issuer="example.iss" \
    62. 

  62.    default_role="external-secrets-operator"
    63. 

  63. 

  64. vault write auth/jwt/role/external-secrets-operator \
    65. 

  65.     role_type="jwt" \
    66. 

  66.     bound_subject="vault@example" \
    67. 

  67.     bound_audiences="vault.client" \
    68. 

  68.     user_claim="user" \
    69. 

  69.     policies=external-secrets-operator \
    70. 

  70.     ttl=1h
    71. 

  71. 

  72. # ------------------
    73. 

  73. #   Kubernetes AUTH
    74. 

  74. #   https://www.vaultproject.io/docs/auth/kubernetes
    75. 

  75. # ------------------
    76. 

  76. vault auth enable -path=mykubernetes kubernetes
    77. 

  77. vault write auth/mykubernetes/config \
    78. 

  78.     kubernetes_host=https://kubernetes.default.svc.cluster.local \
    79. 

  79.     kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
    80. 

  80. 

  81. vault write auth/mykubernetes/role/external-secrets-operator \
    82. 

  82.     bound_service_account_names=* \
    83. 

  83.     bound_service_account_namespaces=* \
    84. 

  84.     policies=external-secrets-operator \
    85. 

  85.     ttl=1h
    86.