#kubectl exec --stdin=true --tty=true vault-0 -- /bin/sh
vault secrets enable pki 

vault secrets tune -max-lease-ttl=8760h pki

vault write pki/root/generate/internal common_name=dev.localhost ttl=8760h

vault write pki/config/urls issuing_certificates="http://vault.default:8200/v1/pki/ca"  crl_distribution_points="http://vault.default:8200/v1/pki/crl"

vault write pki/roles/dev-dot-localhost  allowed_domains=dev.localhost  allow_subdomains=true  max_ttl=72h

vault policy write pki - <<EOF
path "pki*"                        { capabilities = ["read", "list"] }
path "pki/roles/dev-dot-localhost"   { capabilities = ["create", "update"] }
path "pki/sign/dev-dot-localhost"    { capabilities = ["create", "update"] }
path "pki/issue/dev-dot-localhost"   { capabilities = ["create"] }
EOF