diff --git a/manifests/cluster-secret-store/vault-general-secrets/bootstrap-job.yaml b/manifests/cluster-secret-store/vault-general-secrets/bootstrap-job.yaml
new file mode 100644
index 0000000..30fb90f
--- /dev/null
+++ b/manifests/cluster-secret-store/vault-general-secrets/bootstrap-job.yaml
@@ -0,0 +1,76 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: vault-bootstrap-general-secrets
+ namespace: dev-tools
+ annotations:
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: HookSucceeded
+ argocd.argoproj.io/sync-wave: "1"
+spec:
+ backoffLimit: 2
+ ttlSecondsAfterFinished: 60
+ template:
+ spec:
+ restartPolicy: OnFailure
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ containers:
+ - name: vault
+ image: hashicorp/vault:1.16
+ imagePullPolicy: IfNotPresent
+ resources:
+ requests:
+ cpu: 50m
+ memory: 64Mi
+ limits:
+ cpu: 200m
+ memory: 128Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ env:
+ - name: VAULT_ADDR
+ value: "http://vault.dev-tools.svc.cluster.local:8200"
+ - name: VAULT_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: vault-admin-token
+ key: token
+ command:
+ - /bin/sh
+ - -c
+ args:
+ - |
+ set -e
+ echo "[bootstrap for scope cicd]"
+
+ i=0
+ until vault status >/dev/null 2>&1; do
+ i=$((i+1))
+ if [ "$i" -gt 30 ]; then
+ echo "Vault is not ready after 30 attempts"; exit 1
+ fi
+ echo "Waiting for Vault... ($i/30)"
+ sleep 2
+ done
+
+ cat >/tmp/policy.hcl <<'EOF'
+ path "general-secrets { capabilities = ["list"] }
+ path "general-secrets/data/*" { capabilities = ["read"] }
+ EOF
+
+ vault policy write eso-general-secrets-read /tmp/policy.hcl || true
+
+ vault write auth/kubernetes/role/eso-general-secrets \
+ bound_service_account_names="external-secrets" \
+ bound_service_account_namespaces="dev-tools" \
+ bound_audiences="https://kubernetes.default.svc" \
+ policies="eso-general-secrets-read" \
+ ttl=1h
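Review bot: The first rule of the inline policy has an unterminated string, `path "general-secrets { capabilities = ["list"] }`, so `vault policy write` will reject the file, and the `|| true` on that line swallows the rejection, leaving the job green and the `eso-general-secrets` role bound to a policy name that was never written. The heredoc also writes to `/tmp` under `readOnlyRootFilesystem: true` with no volume mounted there, so the `cat` redirect is likely to fail with a read-only file system error before the policy step is reached. Feeding the policy to `vault policy write eso-general-secrets-read -` on stdin drops the temp file and lets `set -e` stop the job on a malformed policy; whether the list rule belongs on `general-secrets` or the KV v2 `general-secrets/metadata/*` path depends on how the mount is configured and is worth confirming. The `echo "[bootstrap for scope cicd]"` banner looks like a leftover from a sibling job and should name this scope.
```yaml
          - |
            # … unchanged: set -e, banner, readiness loop …
            vault policy write eso-general-secrets-read - <<'EOF'
            path "general-secrets" { capabilities = ["list"] }
            path "general-secrets/data/*" { capabilities = ["read"] }
            EOF

            # … unchanged: vault write auth/kubernetes/role/eso-general-secrets … …
```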