#!/usr/bin/env bash
# Generate a short-lived kubeconfig from Vault K8s secrets engine.
# Requires: vault login -method=oidc (or VAULT_TOKEN set)
set -euo pipefail

TOKEN=$(vault write -format=json kubernetes/creds/local-admin kubernetes_namespace=default | jq -r .data.service_account_token)
kubectl config set-credentials vault-admin --token="$TOKEN"
kubectl config set-context vault --cluster=kubernetes --user=vault-admin
kubectl config use-context vault
echo "Kubeconfig set with 1h token"