diff --git a/manifests/cluster-secret-store/internal-users/bootstrap-job.yaml b/manifests/cluster-secret-store/internal-users/bootstrap-job.yaml
index 223ddce..a82f29b 100644
--- a/manifests/cluster-secret-store/internal-users/bootstrap-job.yaml
+++ b/manifests/cluster-secret-store/internal-users/bootstrap-job.yaml
@@ -37,27 +37,37 @@ spec:
 command: ["/bin/sh","-c"]
 args:
 - |
- set -e
- echo "[bootstrap for scope internal-users]"
+ set -euo pipefail
- i=0
- until vault status >/dev/null 2>&1; do
- i=$((i+1))
- [ "$i" -gt 30 ] && echo "Vault not ready" && exit 1
- echo "Waiting for Vault... ($i/30)"; sleep 2
+ echo "[internal-users] wait for vault"
+ i=0; until vault status >/dev/null 2>&1; do
+ i=$((i+1)); [ "$i" -gt 30 ] && echo "vault not ready" && exit 1
+ echo "waiting... ($i/30)"; sleep 2
 done
- # vault secrets enable -version=2 -path=internal-users kv 2>/dev/null || true
+ echo "[internal-users] enable & config k8s auth (idempotent)"
+ vault auth enable -path="kubernetes" kubernetes 2>/dev/null || true
+ vault write auth/kubernetes/config \
+ token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
+ kubernetes_host="https://kubernetes.default.svc:443" \
+ kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- cat >/tmp/policy.hcl <<'EOF'
+ echo "[internal-users] ensure KV v2 mount"
+ vault secrets enable -version=2 -path=internal-users kv 2>/dev/null || true
+
+ echo "[internal-users] policy"
+ cat >/tmp/p.hcl <<'EOF'
 path "internal-users/metadata/*" { capabilities = ["list"] }
 path "internal-users/data/*" { capabilities = ["read"] }
 EOF
- vault policy write eso-internal-users-read /tmp/policy.hcl || true
+ vault policy write eso-internal-users-read /tmp/p.hcl || true
+ echo "[internal-users] role eso-internal-users"
 vault write auth/kubernetes/role/eso-internal-users \
 bound_service_account_names="external-secrets" \
 bound_service_account_namespaces="dev-tools" \
 bound_audiences="https://kubernetes.default.svc" \
 policies="eso-internal-users-read" \
 ttl=1h
+
+ echo "[internal-users] done"
diff --git a/manifests/cluster-secret-store/internal-users/clustersecretstore.yaml b/manifests/cluster-secret-store/internal-users/clustersecretstore.yaml
index 1b1c02b..41da4f4 100644
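Review bot: The new `vault write auth/kubernetes/config` stores this Job's own service-account token as `token_reviewer_jwt`, and the oidc and general-secrets bootstrap hunks run the same command against the same single mount, so three Sync hooks each overwrite one global reviewer credential; whichever token was written last is the one Vault uses for every scope's TokenReview, and if it is a projected token with an expiry, or its service account lacks the `system:auth-delegator` ClusterRole, logins for all three stores fail together. Configuring the mount once from a dedicated bootstrap and omitting `token_reviewer_jwt` (Vault then reviews tokens with its own service account, which needs the auth-delegator binding instead) removes both the last-writer race and the long-lived token copy held in Vault. Separately, `vault policy write eso-internal-users-read /tmp/p.hcl || true` undoes the intent of the new `set -euo pipefail`: a rejected policy is swallowed and the role written two lines below still references it, so drop the `|| true` (the command is already idempotent), and `vault policy write eso-internal-users-read - <<'EOF'` reads the policy from stdin, which also avoids depending on a writable `/tmp` if this container sets `readOnlyRootFilesystem: true` as the general-secrets one does. The container spec this script belongs to starts above the hunk.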
--- a/manifests/cluster-secret-store/internal-users/clustersecretstore.yaml
+++ b/manifests/cluster-secret-store/internal-users/clustersecretstore.yaml
@@ -9,6 +9,7 @@ spec:
 vault:
 server: "http://vault.dev-tools.svc.cluster.local:8200"
 path: "internal-users"
+ version: "v2"
 auth:
 kubernetes:
 mountPath: "auth/kubernetes"
diff --git a/manifests/cluster-secret-store/oidc/bootstrap-job.yaml b/manifests/cluster-secret-store/oidc/bootstrap-job.yaml
index 3ffd287..ecb1e16 100644
--- a/manifests/cluster-secret-store/oidc/bootstrap-job.yaml
+++ b/manifests/cluster-secret-store/oidc/bootstrap-job.yaml
@@ -37,27 +37,37 @@ spec:
 command: ["/bin/sh","-c"]
 args:
 - |
- set -e
- echo "[bootstrap for scope oidc-secrets]"
+ set -euo pipefail
- i=0
- until vault status >/dev/null 2>&1; do
- i=$((i+1))
- [ "$i" -gt 30 ] && echo "Vault not ready" && exit 1
- echo "Waiting for Vault... ($i/30)"; sleep 2
+ echo "[oidc-secrets] wait for vault"
+ i=0; until vault status >/dev/null 2>&1; do
+ i=$((i+1)); [ "$i" -gt 30 ] && echo "vault not ready" && exit 1
+ echo "waiting... ($i/30)"; sleep 2
 done
- # vault secrets enable -version=2 -path=oidc-secrets kv 2>/dev/null || true
+ echo "[oidc-secrets] enable & config k8s auth (idempotent)"
+ vault auth enable -path="kubernetes" kubernetes 2>/dev/null || true
+ vault write auth/kubernetes/config \
+ token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
+ kubernetes_host="https://kubernetes.default.svc:443" \
+ kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- cat >/tmp/policy.hcl <<'EOF'
+ echo "[oidc-secrets] ensure KV v2 mount"
+ vault secrets enable -version=2 -path=oidc-secrets kv 2>/dev/null || true
+
+ echo "[oidc-secrets] policy"
+ cat >/tmp/p.hcl <<'EOF'
 path "oidc-secrets/metadata/*" { capabilities = ["list"] }
 path "oidc-secrets/data/*" { capabilities = ["read"] }
 EOF
- vault policy write eso-oidc-read /tmp/policy.hcl || true
+ vault policy write eso-oidc-read /tmp/p.hcl || true
+ echo "[oidc-secrets] role eso-oidc"
 vault write auth/kubernetes/role/eso-oidc \
 bound_service_account_names="external-secrets" \
 bound_service_account_namespaces="dev-tools" \
 bound_audiences="https://kubernetes.default.svc" \
 policies="eso-oidc-read" \
 ttl=1h
+
+ echo "[oidc-secrets] done"
diff --git a/manifests/cluster-secret-store/vault-general-secrets/bootstrap-job.yaml b/manifests/cluster-secret-store/vault-general-secrets/bootstrap-job.yaml
index 30fb90f..af43330 100644
--- a/manifests/cluster-secret-store/vault-general-secrets/bootstrap-job.yaml
+++ b/manifests/cluster-secret-store/vault-general-secrets/bootstrap-job.yaml
@@ -1,7 +1,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
- name: vault-bootstrap-general-secrets
+ name: vault-bootstrap-general
 namespace: dev-tools
 annotations:
 argocd.argoproj.io/hook: Sync
@@ -22,19 +22,10 @@ spec:
 - name: vault
 image: hashicorp/vault:1.16
 imagePullPolicy: IfNotPresent
- resources:
- requests:
- cpu: 50m
- memory: 64Mi
- limits:
- cpu: 200m
- memory: 128Mi
 securityContext:
 allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
- capabilities:
- drop:
- - ALL
+ capabilities: { drop: ["ALL"] }
 env:
 - name: VAULT_ADDR
 value: "http://vault.dev-tools.svc.cluster.local:8200"
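Review bot: Dropping the `resources` block leaves the `vault` container with no CPU or memory requests and limits, so a namespace `LimitRange` or `ResourceQuota` that requires them rejects the pod at admission and the Argo CD Sync hook fails before any Vault configuration runs; a hook Job is also the kind of workload a memory cap protects the node from. If the removal is deliberate, a comment above `securityContext:` saying why, or a minimal `resources: { requests: { cpu: 50m, memory: 64Mi }, limits: { cpu: 200m, memory: 128Mi } }`, would keep it from being re-added blindly. The rename in the first hunk from `vault-bootstrap-general-secrets` to `vault-bootstrap-general` presumably leaves a completed Job of the old name behind unless a hook-delete-policy outside this hunk covers it. The flow-style `capabilities: { drop: ["ALL"] }` is valid but differs from the block style used for the rest of `securityContext`.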
@@ -43,34 +34,40 @@ spec:
 secretKeyRef:
 name: vault-admin-token
 key: token
- command:
- - /bin/sh
- - -c
+ command: ["/bin/sh","-c"]
 args:
 - |
- set -e
- echo "[bootstrap for scope cicd]"
+ set -euo pipefail
- i=0
- until vault status >/dev/null 2>&1; do
- i=$((i+1))
- if [ "$i" -gt 30 ]; then
- echo "Vault is not ready after 30 attempts"; exit 1
- fi
- echo "Waiting for Vault... ($i/30)"
- sleep 2
+ echo "[general-secrets] wait for vault"
+ i=0; until vault status >/dev/null 2>&1; do
+ i=$((i+1)); [ "$i" -gt 30 ] && echo "vault not ready" && exit 1
+ echo "waiting... ($i/30)"; sleep 2
 done
- cat >/tmp/policy.hcl <<'EOF'
- path "general-secrets { capabilities = ["list"] }
+ echo "[general-secrets] enable & config k8s auth (idempotent)"
+ vault auth enable -path="kubernetes" kubernetes 2>/dev/null || true
+ vault write auth/kubernetes/config \
+ token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
+ kubernetes_host="https://kubernetes.default.svc:443" \
+ kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+
+ echo "[general-secrets] ensure KV v2 mount"
+ vault secrets enable -version=2 -path=general-secrets kv 2>/dev/null || true
+
+ echo "[general-secrets] policy"
+ cat >/tmp/p.hcl <<'EOF'
+ path "general-secrets/metadata/*" { capabilities = ["list"] }
 path "general-secrets/data/*" { capabilities = ["read"] }
 EOF
+ vault policy write eso-general-read /tmp/p.hcl || true
- vault policy write eso-general-secrets-read /tmp/policy.hcl || true
-
- vault write auth/kubernetes/role/eso-general-secrets \
+ echo "[general-secrets] role eso-general"
+ vault write auth/kubernetes/role/eso-general \
 bound_service_account_names="external-secrets" \
 bound_service_account_namespaces="dev-tools" \
 bound_audiences="https://kubernetes.default.svc" \
- policies="eso-general-secrets-read" \
+ policies="eso-general-read" \
 ttl=1h
+
+ echo "[general-secrets] done"
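Review bot: Renaming the Vault role to `eso-general` and its policy to `eso-general-read` leaves the previous `auth/kubernetes/role/eso-general-secrets` role and `eso-general-secrets-read` policy in Vault on any cluster where the earlier Job ran, since nothing in the script deletes them; the old role binds the same `external-secrets` service account, so it stays a working login path that no manifest describes any more. Add a one-time cleanup before the new role is written, such as `vault delete auth/kubernetes/role/eso-general-secrets 2>/dev/null || true` and `vault policy delete eso-general-secrets-read 2>/dev/null || true`, or state in a comment that the old objects are removed by hand. The `auth/kubernetes/config` overwrite with this Job's own token and the `|| true` on `vault policy write` carry the same problems raised on the internal-users hunk. The container spec this script belongs to, including the `vault-admin-token` env wiring, starts above the hunk.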
diff --git a/manifests/cluster-secret-store/vault-general-secrets/clustersecretstore.yaml b/manifests/cluster-secret-store/vault-general-secrets/clustersecretstore.yaml
index 894c20d..8ccb40c 100644
--- a/manifests/cluster-secret-store/vault-general-secrets/clustersecretstore.yaml
+++ b/manifests/cluster-secret-store/vault-general-secrets/clustersecretstore.yaml
@@ -2,16 +2,18 @@ apiVersion: external-secrets.io/v1beta1
 kind: ClusterSecretStore
 metadata:
 name: vault-general-secrets
+ annotations:
+ argocd.argoproj.io/sync-wave: "2"
 spec:
 provider:
 vault:
- server: http://vault.dev-tools.svc.cluster.local:8200
- path: general-secrets
- version: v2
+ server: "http://vault.dev-tools.svc.cluster.local:8200"
+ path: "general-secrets"
+ version: "v2"
 auth:
 kubernetes:
- mountPath: kubernetes
- role: eso-general
+ mountPath: "auth/kubernetes"
+ role: "eso-general"
 serviceAccountRef:
 name: external-secrets
 namespace: dev-tools
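Review bot: `mountPath: "auth/kubernetes"` should be verified against the External Secrets Vault provider documentation before this merges: its Kubernetes-auth examples give the mount name alone (`mountPath: "kubernetes"`, which is what this line replaced), and if ESO prepends `auth/` itself the login lands on `auth/auth/kubernetes/login` and every fetch through this store fails, with the same value already present in the internal-users store. If the intended change here was only the quoting and the `sync-wave` annotation, keep `mountPath: "kubernetes"`; otherwise note in a comment which ESO release was confirmed to accept the prefixed form. The quoting of `server`, `path` and `version` is the right call since `v2` and the URL are strings either way.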