Try new structure for cluster secret store

manifests/cluster-secret-store/vault-cicd.yaml

@@ -1,17 +0,0 @@
-apiVersion: external-secrets.io/v1beta1
-kind: ClusterSecretStore
-metadata:
-  name: vault-cicd
-spec:
-  provider:
-    vault:
-      server: http://vault.dev-tools.svc.cluster.local:8200
-      path: cicd
-      version: v2
-      auth:
-        kubernetes:
-          mountPath: kubernetes          # חייב להתאים ל-bootstrap (auth/kubernetes)
-          role: eso-cicd                 # כפי שהגדרנו ב-bootstrap-config.yaml
-          serviceAccountRef:
-            name: external-secrets       # ה-SA של ה-ESO
-            namespace: dev-tools

manifests/cluster-secret-store/vault-cicd/bootstrap-job.yaml

@@ -0,0 +1,77 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: vault-bootstrap-cicd
+  namespace: dev-tools
+  annotations:
+    argocd.argoproj.io/hook: Sync
+    argocd.argoproj.io/hook-delete-policy: HookSucceeded
+    argocd.argoproj.io/sync-wave: "1"
+spec:
+  backoffLimit: 2
+  ttlSecondsAfterFinished: 60
+  template:
+    spec:
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+      containers:
+        - name: vault
+          image: hashicorp/vault:1.16
+          imagePullPolicy: IfNotPresent
+          resources:
+            requests:
+              cpu: 50m
+              memory: 64Mi
+            limits:
+              cpu: 200m
+              memory: 128Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop: ["ALL"]
+          env:
+            - name: VAULT_ADDR
+              value: "http://vault.dev-tools.svc.cluster.local:8200"
+            - name: VAULT_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: vault-admin-token
+                  key: token
+          command: ["/bin/sh","-c"]
+          args:
+            - |
+              set -e
+              echo "[bootstrap for scope cicd]"
+
+              # המתנה לזמינות Vault
+              i=0
+              until vault status >/dev/null 2>&1; do
+                i=$((i+1))
+                if [ "$i" -gt 30 ]; then
+                  echo "Vault is not ready after 30 attempts"; exit 1
+                fi
+                echo "Waiting for Vault... ($i/30)"
+                sleep 2
+              done
+
+              # אם צריך להפעיל KV (בזהירות, רק אם לטוקן יש הרשאות):
+              # vault secrets enable -version=2 -path=cicd kv 2>/dev/null || true
+
+              # מדיניות קריאה בלבד ל-KV v2
+              cat >/tmp/policy.hcl <<'EOF'
+path "cicd/metadata/*" { capabilities = ["list"] }
+path "cicd/data/*"     { capabilities = ["read"] }
+EOF
+              vault policy write eso-cicd-read /tmp/policy.hcl || true
+
+              vault write auth/kubernetes/role/eso-cicd \
+                bound_service_account_names="external-secrets" \
+                bound_service_account_namespaces="dev-tools" \
+                bound_audiences="https://kubernetes.default.svc" \
+                policies="eso-cicd-read" \
+                ttl=1h

manifests/cluster-secret-store/vault-cicd/vault-cicd.yaml

@@ -0,0 +1,19 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: vault-cicd
+  annotations:
+    argocd.argoproj.io/sync-wave: "0"
+spec:
+  provider:
+    vault:
+      server: "http://vault.dev-tools.svc.cluster.local:8200"
+      path: "cicd"
+      version: "v2"
+      auth:
+        kubernetes:
+          mountPath: "kubernetes"
+          role: "eso-cicd"
+          serviceAccountRef:
+            name: "external-secrets"
+            namespace: "dev-tools"