Fix jobs for css

manifests/cluster-secret-store/internal-users/bootstrap-job.yaml

@@ -37,27 +37,37 @@ spec:
           command: ["/bin/sh","-c"]
           args:
             - |
-              set -e
+              set -euo pipefail
-              echo "[bootstrap for scope internal-users]"
 
-              i=0
+              echo "[internal-users] wait for vault"
-              until vault status >/dev/null 2>&1; do
+              i=0; until vault status >/dev/null 2>&1; do
-                i=$((i+1))
+                i=$((i+1)); [ "$i" -gt 30 ] && echo "vault not ready" && exit 1
-                [ "$i" -gt 30 ] && echo "Vault not ready" && exit 1
+                echo "waiting... ($i/30)"; sleep 2
-                echo "Waiting for Vault... ($i/30)"; sleep 2
               done
 
-              # vault secrets enable -version=2 -path=internal-users kv 2>/dev/null || true
+              echo "[internal-users] enable & config k8s auth (idempotent)"
+              vault auth enable -path="kubernetes" kubernetes 2>/dev/null || true
+              vault write auth/kubernetes/config \
+                token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
+                kubernetes_host="https://kubernetes.default.svc:443" \
+                kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
 
-              cat >/tmp/policy.hcl <<'EOF'
+              echo "[internal-users] ensure KV v2 mount"
+              vault secrets enable -version=2 -path=internal-users kv 2>/dev/null || true
+
+              echo "[internal-users] policy"
+              cat >/tmp/p.hcl <<'EOF'
               path "internal-users/metadata/*" { capabilities = ["list"] }
               path "internal-users/data/*"     { capabilities = ["read"] }
               EOF
-              vault policy write eso-internal-users-read /tmp/policy.hcl || true
+              vault policy write eso-internal-users-read /tmp/p.hcl || true
 
+              echo "[internal-users] role eso-internal-users"
               vault write auth/kubernetes/role/eso-internal-users \
                 bound_service_account_names="external-secrets" \
                 bound_service_account_namespaces="dev-tools" \
                 bound_audiences="https://kubernetes.default.svc" \
                 policies="eso-internal-users-read" \
                 ttl=1h
+
+              echo "[internal-users] done"

manifests/cluster-secret-store/internal-users/clustersecretstore.yaml

@@ -9,6 +9,7 @@ spec:
     vault:
       server: "http://vault.dev-tools.svc.cluster.local:8200"
       path: "internal-users"
+      version: "v2"
       auth:
         kubernetes:
           mountPath: "auth/kubernetes"

manifests/cluster-secret-store/oidc/bootstrap-job.yaml

@@ -37,27 +37,37 @@ spec:
           command: ["/bin/sh","-c"]
           args:
             - |
-              set -e
+              set -euo pipefail
-              echo "[bootstrap for scope oidc-secrets]"
 
-              i=0
+              echo "[oidc-secrets] wait for vault"
-              until vault status >/dev/null 2>&1; do
+              i=0; until vault status >/dev/null 2>&1; do
-                i=$((i+1))
+                i=$((i+1)); [ "$i" -gt 30 ] && echo "vault not ready" && exit 1
-                [ "$i" -gt 30 ] && echo "Vault not ready" && exit 1
+                echo "waiting... ($i/30)"; sleep 2
-                echo "Waiting for Vault... ($i/30)"; sleep 2
               done
 
-              # vault secrets enable -version=2 -path=oidc-secrets kv 2>/dev/null || true
+              echo "[oidc-secrets] enable & config k8s auth (idempotent)"
+              vault auth enable -path="kubernetes" kubernetes 2>/dev/null || true
+              vault write auth/kubernetes/config \
+                token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
+                kubernetes_host="https://kubernetes.default.svc:443" \
+                kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
 
-              cat >/tmp/policy.hcl <<'EOF'
+              echo "[oidc-secrets] ensure KV v2 mount"
+              vault secrets enable -version=2 -path=oidc-secrets kv 2>/dev/null || true
+
+              echo "[oidc-secrets] policy"
+              cat >/tmp/p.hcl <<'EOF'
               path "oidc-secrets/metadata/*" { capabilities = ["list"] }
               path "oidc-secrets/data/*"     { capabilities = ["read"] }
               EOF
-              vault policy write eso-oidc-read /tmp/policy.hcl || true
+              vault policy write eso-oidc-read /tmp/p.hcl || true
 
