From dc7f1cc42b70e9cc321bc2b71dd7fcd73e9ee13d Mon Sep 17 00:00:00 2001 From: Lumpiasty Date: Mon, 21 Apr 2025 22:09:13 +0200 Subject: [PATCH] synchronize kubernetes auth method in recoincile script --- utils/synchronize-vault.py | 13 +++++++++++++ vault/kubernetes-config.yaml | 1 + 2 files changed, 14 insertions(+) create mode 100644 vault/kubernetes-config.yaml diff --git a/utils/synchronize-vault.py b/utils/synchronize-vault.py index 8478813..517de38 100755 --- a/utils/synchronize-vault.py +++ b/utils/synchronize-vault.py @@ -1,5 +1,8 @@ #!/usr/bin/env python +from hvac.api.auth_methods.kubernetes import Kubernetes + + import argparse import os from hvac.api.system_backend import mount @@ -30,6 +33,13 @@ def synchronize_policies(client: hvac.Client): print(f'Updating policy: {policy_name}') client.sys.create_or_update_acl_policy(policy_name, policy_content) +# Read vault/kubernetes-config.yaml and write it to kubernetes auth method config +def synchronize_auth_kubernetes_config(client: hvac.Client): + config_file = os.path.join(os.path.dirname(__file__), '../vault/kubernetes-config.yaml') + with open(config_file, 'r') as f: + config = yaml.safe_load(f.read()) + client.write_data('/auth/kubernetes/config', data=config) + # Read vault/kubernetes-roles dir then write what is there and delete missing def synchronize_kubernetes_roles(client: hvac.Client): kubernetes = Kubernetes(client.adapter) @@ -71,5 +81,8 @@ if __name__ == '__main__': print('Synchronizing policies') synchronize_policies(client) + print('Synchronizing kubernetes config') + synchronize_auth_kubernetes_config(client) + print('Synchronizing kubernetes roles') synchronize_kubernetes_roles(client) diff --git a/vault/kubernetes-config.yaml b/vault/kubernetes-config.yaml new file mode 100644 index 0000000..e10ffcb --- /dev/null +++ b/vault/kubernetes-config.yaml @@ -0,0 +1 @@ +kubernetes_host: https://10.43.0.1:443
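Review bot: The new `from hvac.api.auth_methods.kubernetes import Kubernetes` in the first hunk is placed above `import argparse`, followed by two blank lines, so the third-party import now sits before the stdlib group instead of next to the existing `from hvac.api.system_backend import mount`; move it down beside that line to keep the stdlib-then-third-party grouping. The context line `kubernetes = Kubernetes(client.adapter)` in `synchronize_kubernetes_roles` predates this commit, which suggests the name was already reaching that function some other way, so it is worth checking further down the file for an import that this hunk now duplicates.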
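Review bot: In `synchronize_auth_kubernetes_config`, `client.write_data('/auth/kubernetes/config', data=config)` forwards every key of the YAML file to the auth backend unchecked, whereas the neighbouring `synchronize_kubernetes_roles` goes through `Kubernetes(client.adapter)`; using the same helper, `kubernetes = Kubernetes(client.adapter)` then `kubernetes.configure(**config)`, keeps the two functions consistent and makes an unexpected key in the file fail at the call site rather than at the Vault API. If I read Vault's config endpoint correctly, writing it replaces the whole auth configuration, so any `kubernetes_ca_cert` or `token_reviewer_jwt` that was set outside this file would be dropped on the next reconcile run; a header comment stating that the YAML file is the sole source of truth for the Kubernetes auth config would make that intent explicit. The write also assumes the auth method is already enabled at the `kubernetes` mount, which nothing in this hunk checks.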