From 8f0c395c651523ab84d4b1effef7a064e8443232 Mon Sep 17 00:00:00 2001
From: dvirlabs
Date: Fri, 29 Aug 2025 17:38:57 +0300
Subject: [PATCH] Try new structure for cluster secret store

---
 .../cluster-secret-store/vault-cicd.yaml | 17 ----
 .../vault-cicd/bootstrap-job.yaml | 77 +++++++++++++++++++
 .../vault-cicd/vault-cicd.yaml | 19 +++++
 .../vault-general-secrets.yaml | 0
 .../vault-internal-users.yaml | 0
 .../{ => vault-oidc}/vault-oidc-secrets.yaml | 0
 6 files changed, 96 insertions(+), 17 deletions(-)
 delete mode 100644 manifests/cluster-secret-store/vault-cicd.yaml
 create mode 100644 manifests/cluster-secret-store/vault-cicd/bootstrap-job.yaml
 create mode 100644 manifests/cluster-secret-store/vault-cicd/vault-cicd.yaml
 rename manifests/cluster-secret-store/{ => vault-general-secrets}/vault-general-secrets.yaml (100%)
 rename manifests/cluster-secret-store/{ => vault-internal-users}/vault-internal-users.yaml (100%)
 rename manifests/cluster-secret-store/{ => vault-oidc}/vault-oidc-secrets.yaml (100%)

diff --git a/manifests/cluster-secret-store/vault-cicd.yaml b/manifests/cluster-secret-store/vault-cicd.yaml
deleted file mode 100644
index 9f4e58e..0000000
--- a/manifests/cluster-secret-store/vault-cicd.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: external-secrets.io/v1beta1
-kind: ClusterSecretStore
-metadata:
- name: vault-cicd
-spec:
- provider:
- vault:
- server: http://vault.dev-tools.svc.cluster.local:8200
- path: cicd
- version: v2
- auth:
- kubernetes:
- mountPath: kubernetes # חייב להתאים ל-bootstrap (auth/kubernetes)
- role: eso-cicd # כפי שהגדרנו ב-bootstrap-config.yaml
- serviceAccountRef:
- name: external-secrets # ה-SA של ה-ESO
- namespace: dev-tools
diff --git a/manifests/cluster-secret-store/vault-cicd/bootstrap-job.yaml b/manifests/cluster-secret-store/vault-cicd/bootstrap-job.yaml
new file mode 100644
index 0000000..7eaa876
--- /dev/null
+++ b/manifests/cluster-secret-store/vault-cicd/bootstrap-job.yaml
@@ -0,0 +1,77 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: vault-bootstrap-cicd
+ namespace: dev-tools
+ annotations:
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: HookSucceeded
+ argocd.argoproj.io/sync-wave: "1"
+spec:
+ backoffLimit: 2
+ ttlSecondsAfterFinished: 60
+ template:
+ spec:
+ restartPolicy: OnFailure
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ containers:
+ - name: vault
+ image: hashicorp/vault:1.16
+ imagePullPolicy: IfNotPresent
+ resources:
+ requests:
+ cpu: 50m
+ memory: 64Mi
+ limits:
+ cpu: 200m
+ memory: 128Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop: ["ALL"]
+ env:
+ - name: VAULT_ADDR
+ value: "http://vault.dev-tools.svc.cluster.local:8200"
+ - name: VAULT_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: vault-admin-token
+ key: token
+ command: ["/bin/sh","-c"]
+ args:
+ - |
+ set -e
+ echo "[bootstrap for scope cicd]"
+
+ # המתנה לזמינות Vault
+ i=0
+ until vault status >/dev/null 2>&1; do
+ i=$((i+1))
+ if [ "$i" -gt 30 ]; then
+ echo "Vault is not ready after 30 attempts"; exit 1
+ fi
+ echo "Waiting for Vault... ($i/30)"
+ sleep 2
+ done
+
+ # אם צריך להפעיל KV (בזהירות, רק אם לטוקן יש הרשאות):
+ # vault secrets enable -version=2 -path=cicd kv 2>/dev/null || true
+
+ # מדיניות קריאה בלבד ל-KV v2
+ cat >/tmp/policy.hcl <<'EOF'
+path "cicd/metadata/*" { capabilities = ["list"] }
+path "cicd/data/*" { capabilities = ["read"] }
+EOF
+ vault policy write eso-cicd-read /tmp/policy.hcl || true
+
+ vault write auth/kubernetes/role/eso-cicd \
+ bound_service_account_names="external-secrets" \
+ bound_service_account_namespaces="dev-tools" \
+ bound_audiences="https://kubernetes.default.svc" \
+ policies="eso-cicd-read" \
+ ttl=1h
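Review bot: The heredoc body and its terminator in the bootstrap script (`+path "cicd/metadata/*" …`, `+path "cicd/data/*" …`, `+EOF`) appear at column 0 with no indent, unlike every other script line, which ends the `- |` block scalar early and leaves them as stray top-level YAML, so the Job manifest is unlikely to parse at all; indenting them to the script's level keeps them inside the scalar, and because YAML strips the common indent the shell still receives `EOF` at column 0. The script also writes `/tmp/policy.hcl` while `readOnlyRootFilesystem: true` is set and no volume is mounted at `/tmp`, and the `|| true` on the following `vault policy write` hides that failure, so the role would be created referencing a policy that was never written; passing the policy on stdin with `vault policy write eso-cicd-read -` and dropping `|| true` removes both problems. Separately, the Job authenticates with the `vault-admin-token` secret although it only needs to write one policy and one role, so a token limited to those two operations would fit this hook, which re-runs on every sync, better than an admin token.
```yaml
      args:
        - |
          # … unchanged: readiness wait loop …
          vault policy write eso-cicd-read - <<'EOF'
          path "cicd/metadata/*" { capabilities = ["list"] }
          path "cicd/data/*" { capabilities = ["read"] }
          EOF
          # … unchanged: vault write auth/kubernetes/role/eso-cicd …
```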
diff --git a/manifests/cluster-secret-store/vault-cicd/vault-cicd.yaml b/manifests/cluster-secret-store/vault-cicd/vault-cicd.yaml
new file mode 100644
index 0000000..3070cef
--- /dev/null
+++ b/manifests/cluster-secret-store/vault-cicd/vault-cicd.yaml
@@ -0,0 +1,19 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+ name: vault-cicd
+ annotations:
+ argocd.argoproj.io/sync-wave: "0"
+spec:
+ provider:
+ vault:
+ server: "http://vault.dev-tools.svc.cluster.local:8200"
+ path: "cicd"
+ version: "v2"
+ auth:
+ kubernetes:
+ mountPath: "kubernetes"
+ role: "eso-cicd"
+ serviceAccountRef:
+ name: "external-secrets"
+ namespace: "dev-tools"
diff --git a/manifests/cluster-secret-store/vault-general-secrets.yaml b/manifests/cluster-secret-store/vault-general-secrets/vault-general-secrets.yaml
similarity index 100%
rename from manifests/cluster-secret-store/vault-general-secrets.yaml
rename to manifests/cluster-secret-store/vault-general-secrets/vault-general-secrets.yaml
diff --git a/manifests/cluster-secret-store/vault-internal-users.yaml b/manifests/cluster-secret-store/vault-internal-users/vault-internal-users.yaml
similarity index 100%
rename from manifests/cluster-secret-store/vault-internal-users.yaml
rename to manifests/cluster-secret-store/vault-internal-users/vault-internal-users.yaml
diff --git a/manifests/cluster-secret-store/vault-oidc-secrets.yaml b/manifests/cluster-secret-store/vault-oidc/vault-oidc-secrets.yaml
similarity index 100%
rename from manifests/cluster-secret-store/vault-oidc-secrets.yaml
rename to manifests/cluster-secret-store/vault-oidc/vault-oidc-secrets.yaml
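Review bot: `server` in the new vault-cicd.yaml addresses Vault over plain `http://`, so each Kubernetes-auth login sends the `external-secrets` service-account JWT and receives the issued Vault token in cleartext on the cluster network; if the Vault listener offers TLS, switch to `https://` and pin the CA with the provider's `caBundle` or `caProvider` field. The store is also placed at sync-wave `"0"` while the Job that creates role `eso-cicd` runs at wave `"1"`, so on a fresh cluster the store will report a validation failure until that hook finishes and ESO retries; that looks intentional but deserves a comment next to `role`, such as `# created by vault-cicd/bootstrap-job.yaml (sync-wave 1); store stays NotReady until that hook completes`.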