Fix jobs for css

dvirlabs 2025-10-01 11:31:34 +03:00
parent b17cd30ad8
commit 1e9dbc2922
3 changed files with 138 additions and 69 deletions


@ -22,10 +22,19 @@ spec:
- name: vault - name: vault
image: hashicorp/vault:1.16 image: hashicorp/vault:1.16
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 200m
memory: 128Mi
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
capabilities: { drop: ["ALL"] } capabilities:
drop:
- ALL
env: env:
- name: VAULT_ADDR - name: VAULT_ADDR
value: "http://vault.dev-tools.svc.cluster.local:8200" value: "http://vault.dev-tools.svc.cluster.local:8200"
@ -34,40 +43,54 @@ spec:
secretKeyRef: secretKeyRef:
name: vault-admin-token name: vault-admin-token
key: token key: token
command: ["/bin/sh","-c"] command:
- /bin/sh
- -c
args: args:
- | - |
set -euo pipefail set -e
echo "[bootstrap for scope internal-users]"
echo "[internal-users] wait for vault" i=0
i=0; until vault status >/dev/null 2>&1; do until vault status >/dev/null 2>&1; do
i=$((i+1)); [ "$i" -gt 30 ] && echo "vault not ready" && exit 1 i=$((i+1))
echo "waiting... ($i/30)"; sleep 2 if [ "$i" -gt 30 ]; then
echo "Vault is not ready after 30 attempts"; exit 1
fi
echo "Waiting for Vault... ($i/30)"
sleep 2
done done
echo "[internal-users] enable & config k8s auth (idempotent)" cat >/tmp/policy.hcl <<'EOF'
vault auth enable -path="kubernetes" kubernetes 2>/dev/null || true
vault write auth/kubernetes/config \
token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
kubernetes_host="https://kubernetes.default.svc:443" \
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
echo "[internal-users] ensure KV v2 mount"
vault secrets enable -version=2 -path=internal-users kv 2>/dev/null || true
echo "[internal-users] policy"
cat >/tmp/p.hcl <<'EOF'
path "internal-users/metadata/*" { capabilities = ["list"] } path "internal-users/metadata/*" { capabilities = ["list"] }
path "internal-users/data/*" { capabilities = ["read"] } path "internal-users/data/*" { capabilities = ["read"] }
EOF EOF
vault policy write eso-internal-users-read /tmp/p.hcl || true
echo "[internal-users] role eso-internal-users" vault policy write eso-internal-users-read /tmp/policy.hcl || true
vault write auth/kubernetes/role/eso-internal-users \ vault write auth/kubernetes/role/eso-internal-users \
bound_service_account_names="external-secrets" \ bound_service_account_names="external-secrets" \
bound_service_account_namespaces="dev-tools" \ bound_service_account_namespaces="dev-tools" \
bound_audiences="https://kubernetes.default.svc" \ bound_audiences="https://kubernetes.default.svc" \
policies="eso-internal-users-read" \ policies="eso-internal-users-read" \
ttl=1h ttl=1h
---
echo "[internal-users] done" apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: vault-internal-users
annotations:
argocd.argoproj.io/sync-wave: "0"
spec:
provider:
vault:
server: "http://vault.dev-tools.svc.cluster.local:8200"
path: "internal-users"
version: "v2"
auth:
kubernetes:
mountPath: "kubernetes"
role: "eso-internal-users"
serviceAccountRef:
name: "external-secrets"
namespace: "dev-tools"
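Review bot: The `ClusterSecretStore` added after the `---` separator is cluster-scoped and carries no `conditions`, so as far as this section shows, an `ExternalSecret` in any namespace can reference `vault-internal-users` and read `internal-users/data/*` through the `eso-internal-users` role. If only specific namespaces should consume these secrets, restrict the store with `conditions:` and a `namespaces:` list (or a `namespaceSelector`), or use a namespaced `SecretStore` instead. The same applies to `vault-oidc-secrets` and `vault-general-secrets` in the other two files of this commit.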


@ -22,10 +22,19 @@ spec:
- name: vault - name: vault
image: hashicorp/vault:1.16 image: hashicorp/vault:1.16
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 200m
memory: 128Mi
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
capabilities: { drop: ["ALL"] } capabilities:
drop:
- ALL
env: env:
- name: VAULT_ADDR - name: VAULT_ADDR
value: "http://vault.dev-tools.svc.cluster.local:8200" value: "http://vault.dev-tools.svc.cluster.local:8200"
@ -34,40 +43,54 @@ spec:
secretKeyRef: secretKeyRef:
name: vault-admin-token name: vault-admin-token
key: token key: token
command: ["/bin/sh","-c"] command:
- /bin/sh
- -c
args: args:
- | - |
set -euo pipefail set -e
echo "[bootstrap for scope oidc-secrets]"
echo "[oidc-secrets] wait for vault" i=0
i=0; until vault status >/dev/null 2>&1; do until vault status >/dev/null 2>&1; do
i=$((i+1)); [ "$i" -gt 30 ] && echo "vault not ready" && exit 1 i=$((i+1))
echo "waiting... ($i/30)"; sleep 2 if [ "$i" -gt 30 ]; then
echo "Vault is not ready after 30 attempts"; exit 1
fi
echo "Waiting for Vault... ($i/30)"
sleep 2
done done
echo "[oidc-secrets] enable & config k8s auth (idempotent)" cat >/tmp/policy.hcl <<'EOF'
vault auth enable -path="kubernetes" kubernetes 2>/dev/null || true
vault write auth/kubernetes/config \
token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
kubernetes_host="https://kubernetes.default.svc:443" \
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
echo "[oidc-secrets] ensure KV v2 mount"
vault secrets enable -version=2 -path=oidc-secrets kv 2>/dev/null || true
echo "[oidc-secrets] policy"
cat >/tmp/p.hcl <<'EOF'
path "oidc-secrets/metadata/*" { capabilities = ["list"] } path "oidc-secrets/metadata/*" { capabilities = ["list"] }
path "oidc-secrets/data/*" { capabilities = ["read"] } path "oidc-secrets/data/*" { capabilities = ["read"] }
EOF EOF
vault policy write eso-oidc-read /tmp/p.hcl || true
echo "[oidc-secrets] role eso-oidc" vault policy write eso-oidc-read /tmp/policy.hcl || true
vault write auth/kubernetes/role/eso-oidc \ vault write auth/kubernetes/role/eso-oidc \
bound_service_account_names="external-secrets" \ bound_service_account_names="external-secrets" \
bound_service_account_namespaces="dev-tools" \ bound_service_account_namespaces="dev-tools" \
bound_audiences="https://kubernetes.default.svc" \ bound_audiences="https://kubernetes.default.svc" \
policies="eso-oidc-read" \ policies="eso-oidc-read" \
ttl=1h ttl=1h
---
echo "[oidc-secrets] done" apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: vault-oidc-secrets
annotations:
argocd.argoproj.io/sync-wave: "0"
spec:
provider:
vault:
server: "http://vault.dev-tools.svc.cluster.local:8200"
path: "oidc-secrets"
version: "v2"
auth:
kubernetes:
mountPath: "kubernetes"
role: "eso-oidc"
serviceAccountRef:
name: "external-secrets"
namespace: "dev-tools"
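Review bot: Both `VAULT_ADDR` in the Job and `server:` in the new `ClusterSecretStore` use `http://vault.dev-tools.svc.cluster.local:8200`, so the token from `vault-admin-token`, the `external-secrets` ServiceAccount JWT used for login, and the secret values read from `oidc-secrets` all cross the cluster network unencrypted. If Vault has a TLS listener, point both at `https://` and give the store a `caBundle` or `caProvider`; if it does not, a comment above `server:` recording that plaintext is accepted for this environment would help. The other two files in this commit carry the same URL in both places. The container spec begins above the first hunk, so whether a CA is already mounted for the Job is not visible here.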


@ -22,10 +22,19 @@ spec:
- name: vault - name: vault
image: hashicorp/vault:1.16 image: hashicorp/vault:1.16
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 200m
memory: 128Mi
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
capabilities: { drop: ["ALL"] } capabilities:
drop:
- ALL
env: env:
- name: VAULT_ADDR - name: VAULT_ADDR
value: "http://vault.dev-tools.svc.cluster.local:8200" value: "http://vault.dev-tools.svc.cluster.local:8200"
@ -34,40 +43,54 @@ spec:
secretKeyRef: secretKeyRef:
name: vault-admin-token name: vault-admin-token
key: token key: token
command: ["/bin/sh","-c"] command:
- /bin/sh
- -c
args: args:
- | - |
set -euo pipefail set -e
echo "[bootstrap for scope general-secrets]"
echo "[general-secrets] wait for vault" i=0
i=0; until vault status >/dev/null 2>&1; do until vault status >/dev/null 2>&1; do
i=$((i+1)); [ "$i" -gt 30 ] && echo "vault not ready" && exit 1 i=$((i+1))
echo "waiting... ($i/30)"; sleep 2 if [ "$i" -gt 30 ]; then
echo "Vault is not ready after 30 attempts"; exit 1
fi
echo "Waiting for Vault... ($i/30)"
sleep 2
done done
echo "[general-secrets] enable & config k8s auth (idempotent)" cat >/tmp/policy.hcl <<'EOF'
vault auth enable -path="kubernetes" kubernetes 2>/dev/null || true
vault write auth/kubernetes/config \
token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
kubernetes_host="https://kubernetes.default.svc:443" \
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
echo "[general-secrets] ensure KV v2 mount"
vault secrets enable -version=2 -path=general-secrets kv 2>/dev/null || true
echo "[general-secrets] policy"
cat >/tmp/p.hcl <<'EOF'
path "general-secrets/metadata/*" { capabilities = ["list"] } path "general-secrets/metadata/*" { capabilities = ["list"] }
path "general-secrets/data/*" { capabilities = ["read"] } path "general-secrets/data/*" { capabilities = ["read"] }
EOF EOF
vault policy write eso-general-read /tmp/p.hcl || true
echo "[general-secrets] role eso-general" vault policy write eso-general-read /tmp/policy.hcl || true
vault write auth/kubernetes/role/eso-general \ vault write auth/kubernetes/role/eso-general \
bound_service_account_names="external-secrets" \ bound_service_account_names="external-secrets" \
bound_service_account_namespaces="dev-tools" \ bound_service_account_namespaces="dev-tools" \
bound_audiences="https://kubernetes.default.svc" \ bound_audiences="https://kubernetes.default.svc" \
policies="eso-general-read" \ policies="eso-general-read" \
ttl=1h ttl=1h
---
echo "[general-secrets] done" apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: vault-general-secrets
annotations:
argocd.argoproj.io/sync-wave: "0"
spec:
provider:
vault:
server: "http://vault.dev-tools.svc.cluster.local:8200"
path: "general-secrets"
version: "v2"
auth:
kubernetes:
mountPath: "kubernetes"
role: "eso-general"
serviceAccountRef:
name: "external-secrets"
namespace: "dev-tools"
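Review bot: `vault policy write eso-general-read /tmp/policy.hcl || true` cancels the `set -e` at the top of the script for the one step the role depends on: if the policy write fails, the role `eso-general` is still written and the Job exits 0 with a missing or stale policy. `vault policy write` overwrites an existing policy, so the `|| true` is not needed for idempotence; drop it so a failure fails the Job: `vault policy write eso-general-read /tmp/policy.hcl`. The script also went from `set -euo pipefail` to `set -e`; keeping `-u` (`set -eu`) would retain the unset-variable check under `/bin/sh`. The same two lines appear in the `internal-users` and `oidc-secrets` jobs.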