init

data/helpers/admin-policy.hcl

@@ -1,56 +0,0 @@
-path "sys/health"
-{
-	capabilities = ["read", "sudo"]
-}
-path "sys/policies/acl"
-{
-	capabilities = ["list"]
-}
-path "sys/policies/acl/*"
-{
-	capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-path "auth/*"
-{
-	capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-path "sys/auth/*"
-{
-	capabilities = ["create", "update", "delete", "sudo"]
-}
-path "sys/auth"
-{
-	capabilities = ["read"]
-}
-path "kv/*"
-{
-	capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-path "secret/*"
-{
-	capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-path "identity/entity-alias"
-{
-	capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-path "identity/entity-alias/*"
-{
-	capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-path "identity/entity"
-{
-	capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-path "identity/entity/*"
-{
-	capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-path "sys/mounts/*"
-{
-	capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-path "sys/mounts"
-{
-	capabilities = ["read"]
-}

data/helpers/init.sh

@@ -1,29 +1,28 @@
 apk add jq curl
+
 export VAULT_ADDR=http://localhost:8200
+
 root_token=$(cat /helpers/keys.json | jq -r '.root_token')
+
 unseal_vault() {
-export VAULT_TOKEN=$root_token
-vault operator unseal -address=${VAULT_ADDR} $(cat /helpers/keys.json | jq -r '.keys[0]')
-vault login token=$VAULT_TOKEN
+	export VAULT_TOKEN=$root_token
+	vault operator unseal -address=${VAULT_ADDR} $(cat /helpers/keys.json | jq -r '.keys[0]')
+	vault login token=$VAULT_TOKEN
 }
+
 if [[ -n "$root_token" ]]
 then
   echo "Vault already initialized"
   unseal_vault
 else
   echo "Vault not initialized"
-  curl --request POST --data '{"secret_shares": 1, "secret_threshold": 1}' http://127.0.0.1:8200/v1/sys/init > /helpers/keys.json
+  curl -s --request POST --data '{"secret_shares": 1, "secret_threshold": 1}' http://${VAULT_ADDR}/v1/sys/init > /helpers/keys.json
   root_token=$(cat /helpers/keys.json | jq -r '.root_token')
 
   unseal_vault
 
   vault secrets enable -version=2 kv
-  vault auth enable approle
-  vault policy write admin-policy /helpers/admin-policy.hcl
-  vault write auth/approle/role/dev-role token_policies="admin-policy"
-  vault read -format=json auth/approle/role/dev-role/role-id \
-    | jq -r '.data.role_id' > /helpers/role_id
-  vault write -format=json -f auth/approle/role/dev-role/secret-id \
-    | jq -r '.data.secret_id' > /helpers/secret_id
+	vault auth enable kubernetes
 fi
+
 printf "\n\nVAULT_TOKEN=%s\n\n" $VAULT_TOKEN

data/helpers/vault-agent.hcl

@@ -1,33 +0,0 @@
-pid_file = "./pidfile"
-
-vault {
-	address = "http://vault:8200"
-	retry {
-		num_retries = 5
-	}
-}
-
-auto_auth {
-	method {
-		type = "approle"
-		config = {
-			role_id_file_path = "/helpers/role_id"
-			secret_id_file_path = "/helpers/secret_id"
-			remove_secret_id_file_after_reading = false
-		}
-	}
-	sink "file" {
-		config = {
-			path = "/helpers/sink_file"
-		}
-	}
-}
-
-cache {
-	use_auto_auth_token = true
-}
-
-listener "tcp" {
-	address = "0.0.0.0:8200"
-	tls_disable = true
-}