# HashiCorp Vault configuration for minikube
# This is not part of ceph-csi project, used only
# for e2e testing of integration with such KMS
---
apiVersion: v1
kind: Service
metadata:
  name: vault
  labels:
    app: vault-api
spec:
  ports:
    - name: vault-api
      port: 8200
  clusterIP: None
  selector:
    app: vault
    role: server

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vault
  labels:
    app: vault
    role: server
spec:
  replicas: 1
  selector:
    matchLabels:
      app: vault
      role: server
  template:
    metadata:
      labels:
        app: vault
        role: server
    spec:
      containers:
        - name: vault
          image: docker.io/library/vault:1.8.5
          imagePullPolicy: "IfNotPresent"
          securityContext:
            runAsUser: 100
          env:
            - name: VAULT_DEV_ROOT_TOKEN_ID
              value: sample_root_token_id
            - name: SKIP_SETCAP
              value: any
            - name: HOME
              value: /home
          livenessProbe:
            exec:
              command:
                - pidof
                - vault
            initialDelaySeconds: 5
            timeoutSeconds: 2
          ports:
            - containerPort: 8200
              name: vault-api
          volumeMounts:
            - name: home
              mountPath: /home
        - name: monitor
          image: docker.io/library/vault:1.8.5
          imagePullPolicy: "IfNotPresent"
          securityContext:
            runAsUser: 100
          env:
            - name: VAULT_ADDR
              value: http://localhost:8200
            - name: HOME
              value: /home
          command:
            - vault
            - monitor
          volumeMounts:
            - name: home
              mountPath: /home
      volumes:
        - name: home
          emptyDir: {}
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: init-scripts
data:
  init-vault.sh: |
    set -x -e

    timeout 300 sh -c 'until vault status; do sleep 5; done'

    # login into vault to retrieve token
    vault login ${VAULT_DEV_ROOT_TOKEN_ID}

    # enable kubernetes auth method under specific path:
    vault auth enable -path="/${CLUSTER_IDENTIFIER}" kubernetes

    # write configuration to use your cluster
    vault write auth/${CLUSTER_IDENTIFIER}/config \
      token_reviewer_jwt=@${SERVICE_ACCOUNT_TOKEN_PATH}/token \
      kubernetes_host="${K8S_HOST}" \
      kubernetes_ca_cert=@${SERVICE_ACCOUNT_TOKEN_PATH}/ca.crt

    # create policy to use keys related to the cluster
    vault policy write "${CLUSTER_IDENTIFIER}" - << EOS
    path "secret/data/ceph-csi/*" {
      capabilities = ["create", "update", "delete", "read", "list"]
    }

    path "secret/metadata/ceph-csi/*" {
      capabilities = ["read", "delete", "list"]
    }

    path "sys/mounts" {
      capabilities = ["read"]
    }
    EOS

    # create a role
    vault write "auth/${CLUSTER_IDENTIFIER}/role/${PLUGIN_ROLE}" \
        bound_service_account_names="${SERVICE_ACCOUNTS}" \
        bound_service_account_namespaces="${SERVICE_ACCOUNTS_NAMESPACE}" \
        policies="${CLUSTER_IDENTIFIER}"

    # disable iss validation
    # from: external-secrets/kubernetes-external-secrets#721
    vault write auth/${CLUSTER_IDENTIFIER}/config \
      token_reviewer_jwt=@${SERVICE_ACCOUNT_TOKEN_PATH}/token \
      kubernetes_host="${K8S_HOST}" \
      disable_iss_validation=true
---
apiVersion: batch/v1
kind: Job
metadata:
  name: vault-init-job
spec:
  parallelism: 1
  completions: 1
  template:
    metadata:
      name: vault-init-job
    spec:
      serviceAccountName: rbd-csi-vault-token-review
      volumes:
        - name: init-scripts-volume
          configMap:
            name: init-scripts
      containers:
        - name: vault-init-job
          image: docker.io/library/vault:1.8.5
          securityContext:
            runAsUser: 100
          volumeMounts:
            - mountPath: /init-scripts
              name: init-scripts-volume
          env:
            - name: HOME
              value: /tmp
            - name: CLUSTER_IDENTIFIER
              value: kubernetes
            - name: SERVICE_ACCOUNT_TOKEN_PATH
              value: /var/run/secrets/kubernetes.io/serviceaccount
            - name: K8S_HOST
              value: https://kubernetes.default.svc.cluster.local
            - name: PLUGIN_ROLE
              value: csi-kubernetes
            - name: SERVICE_ACCOUNTS
              value: rbd-csi-nodeplugin,rbd-csi-provisioner,csi-rbdplugin,csi-rbdplugin-provisioner
            - name: SERVICE_ACCOUNTS_NAMESPACE
              value: default
            - name: VAULT_ADDR
              value: http://vault.default.svc.cluster.local:8200/
            - name: VAULT_DEV_ROOT_TOKEN_ID
              value: sample_root_token_id
          command:
            - /bin/sh
            - /init-scripts/init-vault.sh
          imagePullPolicy: "IfNotPresent"
      restartPolicy: Never