abdennour · April 7, 2025 17:29
diff --git a/vault-auth-k8s-method.sh b/vault-auth-k8s-method.sh
 # $1: vault namespace
 # $2: Vault Token Reviewer Service Account
 vault_namespace=${1:-"vault"}
 token_reviewer_sa=${2:-"vault"}
 if [ -z "${VAULT_TOKEN}" ] || [ -z "${VAULT_ADDR}" ]; then
  echo "ERROR: VAULT_TOKEN and VAULT_ADDR env vars are required"
  exit 404
 fi

 cat <<EOF | kubectl apply -f -
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: ${token_reviewer_sa}
  namespace: ${vault_namespace}
  labels:
    role: vault-token-review-for-k8s-auth
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: role-tokenreview-binding
  namespace: ${vault_namespace}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
 subjects:
 - kind: ServiceAccount
  name: ${token_reviewer_sa}
  namespace: ${vault_namespace}
 EOF
 # 1. enabling kube auth already done with Operator
 export VAULT_SA_NAME=$(kubectl -n ${vault_namespace} get sa ${token_reviewer_sa} -o jsonpath="{.secrets[*]['name']}")
 export SA_JWT_TOKEN=$(kubectl -n ${vault_namespace} get secret $VAULT_SA_NAME -o jsonpath="{.data.token}" | base64 --decode; echo)
 export SA_CA_CRT=$(kubectl -n ${vault_namespace} get secret $VAULT_SA_NAME -o jsonpath="{.data['ca\.crt']}" | base64 --decode; echo)
 export K8S_HOST=$(kubectl -n default get svc kubernetes -o jsonpath='{.spec.clusterIP}')

 # 2. configure token reviewer for serviceaccount
 vault write auth/kubernetes/config \
    token_reviewer_jwt="$SA_JWT_TOKEN" \
    kubernetes_host="https://$K8S_HOST" \
    kubernetes_ca_cert="$SA_CA_CRT"

 # 3. Add Role in Vault under the kube auth
 #---------> Already done by the Operator

 # 4. Test it - Validation
 ## Go to any pod matches the configuration of the role
 ## then LOGIN
 ###############################
 # role_name=jekins
 # curl --request POST
 # --data '{"jwt": "'$(cat /run/secrets/kubernetes.io/serviceaccount/token;echo)'", "role": "jenkins"}'  
 # --cacert /run/secrets/kubernetes.io/serviceaccount/ca.crt
 # http://vault.vault:8200/v1/auth/kubernetes/login

 ### Now try to read/write secrets ####################
 # vault kv get --field=x secret/hello/world
	# $1: vault namespace
	# $2: Vault Token Reviewer Service Account
	vault_namespace=${1:-"vault"}
	token_reviewer_sa=${2:-"vault"}
	if [ -z "${VAULT_TOKEN}" ] \|\| [ -z "${VAULT_ADDR}" ]; then
	echo "ERROR: VAULT_TOKEN and VAULT_ADDR env vars are required"
	exit 404
	fi

	cat <<EOF \| kubectl apply -f -
	---
	apiVersion: v1
	kind: ServiceAccount
	metadata:
	name: ${token_reviewer_sa}
	namespace: ${vault_namespace}
	labels:
	role: vault-token-review-for-k8s-auth
	---
	apiVersion: rbac.authorization.k8s.io/v1beta1
	kind: ClusterRoleBinding
	metadata:
	name: role-tokenreview-binding
	namespace: ${vault_namespace}
	roleRef:
	apiGroup: rbac.authorization.k8s.io
	kind: ClusterRole
	name: system:auth-delegator
	subjects:
	- kind: ServiceAccount
	name: ${token_reviewer_sa}
	namespace: ${vault_namespace}
	EOF
	# 1. enabling kube auth already done with Operator
	export VAULT_SA_NAME=$(kubectl -n ${vault_namespace} get sa ${token_reviewer_sa} -o jsonpath="{.secrets[*]['name']}")
	export SA_JWT_TOKEN=$(kubectl -n ${vault_namespace} get secret $VAULT_SA_NAME -o jsonpath="{.data.token}" \| base64 --decode; echo)
	export SA_CA_CRT=$(kubectl -n ${vault_namespace} get secret $VAULT_SA_NAME -o jsonpath="{.data['ca\.crt']}" \| base64 --decode; echo)
	export K8S_HOST=$(kubectl -n default get svc kubernetes -o jsonpath='{.spec.clusterIP}')

	# 2. configure token reviewer for serviceaccount
	vault write auth/kubernetes/config \
	token_reviewer_jwt="$SA_JWT_TOKEN" \
	kubernetes_host="https://$K8S_HOST" \
	kubernetes_ca_cert="$SA_CA_CRT"

	# 3. Add Role in Vault under the kube auth
	#---------> Already done by the Operator

	# 4. Test it - Validation
	## Go to any pod matches the configuration of the role
	## then LOGIN
	###############################
	# role_name=jekins
	# curl --request POST
	# --data '{"jwt": "'$(cat /run/secrets/kubernetes.io/serviceaccount/token;echo)'", "role": "jenkins"}'
	# --cacert /run/secrets/kubernetes.io/serviceaccount/ca.crt
	# http://vault.vault:8200/v1/auth/kubernetes/login

	### Now try to read/write secrets ####################
	# vault kv get --field=x secret/hello/world