+              echo "[oidc-secrets] role eso-oidc"
               vault write auth/kubernetes/role/eso-oidc \
                 bound_service_account_names="external-secrets" \
                 bound_service_account_namespaces="dev-tools" \
                 bound_audiences="https://kubernetes.default.svc" \
                 policies="eso-oidc-read" \
                 ttl=1h
+
+              echo "[oidc-secrets] done"

manifests/cluster-secret-store/vault-general-secrets/bootstrap-job.yaml

@@ -1,7 +1,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: vault-bootstrap-general-secrets
+  name: vault-bootstrap-general
   namespace: dev-tools
   annotations:
     argocd.argoproj.io/hook: Sync
@@ -22,19 +22,10 @@ spec:
         - name: vault
           image: hashicorp/vault:1.16
           imagePullPolicy: IfNotPresent
-          resources:
-            requests:
-              cpu: 50m
-              memory: 64Mi
-            limits:
-              cpu: 200m
-              memory: 128Mi
           securityContext:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
-            capabilities:
+            capabilities: { drop: ["ALL"] }
-              drop:
-                - ALL
           env:
             - name: VAULT_ADDR
               value: "http://vault.dev-tools.svc.cluster.local:8200"
@@ -43,34 +34,40 @@ spec:
                 secretKeyRef:
                   name: vault-admin-token
                   key: token
-          command:
+          command: ["/bin/sh","-c"]
-            - /bin/sh
-            - -c
           args:
             - |
-              set -e
+              set -euo pipefail
-              echo "[bootstrap for scope cicd]"
 
-              i=0
+              echo "[general-secrets] wait for vault"
-              until vault status >/dev/null 2>&1; do
+              i=0; until vault status >/dev/null 2>&1; do
-                i=$((i+1))
+                i=$((i+1)); [ "$i" -gt 30 ] && echo "vault not ready" && exit 1
-                if [ "$i" -gt 30 ]; then
+                echo "waiting... ($i/30)"; sleep 2
-                  echo "Vault is not ready after 30 attempts"; exit 1
-                fi
-                echo "Waiting for Vault... ($i/30)"
-                sleep 2
               done
 
-              cat >/tmp/policy.hcl <<'EOF'
+              echo "[general-secrets] enable & config k8s auth (idempotent)"
-              path "general-secrets { capabilities = ["list"] }
+              vault auth enable -path="kubernetes" kubernetes 2>/dev/null || true
+              vault write auth/kubernetes/config \
+                token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
+                kubernetes_host="https://kubernetes.default.svc:443" \
+                kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+
+              echo "[general-secrets] ensure KV v2 mount"
+              vault secrets enable -version=2 -path=general-secrets kv 2>/dev/null || true
+
+              echo "[general-secrets] policy"
+              cat >/tmp/p.hcl <<'EOF'
+              path "general-secrets/metadata/*" { capabilities = ["list"] }
               path "general-secrets/data/*"     { capabilities = ["read"] }
               EOF
+              vault policy write eso-general-read /tmp/p.hcl || true
 
-              vault policy write eso-general-secrets-read /tmp/policy.hcl || true
+              echo "[general-secrets] role eso-general"
-
+              vault write auth/kubernetes/role/eso-general \
-              vault write auth/kubernetes/role/eso-general-secrets \
                 bound_service_account_names="external-secrets" \
                 bound_service_account_namespaces="dev-tools" \
                 bound_audiences="https://kubernetes.default.svc" \
-                policies="eso-general-secrets-read" \
+                policies="eso-general-read" \
                 ttl=1h
+
+              echo "[general-secrets] done"

manifests/cluster-secret-store/vault-general-secrets/clustersecretstore.yaml

@@ -2,16 +2,18 @@ apiVersion: external-secrets.io/v1beta1
 kind: ClusterSecretStore
 metadata:
   name: vault-general-secrets
+  annotations:
+    argocd.argoproj.io/sync-wave: "2"
 spec:
   provider:
     vault:
-      server: http://vault.dev-tools.svc.cluster.local:8200
+      server: "http://vault.dev-tools.svc.cluster.local:8200"
-      path: general-secrets
+      path: "general-secrets"
-      version: v2
+      version: "v2"
       auth:
         kubernetes:
-          mountPath: kubernetes
+          mountPath: "auth/kubernetes"
-          role: eso-general
+          role: "eso-general"
           serviceAccountRef:
             name: external-secrets
             namespace: dev-tools