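#!/usr/bin/env bash
# Configure Vault Kubernetes auth + KV v2 + policy/role for External Secrets Operator.
# Requires: kubectl (cluster access), jq (required: reads the OIDC issuer);
#           Vault reachable via sts/vault.
#
# Usage (from repo root):
#   export KUBECONFIG=talos/kubeconfig   # or your path
#   export VAULT_TOKEN='…'               # root or admin token — never commit
#   ./clusters/noble/apps/vault/configure-kubernetes-auth.sh
#
# Then:   kubectl apply -f clusters/noble/apps/external-secrets/examples/vault-cluster-secret-store.yaml
# Verify: kubectl describe clustersecretstore vault
#
# Secret handling: VAULT_TOKEN and the reviewer JWT are streamed to the pod on
# stdin rather than placed on the `kubectl exec` command line. Command-line
# arguments are readable in the local and in-pod process lists, and the exec
# command is part of the API request, so it can end up in API-server audit logs.

set -euo pipefail

: "${VAULT_TOKEN:?Set VAULT_TOKEN to your Vault root or admin token}"

#######################################
# Print an error to stderr and abort.
# Arguments: $* - message
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Run a POSIX sh script inside the Vault pod.
# The first stdin line is VAULT_TOKEN; each extra argument becomes one further
# line, in order. The script must `read` them itself, which keeps the values
# out of argv on both sides of the exec.
# Globals:   VAULT_TOKEN (read)
# Arguments: $1 - script text; $2.. - additional single-line values
# Returns:   exit status of kubectl exec
#######################################
vault_sh() {
  local script=$1
  shift
  printf '%s\n' "$VAULT_TOKEN" "$@" |
    kubectl -n vault exec -i sts/vault -- env \
      VAULT_ADDR=http://127.0.0.1:8200 \
      sh -ec "$script"
}

command -v kubectl >/dev/null || die "kubectl not found in PATH"
command -v jq >/dev/null || die "jq not found in PATH (needed to read the cluster OIDC issuer)"

# --- Gather cluster facts ---------------------------------------------------
ISSUER=$(kubectl get --raw /.well-known/openid-configuration | jq -r .issuer)
# jq -r prints the string "null" when the key is absent; do not hand that to Vault.
[[ -n "$ISSUER" && "$ISSUER" != "null" ]] ||
  die "could not read issuer from /.well-known/openid-configuration"

# Token Vault presents to the TokenReview API; one year is requested.
# NOTE(review): the API server may cap the requested duration, and Kubernetes
# auth logins through Vault fail once this token expires. Record the expiry and
# re-run this script (or rotate the token) before then.
REVIEWER=$(kubectl -n vault create token vault --duration=8760h)
[[ -n "$REVIEWER" ]] || die "kubectl create token returned an empty reviewer token"

CA_B64=$(kubectl config view --raw --minify -o jsonpath='{.clusters[0].cluster.certificate-authority-data}')
# Empty when the kubeconfig references the CA by file path instead of inline
# data; writing an empty CA into the auth config would break verification.
[[ -n "$CA_B64" ]] ||
  die "kubeconfig has no inline certificate-authority-data for the current cluster"

# --- Enable the kubernetes auth method (idempotent) -------------------------
# The listing is captured into a variable so a failing `vault auth list` aborts
# under sh -e, without leaving a predictable file in /tmp.
vault_sh '
  IFS= read -r VAULT_TOKEN
  export VAULT_TOKEN
  auth_list=$(vault auth list)
  printf "%s\n" "$auth_list" | grep -q "^kubernetes/" || vault auth enable kubernetes
'

# --- Configure the kubernetes auth method -----------------------------------
# The CA and the reviewer JWT go through a private temp dir (umask 077, removed
# on exit) and are handed to Vault as @file values, so the JWT never appears in
# the vault CLI arguments.
vault_sh '
  IFS= read -r VAULT_TOKEN
  IFS= read -r CA_B64
  IFS= read -r REVIEWER
  IFS= read -r ISSUER
  export VAULT_TOKEN
  umask 077
  workdir=$(mktemp -d)
  cleanup() { rm -rf -- "$workdir"; }
  trap cleanup EXIT
  printf "%s" "$CA_B64" | base64 -d > "$workdir/k8s-ca.crt"
  printf "%s" "$REVIEWER" > "$workdir/reviewer.jwt"
  vault write auth/kubernetes/config \
    kubernetes_host="https://kubernetes.default.svc:443" \
    kubernetes_ca_cert=@"$workdir/k8s-ca.crt" \
    token_reviewer_jwt=@"$workdir/reviewer.jwt" \
    issuer="$ISSUER"
' "$CA_B64" "$REVIEWER" "$ISSUER"

# --- Enable KV v2 at secret/ (idempotent) -----------------------------------
vault_sh '
  IFS= read -r VAULT_TOKEN
  export VAULT_TOKEN
  mounts=$(vault secrets list)
  printf "%s\n" "$mounts" | grep -q "^secret/" || vault secrets enable -path=secret kv-v2
'

# --- Policy / role ----------------------------------------------------------
# NOTE(review): this listing is cut off partway through the next step. The
# fragment is kept below exactly as it appears and is not completed here:
#
#   kubectl -n vault exec -i sts/vault -- env \
#     VAULT_ADDR=http://127.0.0.1:8200 \
#     VAULT_TOKEN="$VAULT_TOKEN" \
#     sh -ec ' vault policy write external-secrets - <
#
# When restoring it from the original file, route it through vault_sh so the
# token stays off the command line like the steps above.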