From f1a5b4f599a0df296a8b37e492fe3ed431233edd Mon Sep 17 00:00:00 2001
From: Bot
Date: Mon, 28 Apr 2025 09:44:33 +0200
Subject: [PATCH] Initial upload
---
 .../factory.c-one-infra.de/stacks/core/argocd.yaml | 3 +++
 .../stacks/ref-implementation/openbao.yaml | 3 +++
 .../ref-implementation/openbao/manifests/role.yaml | 9 +++++++++
 .../openbao/manifests/rolebinding.yaml | 13 +++++++++++++
 .../stacks/ref-implementation/openbao/values.yaml | 14 ++++++++++++++
 5 files changed, 42 insertions(+)
 create mode 100644 rire/factory.c-one-infra.de/stacks/ref-implementation/openbao/manifests/role.yaml
 create mode 100644 rire/factory.c-one-infra.de/stacks/ref-implementation/openbao/manifests/rolebinding.yaml
diff --git a/rire/factory.c-one-infra.de/stacks/core/argocd.yaml b/rire/factory.c-one-infra.de/stacks/core/argocd.yaml
index a3f7fd0..b47a51a 100644
--- a/rire/factory.c-one-infra.de/stacks/core/argocd.yaml
+++ b/rire/factory.c-one-infra.de/stacks/core/argocd.yaml
@@ -28,3 +28,6 @@ spec:
 - repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/stacks-instances
 targetRevision: HEAD
 ref: values
+ - repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/stacks-instances
+ targetRevision: HEAD
+ path: "rire/factory.c-one-infra.de/stacks/core/argocd/manifests"
diff --git a/rire/factory.c-one-infra.de/stacks/ref-implementation/openbao.yaml b/rire/factory.c-one-infra.de/stacks/ref-implementation/openbao.yaml
index a1c2ad7..5131e0d 100644
--- a/rire/factory.c-one-infra.de/stacks/ref-implementation/openbao.yaml
+++ b/rire/factory.c-one-infra.de/stacks/ref-implementation/openbao.yaml
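Review bot: The new source points Argo CD at `rire/factory.c-one-infra.de/stacks/core/argocd/manifests`, but this patch creates no files under that path (the diffstat lists only the openbao manifests), so unless the directory already exists in the repository the Application will fail to sync with a path-not-found error. If the directory is meant to stay empty for now, a placeholder such as a `.gitkeep` or a minimal `kustomization.yaml` avoids the failing sync. Like the `values` source above it, the new source tracks `targetRevision: HEAD`, so whatever lands on the default branch is applied without further review; pinning it to a tag or commit is worth considering once this path carries cluster-level objects. The `spec` block starts before this hunk.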
@@ -27,6 +27,9 @@ spec:
 - repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/stacks-instances
 targetRevision: HEAD
 ref: values
+ - repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/stacks-instances
+ targetRevision: HEAD
+ path: "rire/factory.c-one-infra.de/stacks/ref-implementation/openbao/manifests"
 ignoreDifferences:
 - group: admissionregistration.k8s.io
 kind: MutatingWebhookConfiguration
diff --git a/rire/factory.c-one-infra.de/stacks/ref-implementation/openbao/manifests/role.yaml b/rire/factory.c-one-infra.de/stacks/ref-implementation/openbao/manifests/role.yaml
new file mode 100644
index 0000000..d2f66a9
--- /dev/null
+++ b/rire/factory.c-one-infra.de/stacks/ref-implementation/openbao/manifests/role.yaml
@@ -0,0 +1,9 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: vault-token-role
+ namespace: openbao
+rules:
+ - apiGroups: [""] # "" indicates the core API group
+ resources: ["secrets"]
+ verbs: ["create"]
diff --git a/rire/factory.c-one-infra.de/stacks/ref-implementation/openbao/manifests/rolebinding.yaml b/rire/factory.c-one-infra.de/stacks/ref-implementation/openbao/manifests/rolebinding.yaml
new file mode 100644
index 0000000..625acd8
--- /dev/null
+++ b/rire/factory.c-one-infra.de/stacks/ref-implementation/openbao/manifests/rolebinding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: vault-token-rolebinding
+ namespace: openbao
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: vault-token-role
+subjects:
+ - kind: ServiceAccount
+ name: openbao
+ namespace: openbao
diff --git a/rire/factory.c-one-infra.de/stacks/ref-implementation/openbao/values.yaml b/rire/factory.c-one-infra.de/stacks/ref-implementation/openbao/values.yaml
index 0ff72cf..96434e8 100644
--- a/rire/factory.c-one-infra.de/stacks/ref-implementation/openbao/values.yaml
+++ b/rire/factory.c-one-infra.de/stacks/ref-implementation/openbao/values.yaml
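Review bot: The added source applies raw manifests from `targetRevision: HEAD`, and with this commit those manifests are a Role and RoleBinding that grant Secret creation in the `openbao` namespace, so any push to the default branch of `stacks-instances` changes live RBAC without a pinned revision to review; pinning `targetRevision` to a tag or commit for this source limits that. Whether the Application syncs automatically is not visible in this hunk, so the practical impact depends on the sync policy defined above it. The `spec` block starts before this hunk.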
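Review bot: The Role carries no comment explaining why the `openbao` service account needs to create Secrets, which is the first thing a reader of an RBAC manifest asks before widening it; a line such as `# create-only: lets the OpenBao server pod publish its initial token as the vault-token Secret without being able to read other Secrets in the namespace` above `rules:` records the intent. Keeping the verb list to `create` (no `get`/`list`/`update`) is the right least-privilege shape, and `create` cannot be narrowed with `resourceNames` anyway, so there is no tighter form to ask for here. It does mean a second run of the script that uses this Role fails once `vault-token` already exists, which is worth stating in the same comment.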
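Review bot: The subject is a ServiceAccount literally named `openbao`, and nothing in this patch shows that the chart's server pod actually runs under a service account of that name; if the chart derives the name from the release (as the Vault-style charts do), the binding grants nothing and the Secret creation in values.yaml is denied. A comment such as `# must match the serviceAccount the OpenBao server pod runs as` above `subjects:` plus a check of the rendered chart would settle it.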
@@ -3,6 +3,8 @@ server:
 - sh
 - -c
 - |
+ set -e
+ sleep 10
 bao operator init >> /tmp/init.txt
 cat /tmp/init.txt | grep "Key " | awk '{print $NF}' | xargs -I{} bao operator unseal {}
@@ -13,5 +15,17 @@ server:
 echo $(grep "Unseal Key 4:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key4.txt
 echo $(grep "Unseal Key 5:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key5.txt
 rm /tmp/init.txt
+
+ if [[ "$(uname -m)" == "x86_64" ]]; then
+ wget "https://dl.k8s.io/release/$(wget https://dl.k8s.io/release/stable.txt -q -O -)/bin/linux/amd64/kubectl" -O /tmp/kubectl_eso
+ else
+ wget "https://dl.k8s.io/release/$(wget https://dl.k8s.io/release/stable.txt -q -O -)/bin/linux/arm64/kubectl" -O /tmp/kubectl_eso
+ fi
+ chmod +x /tmp/kubectl_eso
+
+ kubectl create secret generic vault-token --from-literal=token="$(cat /openbao/data/initial_token.txt)" -n openbao
+
+ rm /tmp/kubectl_eso
+
 ui:
 enabled: true
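Review bot: `sleep 10` is a fixed wait for the server to accept connections, and under the new `set -e` a slow start now aborts the whole script at `bao operator init` instead of retrying; a readiness poll such as `until bao status >/dev/null 2>&1; [ $? -ne 1 ]; do sleep 1; done` (status is expected to exit 2 while sealed and 1 while unreachable — confirm against the OpenBao CLI) is more robust. `set -e` also means that if this hook runs again on an already initialised pod, the failing `bao operator init` ends the script before anything else runs, which may or may not be the intended behaviour. The script is launched through `sh -c`, and the `[[ ... ]]` test added further down in this file is not POSIX sh; it works under bash and BusyBox ash, so which shell the image provides should be checked. The script continues past this hunk.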
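Review bot: The Secret is created with `kubectl`, but the binary that was just downloaded is `/tmp/kubectl_eso`, so unless a kubectl already exists on the image's PATH this line fails and, with the hunk's `set -e`, aborts the script before the temporary binary is removed; the call should be `/tmp/kubectl_eso create secret generic vault-token --from-literal=token="$(cat /openbao/data/initial_token.txt)" -n openbao`. The binary is also fetched at every start from whatever `stable.txt` resolves to, with no checksum, and then executed with the pod's service-account credentials, so a pinned version verified against the published `kubectl.sha256` closes that supply-chain gap; the rewrite below does both and replaces the `[[` bashism with a `case`. The value stored in `vault-token` comes from `initial_token.txt`, which by its name is the initial root token; if so, anyone who can read Secrets in the `openbao` namespace gets root on OpenBao, and a scoped token for the consumer (with the root token revoked afterwards) would be safer — worth confirming. The enclosing script starts before this hunk.
```shell
# … unchanged: init, unseal and unseal-key export …
KUBECTL_VERSION="vX.Y.Z"  # pin a reviewed release instead of resolving stable.txt at run time
case "$(uname -m)" in
  x86_64) KUBECTL_ARCH=amd64 ;;
  *) KUBECTL_ARCH=arm64 ;;
esac
wget "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${KUBECTL_ARCH}/kubectl" -O /tmp/kubectl_eso
wget "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${KUBECTL_ARCH}/kubectl.sha256" -q -O /tmp/kubectl_eso.sha256
# refuse to run a binary that does not match the published digest
echo "$(cat /tmp/kubectl_eso.sha256)  /tmp/kubectl_eso" | sha256sum -c -
chmod +x /tmp/kubectl_eso

/tmp/kubectl_eso create secret generic vault-token --from-literal=token="$(cat /openbao/data/initial_token.txt)" -n openbao

rm /tmp/kubectl_eso /tmp/kubectl_eso.sha256
```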