From 1e9dbc2922dfe1827998aba35b1a812ec8c5a88e Mon Sep 17 00:00:00 2001 From: dvirlabs Date: Wed, 1 Oct 2025 11:31:34 +0300 Subject: [PATCH] Fix jobs for css --- .../internal-users/bootstrap-job.yaml | 69 ++++++++++++------- .../oidc/bootstrap-job.yaml | 69 ++++++++++++------- .../vault-general-secrets/bootstrap-job.yaml | 69 ++++++++++++------- 3 files changed, 138 insertions(+), 69 deletions(-) diff --git a/manifests/cluster-secret-store/internal-users/bootstrap-job.yaml b/manifests/cluster-secret-store/internal-users/bootstrap-job.yaml index a82f29b..6d6bd58 100644 --- a/manifests/cluster-secret-store/internal-users/bootstrap-job.yaml +++ b/manifests/cluster-secret-store/internal-users/bootstrap-job.yaml @@ -22,10 +22,19 @@ spec: - name: vault image: hashicorp/vault:1.16 imagePullPolicy: IfNotPresent + resources: + requests: + cpu: 50m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true - capabilities: { drop: ["ALL"] } + capabilities: + drop: + - ALL env: - name: VAULT_ADDR value: "http://vault.dev-tools.svc.cluster.local:8200" 
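Review bot: The `securityContext` under `- name: vault` drops all capabilities and locks the root filesystem but still has no `runAsNonRoot: true` and no `seccompProfile` with `type: RuntimeDefault`, both of which the restricted Pod Security Standard expects and which sit naturally next to `allowPrivilegeEscalation: false`. Because `command:` in the next hunk replaces the image entrypoint, presumably nothing else drops root for this shell, so `runAsNonRoot: true` should be paired with an explicit `runAsUser` for the image's unprivileged user rather than relied on alone. The same applies to the matching hunks in the oidc and vault-general-secrets files. The container spec continues outside the hunk.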
@@ -34,40 +43,54 @@ spec: secretKeyRef: name: vault-admin-token key: token - command: ["/bin/sh","-c"] + command: + - /bin/sh + - -c args: - | - set -euo pipefail + set -e + echo "[bootstrap for scope internal-users]" - echo "[internal-users] wait for vault" - i=0; until vault status >/dev/null 2>&1; do - i=$((i+1)); [ "$i" -gt 30 ] && echo "vault not ready" && exit 1 - echo "waiting... ($i/30)"; sleep 2 + i=0 + until vault status >/dev/null 2>&1; do + i=$((i+1)) + if [ "$i" -gt 30 ]; then + echo "Vault is not ready after 30 attempts"; exit 1 + fi + echo "Waiting for Vault... ($i/30)" + sleep 2 done - echo "[internal-users] enable & config k8s auth (idempotent)" - vault auth enable -path="kubernetes" kubernetes 2>/dev/null || true - vault write auth/kubernetes/config \ - token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \ - kubernetes_host="https://kubernetes.default.svc:443" \ - kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt - - echo "[internal-users] ensure KV v2 mount" - vault secrets enable -version=2 -path=internal-users kv 2>/dev/null || true - - echo "[internal-users] policy" - cat >/tmp/p.hcl <<'EOF' + cat >/tmp/policy.hcl <<'EOF' path "internal-users/metadata/*" { capabilities = ["list"] } path "internal-users/data/*" { capabilities = ["read"] } EOF - vault policy write eso-internal-users-read /tmp/p.hcl || true - echo "[internal-users] role eso-internal-users" + vault policy write eso-internal-users-read /tmp/policy.hcl || true + vault write auth/kubernetes/role/eso-internal-users \ bound_service_account_names="external-secrets" \ bound_service_account_namespaces="dev-tools" \ bound_audiences="https://kubernetes.default.svc" \ policies="eso-internal-users-read" \ ttl=1h - - echo "[internal-users] done" +--- +apiVersion: external-secrets.io/v1beta1 +kind: ClusterSecretStore +metadata: + name: vault-internal-users + annotations: + argocd.argoproj.io/sync-wave: "0" +spec: + provider: + vault: + server: 
"http://vault.dev-tools.svc.cluster.local:8200" + path: "internal-users" + version: "v2" + auth: + kubernetes: + mountPath: "kubernetes" + role: "eso-internal-users" + serviceAccountRef: + name: "external-secrets" + namespace: "dev-tools" diff --git a/manifests/cluster-secret-store/oidc/bootstrap-job.yaml b/manifests/cluster-secret-store/oidc/bootstrap-job.yaml index ecb1e16..d424754 100644 --- a/manifests/cluster-secret-store/oidc/bootstrap-job.yaml +++ b/manifests/cluster-secret-store/oidc/bootstrap-job.yaml @@ -22,10 +22,19 @@ spec: - name: vault image: hashicorp/vault:1.16 imagePullPolicy: IfNotPresent + resources: + requests: + cpu: 50m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true - capabilities: { drop: ["ALL"] } + capabilities: + drop: + - ALL env: - name: VAULT_ADDR value: "http://vault.dev-tools.svc.cluster.local:8200" 
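Review bot: `vault policy write eso-internal-users-read /tmp/policy.hcl || true` swallows a failed policy write, so the role written on the following lines can reference a policy that was never created while the job still exits 0; `vault policy write` overwrites idempotently, so the `|| true` only hides real errors and should go. The heredoc also needs `/tmp` to be writable under the `readOnlyRootFilesystem: true` set in the previous hunk, which depends on an emptyDir at `/tmp` outside this hunk — feeding the policy from stdin, `vault policy write eso-internal-users-read - <<'EOF'`, removes both the temp file and the separate write. With the auth-method and KV-mount setup no longer in this script, `vault write auth/kubernetes/role/eso-internal-users` presumes both are provisioned elsewhere; a one-line comment naming where, or a `vault read auth/kubernetes/config >/dev/null` preflight with a clear message, would make that dependency visible. The new ClusterSecretStore repeats the cleartext `http://` Vault address already used in VAULT_ADDR, so the external-secrets login and every secret read cross the cluster network unencrypted; where TLS is available, the provider's `caBundle`/`caProvider` fields let the store verify it. The same points apply to the oidc and vault-general-secrets hunks.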
@@ -34,40 +43,54 @@ spec: secretKeyRef: name: vault-admin-token key: token - command: ["/bin/sh","-c"] + command: + - /bin/sh + - -c args: - | - set -euo pipefail + set -e + echo "[bootstrap for scope oidc-secrets]" - echo "[oidc-secrets] wait for vault" - i=0; until vault status >/dev/null 2>&1; do - i=$((i+1)); [ "$i" -gt 30 ] && echo "vault not ready" && exit 1 - echo "waiting... ($i/30)"; sleep 2 + i=0 + until vault status >/dev/null 2>&1; do + i=$((i+1)) + if [ "$i" -gt 30 ]; then + echo "Vault is not ready after 30 attempts"; exit 1 + fi + echo "Waiting for Vault... ($i/30)" + sleep 2 done - echo "[oidc-secrets] enable & config k8s auth (idempotent)" - vault auth enable -path="kubernetes" kubernetes 2>/dev/null || true - vault write auth/kubernetes/config \ - token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \ - kubernetes_host="https://kubernetes.default.svc:443" \ - kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt - - echo "[oidc-secrets] ensure KV v2 mount" - vault secrets enable -version=2 -path=oidc-secrets kv 2>/dev/null || true - - echo "[oidc-secrets] policy" - cat >/tmp/p.hcl <<'EOF' + cat >/tmp/policy.hcl <<'EOF' path "oidc-secrets/metadata/*" { capabilities = ["list"] } path "oidc-secrets/data/*" { capabilities = ["read"] } EOF - vault policy write eso-oidc-read /tmp/p.hcl || true - echo "[oidc-secrets] role eso-oidc" + vault policy write eso-oidc-read /tmp/policy.hcl || true + vault write auth/kubernetes/role/eso-oidc \ bound_service_account_names="external-secrets" \ bound_service_account_namespaces="dev-tools" \ bound_audiences="https://kubernetes.default.svc" \ policies="eso-oidc-read" \ ttl=1h - - echo "[oidc-secrets] done" +--- +apiVersion: external-secrets.io/v1beta1 +kind: ClusterSecretStore +metadata: + name: vault-oidc-secrets + annotations: + argocd.argoproj.io/sync-wave: "0" +spec: + provider: + vault: + server: "http://vault.dev-tools.svc.cluster.local:8200" + path: "oidc-secrets" + 
version: "v2" + auth: + kubernetes: + mountPath: "kubernetes" + role: "eso-oidc" + serviceAccountRef: + name: "external-secrets" + namespace: "dev-tools" diff --git a/manifests/cluster-secret-store/vault-general-secrets/bootstrap-job.yaml b/manifests/cluster-secret-store/vault-general-secrets/bootstrap-job.yaml index af43330..4727a28 100644 --- a/manifests/cluster-secret-store/vault-general-secrets/bootstrap-job.yaml +++ b/manifests/cluster-secret-store/vault-general-secrets/bootstrap-job.yaml @@ -22,10 +22,19 @@ spec: - name: vault image: hashicorp/vault:1.16 imagePullPolicy: IfNotPresent + resources: + requests: + cpu: 50m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true - capabilities: { drop: ["ALL"] } + capabilities: + drop: + - ALL env: - name: VAULT_ADDR value: "http://vault.dev-tools.svc.cluster.local:8200" 
@@ -34,40 +43,54 @@ spec: secretKeyRef: name: vault-admin-token key: token - command: ["/bin/sh","-c"] + command: + - /bin/sh + - -c args: - | - set -euo pipefail + set -e + echo "[bootstrap for scope general-secrets]" - echo "[general-secrets] wait for vault" - i=0; until vault status >/dev/null 2>&1; do - i=$((i+1)); [ "$i" -gt 30 ] && echo "vault not ready" && exit 1 - echo "waiting... ($i/30)"; sleep 2 + i=0 + until vault status >/dev/null 2>&1; do + i=$((i+1)) + if [ "$i" -gt 30 ]; then + echo "Vault is not ready after 30 attempts"; exit 1 + fi + echo "Waiting for Vault... ($i/30)" + sleep 2 done - echo "[general-secrets] enable & config k8s auth (idempotent)" - vault auth enable -path="kubernetes" kubernetes 2>/dev/null || true - vault write auth/kubernetes/config \ - token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \ - kubernetes_host="https://kubernetes.default.svc:443" \ - kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt - - echo "[general-secrets] ensure KV v2 mount" - vault secrets enable -version=2 -path=general-secrets kv 2>/dev/null || true - - echo "[general-secrets] policy" - cat >/tmp/p.hcl <<'EOF' + cat >/tmp/policy.hcl <<'EOF' path "general-secrets/metadata/*" { capabilities = ["list"] } path "general-secrets/data/*" { capabilities = ["read"] } EOF - vault policy write eso-general-read /tmp/p.hcl || true - echo "[general-secrets] role eso-general" + vault policy write eso-general-read /tmp/policy.hcl || true + vault write auth/kubernetes/role/eso-general \ bound_service_account_names="external-secrets" \ bound_service_account_namespaces="dev-tools" \ bound_audiences="https://kubernetes.default.svc" \ policies="eso-general-read" \ ttl=1h - - echo "[general-secrets] done" +--- +apiVersion: external-secrets.io/v1beta1 +kind: ClusterSecretStore +metadata: + name: vault-general-secrets + annotations: + argocd.argoproj.io/sync-wave: "0" +spec: + provider: + vault: + server: 
"http://vault.dev-tools.svc.cluster.local:8200" + path: "general-secrets" + version: "v2" + auth: + kubernetes: + mountPath: "kubernetes" + role: "eso-general" + serviceAccountRef: + name: "external-secrets" + namespace: "dev-tools"