https://docs.k3s.io/advanced#known-issues-with-rootless-mode
https://github.com/k3s-io/k3s/issues/6488#issuecomment-1339946080
+https://bank-vaults.dev/docs/installing/
```
# kubectl version should now work.
+ 54 wget https://get.helm.sh/helm-v3.13.1-linux-amd64.tar.gz
+ 55 tar xfvz helm-v3.13.1-linux-amd64.tar.gz
+ 56 mv linux-amd64/helm bin/
+ 57 chmod +x bin/helm
+
+
+helm upgrade --install --wait vault-operator oci://ghcr.io/bank-vaults/helm-charts/vault-operator
+kubectl kustomize https://github.com/bank-vaults/vault-operator/deploy/rbac | kubectl apply -f -
+kubectl apply -f https://raw.githubusercontent.com/bank-vaults/vault-operator/v1.21.0/deploy/examples/cr-raft.yaml
+
+
+kubectl edit vault
+add disable_mlock: true to config # or figure out how to allow mlock in rootless k3s
+
+ 104 wget https://github.com/bank-vaults/bank-vaults/releases/download/1.20.4/bank-vaults-linux-amd64.tar.gz
+ 105 tar xfvz bank-vaults-linux-amd64.tar.gz
+ 106 mv bank-vaults bin/
+ 107 chmod +x bin/bank-vaults
+
+ 109 wget https://releases.hashicorp.com/vault/1.15.1/vault_1.15.1_linux_amd64.zip
+ 110 unzip vault_1.15.1_linux_amd64.zip
+ 111 mv vault bin/
+ 112 chmod +x bin/vault
+
+
+kubectl create namespace vault-infra
+kubectl label namespace vault-infra name=vault-infra
+
+helm upgrade --install --wait vault-secrets-webhook oci://ghcr.io/bank-vaults/helm-charts/vault-secrets-webhook --namespace vault-infra
+
+
+
+kubectl apply -f - <<EOF
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: vault-test
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: vault
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: vault
+ annotations:
+ vault.security.banzaicloud.io/vault-addr: "https://vault:8200" # optional, the address of the Vault service, default values is https://vault:8200
+ vault.security.banzaicloud.io/vault-role: "default" # optional, the default value is the name of the ServiceAccount the Pod runs in, in case of Secrets and ConfigMaps it is "default"
+ vault.security.banzaicloud.io/vault-skip-verify: "false" # optional, skip TLS verification of the Vault server certificate
+ vault.security.banzaicloud.io/vault-tls-secret: "vault-tls" # optional, the name of the Secret where the Vault CA cert is, if not defined it is not mounted
+ vault.security.banzaicloud.io/vault-agent: "false" # optional, if true, a Vault Agent will be started to do Vault authentication, by default not needed and vault-env will do Kubernetes Service Account based Vault authentication
+ vault.security.banzaicloud.io/vault-path: "kubernetes" # optional, the Kubernetes Auth mount path in Vault the default value is "kubernetes"
+ spec:
+ serviceAccountName: default
+ containers:
+ - name: alpine
+ image: alpine
+ command: ["sh", "-c", "echo \$AWS_SECRET_ACCESS_KEY && echo going to sleep... && sleep 10000"]
+ env:
+ - name: AWS_SECRET_ACCESS_KEY
+ value: vault:secret/data/demosecret/aws#AWS_SECRET_ACCESS_KEY
+EOF
+
+
```
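Review bot: The three `wget` downloads (helm, bank-vaults, vault) are unpacked and moved into `bin/` with no integrity check, so a corrupted or substituted archive would be installed as-is; each should be verified against the publisher's checksum before extraction, as sketched below for helm and vault (for bank-vaults, use the release's checksum file if one is published). The `kubectl kustomize` URL for `deploy/rbac`, both `helm upgrade --install` charts and `image: alpine` carry no version, while `cr-raft.yaml` is pinned to v1.21.0, so pinning them to matching releases would keep the RBAC and chart content from drifting away from the CR. The test Deployment's command echoes `\$AWS_SECRET_ACCESS_KEY` to stdout, which writes the injected value into the pod log for anyone with log access; printing only whether it is set, e.g. `echo \${AWS_SECRET_ACCESS_KEY:+secret injected}`, confirms the webhook worked without exposing it. The `disable_mlock: true` note should also say that Vault memory can then be swapped out, so swap on that host should be off or encrypted. The hunk header is not visible in this view, so the notes may continue before these lines.

```shell
wget https://get.helm.sh/helm-v3.13.1-linux-amd64.tar.gz
wget https://get.helm.sh/helm-v3.13.1-linux-amd64.tar.gz.sha256sum
sha256sum -c helm-v3.13.1-linux-amd64.tar.gz.sha256sum   # stop here on a mismatch
# … unchanged: tar, mv, chmod for helm …

wget https://releases.hashicorp.com/vault/1.15.1/vault_1.15.1_linux_amd64.zip
wget https://releases.hashicorp.com/vault/1.15.1/vault_1.15.1_SHA256SUMS
sha256sum -c --ignore-missing vault_1.15.1_SHA256SUMS    # stop here on a mismatch
# … unchanged: unzip, mv, chmod for vault …
```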