#!/usr/bin/env bash
set -euo pipefail

# Following: https://developer.hashicorp.com/vault/tutorials/kubernetes/vault-secrets-operator

# Install vault
helm repo add hashicorp https://helm.releases.hashicorp.com
helm repo update

helm search repo hashicorp/vault
helm install vault hashicorp/vault \
    -n vault \
    --create-namespace \
    --values https://raw.githubusercontent.com/hashicorp-education/learn-vault-secrets-operator/refs/heads/main/vault/vault-values.yaml

# Configure vault
kubectl exec --stdin=true --tty=true vault-0 -n vault -- /bin/sh

## Within the pod
cd tmp
vault auth enable -path demo-auth-mount kubernetes
vault write auth/demo-auth-mount/config kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"
vault secrets enable -path=kvv2 kv-v2
tee webapp.json <<EOF
path "kvv2/data/webapp/config" {
   capabilities = ["read", "list"]
}
EOF
vault policy write webapp webapp.json
vault write auth/demo-auth-mount/role/role1 \
    bound_service_account_names=demo-static-app \
    bound_service_account_namespaces=app \
    policies=webapp \
    audience=vault \
    ttl=24h

vault kv put kvv2/webapp/config \
    ca-roots="some-ca-roots-data" \
    ca-intermediates="some-ca-intermediates-data" \
    certificate-email="some-email" \
    certificate-hostname="some-hostname"
# Exit the pod

# Install Vault Secrets Operator
helm install vault-secrets-operator hashicorp/vault-secrets-operator \
    -n vault-secrets-operator-system \
    --create-namespace \
    --values https://raw.githubusercontent.com/hashicorp-education/learn-vault-secrets-operator/refs/heads/main/vault/vault-operator-values.yaml

# Deploy and sync a secret
kubectl create ns app
kubectl apply -f https://raw.githubusercontent.com/hashicorp-education/learn-vault-secrets-operator/refs/heads/main/vault/vault-auth-static.yaml
kubectl apply -f https://raw.githubusercontent.com/hashicorp-education/learn-vault-secrets-operator/refs/heads/main/vault/static-secret.yaml

sleep 3
kubectl get secret secretkv -o yaml