From 9a711544300899ac6270f2577a1109494b182a43 Mon Sep 17 00:00:00 2001
From: Mads Hennings Thyssen
Date: Mon, 17 May 2021 11:33:52 +0200
Subject: [PATCH] copying a vault pr https://github.com/hashicorp/vault-helm/pull/252
---
 vault/files/vault-config.sh | 45 ++++++++++++++++++++++++++++
 vault/templates/cm-job.yaml | 8 +++++
 vault/templates/job.yaml | 58 ++++++++++++++-----------------------
 vault/templates/secret.yaml | 15 ----------
 vault/values.yaml | 30 +++++++++++++++----
 5 files changed, 99 insertions(+), 57 deletions(-)
 create mode 100644 vault/files/vault-config.sh
 create mode 100644 vault/templates/cm-job.yaml
 delete mode 100644 vault/templates/secret.yaml
diff --git a/vault/files/vault-config.sh b/vault/files/vault-config.sh
new file mode 100644
index 0000000..cc5c42a
--- /dev/null
+++ b/vault/files/vault-config.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+set +x
+while ! nslookup vault /tmp/stdout
+cat /tmp/stdout | head -n 1 | awk '{print $4}' > /tmp/key
+cat /tmp/stdout | grep -i "Root" |awk '{print $4}' > /tmp/token
+export KEY=$(cat /tmp/key)
+export VAULT_TOKEN=$(cat /tmp/token)
+
+echo "vault key is : $KEY"
+echo "vault token is : $VAULT_TOKEN"
+
+echo "Unsealing the vault"
+vault operator unseal $KEY
+vault status
+
+if [ "{{.Values.initvault.ldapauth.enabled}}" == "true" ]; then
+ echo "Enabling the LDAP auth"
+ export ldap_url="{{.Values.initvault.ldapauth.ldap_url}}"
+ export userattr="{{.Values.initvault.ldapauth.userattr}}"
+ export userdn="{{.Values.initvault.ldapauth.userdn}}"
+ export groupdn="{{.Values.initvault.ldapauth.groupdn}}"
+ export upndomain="{{.Values.initvault.ldapauth.upndomain}}"
+ vault auth enable ldap
+ vault login $VAULT_TOKEN
+ vault write auth/ldap/config \
+ url="${ldap_url}" \
+ userattr="${userattr}" \
+ userdn="${userdn}" \
+ groupdn="${groupdn}" \
+ upndomain="${upndomain}" \
+ insecure_tls=true starttls=true \
+ tls_min_version=tls10
+fi
\ No newline at end of file
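Review bot: The new script writes the unseal key and root token to stdout (`echo "vault key is : $KEY"`, `echo "vault token is : $VAULT_TOKEN"`) and leaves them behind in /tmp/key and /tmp/token, so the credentials that protect the entire Vault end up in the job pod's log and in any log collector that scrapes it; remove the two echo lines and `rm -f /tmp/key /tmp/token /tmp/stdout` once the values are exported, or store the init output in a Kubernetes Secret instead of a temp file. The LDAP backend is configured with `insecure_tls=true starttls=true` and `tls_min_version=tls10` hard-coded, which disables certificate verification and permits TLS 1.0 on the channel that carries user passwords, so these belong in values.yaml with secure defaults (`insecure_tls=false`, `tls_min_version=tls12`) rather than fixed in the script. `set -e` is never enabled, so a failed `vault operator unseal $KEY` still falls through to enabling and configuring LDAP against a sealed server. The hunk header announces 45 lines but fewer are visible and `while ! nslookup vault /tmp/stdout` reads like two fused lines, so the wait/init section that produces /tmp/stdout is presumably missing from this view and could not be reviewed.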
diff --git a/vault/templates/cm-job.yaml b/vault/templates/cm-job.yaml
new file mode 100644
index 0000000..44f2b0b
--- /dev/null
+++ b/vault/templates/cm-job.yaml
@@ -0,0 +1,8 @@
+{{- if .Values.initvault.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: vault-config-sh
+data:
+{{ (tpl (.Files.Glob "files/vault-config.sh").AsConfig . ) | indent 4 }}
+{{- end }}
\ No newline at end of file
diff --git a/vault/templates/job.yaml b/vault/templates/job.yaml
index 2efef62..63b246a 100644
--- a/vault/templates/job.yaml
+++ b/vault/templates/job.yaml
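Review bot: The ConfigMap uses the fixed literal `name: vault-config-sh` instead of the release-scoped `{{ template "vault.fullname" . }}` that the removed job and secret templates used, so two releases of this chart in one namespace will overwrite the same object and the Job that mounts it. The `tpl` line renders the entire script, including every `.Values.initvault.ldapauth.*` value, into shell code with no quoting, so a value containing a double quote or `$` corrupts the generated script; passing those values to the Job as environment variables keeps configuration out of the code path. Should a later revision of the script start consuming `token_reviewer_jwt` from the new values block, it would be rendered into this ConfigMap in clear text, so that credential needs to come from a Secret reference rather than through this template.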
@@ -1,46 +1,30 @@
-{{- if .Values.autoconfig.enabled}}
+{{- if .Values.initvault.enabled }}
 apiVersion: batch/v1
 kind: Job
 metadata:
- name: {{ template "vault.fullname" . }}-config-job
- labels:
- app: {{ include "vault.name" . }}-config-job
- chart: {{ .Chart.Name }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
+ name: vault-config-job
 annotations:
- "helm.sh/hook": pre-install,pre-upgrade
- "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+ "helm.sh/hook": "post-install"
 spec:
 template:
- metadata:
- labels:
- app: {{ .Release.Name }}-config-job
- release: {{ .Release.Name }}
-{{- if .Values.autoconfig.job.podLabels }}
-{{ toYaml .Values.autoconfig.job.podLabels | indent 8 }}
-{{- end }}
-{{- if .Values.autoconfig.job.podAnnotations }}
- annotations:
-{{ toYaml .Values.autoconfig.job.podAnnotations | indent 8 }}
-{{- end }}
 spec:
- restartPolicy: OnFailure
- volumes:
- - name: init-secrets
- secret:
- secretName: {{ template "vault.fullname" . }}-job-secret
 containers:
- - name: vault-init-job
- image: hashicorp/vault
- command:
- - "/bin/sh"
- - "-c"
- args:
- - >
- echo "this is a job!"
- while true do; sleep 100; done;
+ - name: vault-config-install
+ image: {{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }}
+ imagePullPolicy: IfNotPresent
+ command: ["sh", "/tmp/vault-config.sh"]
 volumeMounts:
- - name: init-secrets
- mountPath: /secrets
-{{- end }}
\ No newline at end of file
+ - name: vault-config-sh
+ mountPath: /tmp/vault-config.sh
+ subPath: vault-config.sh
+ restartPolicy: OnFailure
+ terminationGracePeriodSeconds: 0
+ volumes:
+ - name: vault-config-sh
+ configMap:
+ name: vault-config-sh
+ defaultMode: 0777
+ backoffLimit: 5
+ completions: 1
+ parallelism: 1
+ {{- end }}
\ No newline at end of file
diff --git a/vault/templates/secret.yaml b/vault/templates/secret.yaml
deleted file mode 100644
index 1c455c3..0000000
--- a/vault/templates/secret.yaml
+++ /dev/null
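Review bot: The hook annotation drops the previous `"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation`, so the completed Job and its pod, whose log holds everything the mounted script prints, stay in the cluster indefinitely, and with the fixed `name: vault-config-job` a reinstall into the same namespace fails because the Job already exists; restore `"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation` and scope the name with `{{ template "vault.fullname" . }}` as the removed lines did. `defaultMode: 0777` makes the mounted script world-writable for no benefit; ConfigMap volumes are mounted read-only anyway, so `defaultMode: 0555` is enough to execute it. With `backoffLimit: 5` every retry re-runs the whole script against a Vault that may already be initialised and unsealed, so either the script must be idempotent or the limit should be lowered. The image falls back to `default "latest"` combined with `imagePullPolicy: IfNotPresent`, which pins nothing and will silently run whatever image happens to be cached on the node.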
@@ -1,15 +0,0 @@
-
-{{- if .Values.autoconfig.enabled}}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ template "vault.fullname" . }}-job-secret
- labels:
- app: {{ include "vault.name" . }}-job-secret
- chart: {{ .Chart.Name }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-stringData:
- test: hello
-
-{{- end }}
\ No newline at end of file
diff --git a/vault/values.yaml b/vault/values.yaml
index b97989e..69aaed3 100644
--- a/vault/values.yaml
+++ b/vault/values.yaml
@@ -1,10 +1,30 @@
-autoconfig:
- enabled: true
+# This will run helm post-install hook to init the vault
+initvault:
+ enabled: false
 
- job:
- podLabels:
+# The ldap auth related params
+ ldapauth:
+ enabled: false
+ ldap_url: "ldap://"
+ userattr: ""
+ userdn: ""
+ groupdn: ""
+ upndomain: ""
+
+# The GitHub auth related params
+ githubauth:
+ enabled: false
+ organization: ""
+
+# The Kubernetes auth related params
+ k8sauth:
+ enabled: false
+ token_reviewer_jwt: ""
+ kubernetes_host: ""
+ kubernetes_ca_cert: ""
+
+# More Auth can be added here as per reqiurement
 
- podAnnotations:
 
 vault:
 # Available parameters and their default values for the Vault chart.
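Review bot: `token_reviewer_jwt: ""` under `k8sauth` models a bearer credential as a plain chart value; Helm persists values in the release record and, through the `tpl` rendering in cm-job.yaml, anything the script consumes is written into a ConfigMap, so this field should reference an existing Secret rather than hold the token inline. Only `ldapauth` is consumed by vault-config.sh in this patch, so `githubauth` and `k8sauth` are dead configuration until the script gains those branches, and their header comments should say so, e.g. `# Not yet consumed by vault-config.sh`. The `ldapauth` block also ought to expose the TLS settings the script currently hard-codes (`insecure_tls`, `tls_min_version`) so operators can run with verification on. Minor: `reqiurement` in the last added comment is a typo for `requirement`.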