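#!/usr/bin/env bash
#
# For each tenant in TENANTS: create a Vault AWS secrets-engine role whose
# policy comes from the tenant's local template, copy that template to S3,
# render and apply the tenant's Vault Agent ConfigMap, then deploy the Vault
# Agent example pod (images pinned by ECR digest) into the tenant namespace.
#
# Required environment (expected from ~/.bash_profile or the caller):
#   RANDOM_STRING, AWS_REGION, ACCOUNT_ID, PROFILE,
#   VAULT_AGENT_TEMPLATES_BUCKET, EKS_CLUSTER_NAME
# Inputs (relative to the working directory):
#   vault-agent-configmap.yaml, vault-agent-example.yaml,
#   ../config/pool/<tenant>/template/<PROFILE>.ctmpl
# Outputs:
#   ../config/pool/<tenant>/<tenant>.cm (rendered ConfigMap), Kubernetes
#   objects applied to the tenant namespace, the template copied to S3.

# Sourced before strict mode: login profiles commonly touch unset variables,
# which would abort under -u.
# shellcheck disable=SC1090
source ~/.bash_profile

set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

# Fail early with a clear message instead of building half-formed names.
: "${RANDOM_STRING:?must be set}"
: "${AWS_REGION:?must be set}"
: "${ACCOUNT_ID:?must be set}"
: "${PROFILE:?must be set}"
: "${VAULT_AGENT_TEMPLATES_BUCKET:?must be set}"
: "${EKS_CLUSTER_NAME:?must be set}"

#######################################
# Print the sha256 hex digest of the image tagged 'latest' in an ECR repo.
# Arguments: $1 - ECR repository name
# Outputs:   digest hex (without the 'sha256:' prefix) to stdout
# Returns:   non-zero if the describe-images call fails
#######################################
latest_digest() {
  local repo=$1
  aws ecr describe-images \
    --repository-name "${repo}" \
    --query 'imageDetails[?imageTags[0]==`latest`].imageDigest' \
    --output text | awk -F 'sha256:' '{print $2}'
}

#######################################
# Configure Vault and deploy the agent example for one tenant.
# Globals:   VAULT_NS, VAULT_POD, VAULT_TOKEN, ACCOUNT_ID, RANDOM_STRING,
#            PROFILE, VAULT_AGENT_TEMPLATES_BUCKET (read);
#            TENANT, APPLICATION_NS, VAULT_AGENT_ROLE, DOLLAR (exported)
# Arguments: $1 - tenant name (also used as namespace and agent role)
# Outputs:   progress and kubectl output to stdout
# Returns:   0 on success; exits via set -e / die on failure
#######################################
configure_tenant() {
  local tenant=$1
  local template configmap

  # envsubst below reads these from the environment, so they must be exported.
  export TENANT="${tenant}"
  export APPLICATION_NS="${tenant}"
  export VAULT_AGENT_ROLE="${tenant}"

  template="../config/pool/${tenant}/template/${PROFILE}.ctmpl"
  [[ -f "${template}" ]] || die "missing policy template ${template}"

  printf 'Creating Vault Role for %s\n' "${tenant}"
  printf '=================================\n'

  # The policy document lives on the LOCAL filesystem (the aws s3 cp below
  # reads the same path locally), so it is streamed to the pod's stdin with
  # policy_document=- ; hence exec -i without -t. No remote `sh -c` wrapper
  # is needed because every argument is expanded here, not in the pod.
  # NOTE(review): the closing quote of the original remote command string is
  # missing from this copy; the local-file/stdin reading is inferred — confirm.
  # NOTE(review): the token is passed in the exec argv, which is visible to
  # local `ps` and is recorded by API-server audit logging of exec requests.
  kubectl -n "${VAULT_NS}" exec -i "${VAULT_POD}" -c vault \
    -- env VAULT_TOKEN="${VAULT_TOKEN}" \
    RANDOM_STRING="${RANDOM_STRING}" \
    ACCOUNT_ID="${ACCOUNT_ID}" \
    AWS_REGION="${AWS_REGION}" \
    vault write "aws/roles/${tenant}" \
      "role_arns=arn:aws:iam::${ACCOUNT_ID}:role/vault-role-${RANDOM_STRING}" \
      credential_type=assumed_role \
      policy_document=- < "${template}"

  aws s3 cp "${template}" \
    "s3://${VAULT_AGENT_TEMPLATES_BUCKET}/${tenant}/${PROFILE}.ctmpl"

  # Render the agent ConfigMap for this tenant and apply it.
  configmap="../config/pool/${tenant}/${tenant}.cm"
  envsubst < vault-agent-configmap.yaml > "${configmap}"
  kubectl -n "${APPLICATION_NS}" apply -f "${configmap}"

  # Deploy the Vault Agent example pod. DOLLAR lets the manifest write a
  # literal '$' (as ${DOLLAR}) that envsubst would otherwise try to expand.
  export DOLLAR='$'
  envsubst < vault-agent-example.yaml \
    | kubectl -n "${APPLICATION_NS}" apply -f -
  kubectl -n "${APPLICATION_NS}" get all
}

main() {
  local tenant

  export VAULT_NS="vault"
  export VAULT_ADDR="vault.${VAULT_NS}.svc.cluster.local:8200"

  # --output text yields the bare secret string. The original piped the JSON
  # string through xargs to strip quotes, which would also mangle backslashes
  # or embedded quotes in the token.
  # NOTE(review): this is the Vault root token; a scoped token with only the
  # aws/roles/* write capability would limit what this script can do.
  VAULT_TOKEN=$(aws secretsmanager get-secret-value \
    --secret-id "VAULT_ROOT_TOKEN_${RANDOM_STRING}" \
    --region "${AWS_REGION}" \
    --query SecretString \
    --output text) || die "failed to read Vault token from Secrets Manager"
  [[ -n "${VAULT_TOKEN}" ]] || die "Vault token is empty"
  export VAULT_TOKEN

  VAULT_POD=$(kubectl -n "${VAULT_NS}" get pods \
    --selector='app.kubernetes.io/name=vault' \
    -o jsonpath='{.items[0].metadata.name}') || die "failed to list Vault pods"
  [[ -n "${VAULT_POD}" ]] || die "no Vault pod found in namespace ${VAULT_NS}"
  export VAULT_POD

  # Image digests do not depend on the tenant, so resolve them once. The
  # manifests pin by digest rather than the mutable 'latest' tag.
  export VAULT_REPO_NAME="${EKS_CLUSTER_NAME}-repo-${RANDOM_STRING}-vault"
  VAULT_IMAGE_TAG=$(latest_digest "${VAULT_REPO_NAME}") \
    || die "failed to resolve digest for ${VAULT_REPO_NAME}"
  [[ -n "${VAULT_IMAGE_TAG}" ]] || die "no 'latest' image in ${VAULT_REPO_NAME}"
  export VAULT_IMAGE_TAG

  export AWSCLI_REPO_NAME="${EKS_CLUSTER_NAME}-repo-${RANDOM_STRING}-aws-cli"
  AWSCLI_IMAGE_TAG=$(latest_digest "${AWSCLI_REPO_NAME}") \
    || die "failed to resolve digest for ${AWSCLI_REPO_NAME}"
  [[ -n "${AWSCLI_IMAGE_TAG}" ]] || die "no 'latest' image in ${AWSCLI_REPO_NAME}"
  export AWSCLI_IMAGE_TAG

  # An array rather than a space-separated string, so tenant names are never
  # subject to word-splitting or globbing.
  local -a tenants=(tenantc tenantd)
  for tenant in "${tenants[@]}"; do
    configure_tenant "${tenant}"
  done
}

main "$@"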