Add vault-secrets app

argocd-apps/vault-secrets.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: vault-secrets
+  namespace: argocd
+spec:
+  project: dev-tools
+  source:
+    repoURL: https://git.dvirlabs.com/dvirlabs/dev-tools.git
+    targetRevision: HEAD
+    path: manifests/secret-seeding
+    directory:
+      recurse: true
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: dev-tools
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true

manifests/external-secrets/clustersecretstore.yaml

@@ -0,0 +1,15 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: vault-backend
+spec:
+  provider:
+    vault:
+      server: "http://vault.dev-tools.svc.cluster.local:8200"
+      path: "secret"
+      version: "v2"
+      auth:
+        tokenSecretRef:
+          name: vault-init
+          key: root-token
+          namespace: dev-tools

manifests/secret-seeding/grafana.yaml

@@ -0,0 +1,26 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: vault-seed-grafana-oidc
+  namespace: dev-tools
+spec:
+  template:
+    spec:
+      restartPolicy: OnFailure
+      containers:
+        - name: seed
+          image: vault:1.15.5
+          command: ["/bin/sh", "-c"]
+          args:
+            - |
+              export VAULT_ADDR=http://vault.dev-tools.svc.cluster.local:8200
+              export VAULT_TOKEN=$(cat /vault/secrets/root-token)
+              vault kv put secret/grafana-oidc client_secret=6mfAtg8ZrioiCZMsbMi4dbZyJk205nRi
+          volumeMounts:
+            - name: vault-token
+              mountPath: /vault/secrets
+              readOnly: true
+      volumes:
+        - name: vault-token
+          secret:
+            secretName: vault-init