From d23b858b7bde7ffac5a63db9062226c9abe29a9a Mon Sep 17 00:00:00 2001 From: dvirlabs <114520947+dvirlabs@users.noreply.github.com> Date: Sun, 28 Sep 2025 22:36:12 +0300 Subject: [PATCH] Add jobs for oidc and internal-users --- .../internal-users/bootstrap-job.yaml | 63 +++++++++++++++++++ .../internal-users/clustersecretstore.yaml | 11 ++-- .../oidc/bootstrap-job.yaml | 63 +++++++++++++++++++ .../oidc/clustersecretstore.yaml | 12 ++-- 4 files changed, 139 insertions(+), 10 deletions(-) create mode 100644 manifests/cluster-secret-store/internal-users/bootstrap-job.yaml create mode 100644 manifests/cluster-secret-store/oidc/bootstrap-job.yaml diff --git a/manifests/cluster-secret-store/internal-users/bootstrap-job.yaml b/manifests/cluster-secret-store/internal-users/bootstrap-job.yaml new file mode 100644 index 0000000..223ddce --- /dev/null +++ b/manifests/cluster-secret-store/internal-users/bootstrap-job.yaml 
@@ -0,0 +1,63 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: vault-bootstrap-internal-users
+ namespace: dev-tools
+ annotations:
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: HookSucceeded
+ argocd.argoproj.io/sync-wave: "1"
+spec:
+ backoffLimit: 2
+ ttlSecondsAfterFinished: 60
+ template:
+ spec:
+ restartPolicy: OnFailure
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ containers:
+ - name: vault
+ image: hashicorp/vault:1.16
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities: { drop: ["ALL"] }
+ env:
+ - name: VAULT_ADDR
+ value: "http://vault.dev-tools.svc.cluster.local:8200"
+ - name: VAULT_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: vault-admin-token
+ key: token
+ command: ["/bin/sh","-c"]
+ args:
+ - |
+ set -e
+ echo "[bootstrap for scope internal-users]"
+
+ i=0
+ until vault status >/dev/null 2>&1; do
+ i=$((i+1))
+ [ "$i" -gt 30 ] && echo "Vault not ready" && exit 1
+ echo "Waiting for Vault... ($i/30)"; sleep 2
+ done
+
+ # vault secrets enable -version=2 -path=internal-users kv 2>/dev/null || true
+
+ cat >/tmp/policy.hcl <<'EOF'
+ path "internal-users/metadata/*" { capabilities = ["list"] }
+ path "internal-users/data/*" { capabilities = ["read"] }
+ EOF
+ vault policy write eso-internal-users-read /tmp/policy.hcl || true
+
+ vault write auth/kubernetes/role/eso-internal-users \
+ bound_service_account_names="external-secrets" \
+ bound_service_account_namespaces="dev-tools" \
+ bound_audiences="https://kubernetes.default.svc" \
+ policies="eso-internal-users-read" \
+ ttl=1h
diff --git a/manifests/cluster-secret-store/internal-users/clustersecretstore.yaml b/manifests/cluster-secret-store/internal-users/clustersecretstore.yaml
index 8e56ca0..1b1c02b 100644
--- a/manifests/cluster-secret-store/internal-users/clustersecretstore.yaml
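Review bot: The script's `cat >/tmp/policy.hcl` will fail with a read-only file system error, because the container sets `readOnlyRootFilesystem: true` and no emptyDir is mounted at /tmp; under `set -e` the Job then aborts before either the policy or the role is written, and as an ArgoCD Sync hook that fails the whole sync. Feed the policy to the CLI on stdin instead: replace the `cat` line with `vault policy write eso-internal-users-read - <<'EOF'` and delete the later `vault policy write eso-internal-users-read /tmp/policy.hcl || true` line. Dropping the `|| true` is deliberate: a swallowed policy-write failure would leave the role pointing at a policy name Vault does not validate at role-creation time, so ESO logins would succeed while every read is denied, which is much harder to debug than a failed Job. Separately, the Job runs with `vault-admin-token`, a broad credential for writing one policy and one role; a token limited to `sys/policies/acl/eso-*` and `auth/kubernetes/role/eso-*` would bound the blast radius if the hook pod or that Secret is ever compromised.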
+++ b/manifests/cluster-secret-store/internal-users/clustersecretstore.yaml @@ -2,16 +2,17 @@ apiVersion: external-secrets.io/v1beta1 kind: ClusterSecretStore metadata: name: vault-internal-users + annotations: + argocd.argoproj.io/sync-wave: "2" spec: provider: vault: - server: http://vault.dev-tools.svc.cluster.local:8200 - path: internal-users - version: v2 + server: "http://vault.dev-tools.svc.cluster.local:8200" + path: "internal-users" auth: kubernetes: - mountPath: kubernetes - role: eso-internal-users + mountPath: "auth/kubernetes" + role: "eso-internal-users" serviceAccountRef: name: external-secrets namespace: dev-tools diff --git a/manifests/cluster-secret-store/oidc/bootstrap-job.yaml b/manifests/cluster-secret-store/oidc/bootstrap-job.yaml new file mode 100644 index 0000000..3ffd287 --- /dev/null +++ b/manifests/cluster-secret-store/oidc/bootstrap-job.yaml 
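Review bot: `mountPath: "auth/kubernetes"` looks like a regression from the previous `kubernetes`: as far as I can tell ESO's Vault provider passes this value to the Vault SDK Kubernetes auth method, which prefixes `auth/` itself when building the login path, so the login would be attempted at `auth/auth/kubernetes/login` instead of the `auth/kubernetes` mount whose role `eso-internal-users` the bootstrap Job writes; please verify against the ESO release in use and, if confirmed, restore `mountPath: "kubernetes"`. The hunk also drops `version: v2` here while the sibling oidc store keeps `version: "v2"`; ESO defaults to v2 as far as I know, but keeping the line explicit keeps the two stores consistent and matches the `metadata/`/`data/` paths the policy grants. Note that `server` is still plain `http://`, so the Vault token ESO obtains and every secret it reads cross the cluster network unencrypted; a TLS listener plus `caProvider`/`caBundle` on the store is the usual remedy, outside the scope of this commit.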
@@ -0,0 +1,63 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: vault-bootstrap-oidc
+ namespace: dev-tools
+ annotations:
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: HookSucceeded
+ argocd.argoproj.io/sync-wave: "1"
+spec:
+ backoffLimit: 2
+ ttlSecondsAfterFinished: 60
+ template:
+ spec:
+ restartPolicy: OnFailure
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ containers:
+ - name: vault
+ image: hashicorp/vault:1.16
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities: { drop: ["ALL"] }
+ env:
+ - name: VAULT_ADDR
+ value: "http://vault.dev-tools.svc.cluster.local:8200"
+ - name: VAULT_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: vault-admin-token
+ key: token
+ command: ["/bin/sh","-c"]
+ args:
+ - |
+ set -e
+ echo "[bootstrap for scope oidc-secrets]"
+
+ i=0
+ until vault status >/dev/null 2>&1; do
+ i=$((i+1))
+ [ "$i" -gt 30 ] && echo "Vault not ready" && exit 1
+ echo "Waiting for Vault... ($i/30)"; sleep 2
+ done
+
+ # vault secrets enable -version=2 -path=oidc-secrets kv 2>/dev/null || true
+
+ cat >/tmp/policy.hcl <<'EOF'
+ path "oidc-secrets/metadata/*" { capabilities = ["list"] }
+ path "oidc-secrets/data/*" { capabilities = ["read"] }
+ EOF
+ vault policy write eso-oidc-read /tmp/policy.hcl || true
+
+ vault write auth/kubernetes/role/eso-oidc \
+ bound_service_account_names="external-secrets" \
+ bound_service_account_namespaces="dev-tools" \
+ bound_audiences="https://kubernetes.default.svc" \
+ policies="eso-oidc-read" \
+ ttl=1h
diff --git a/manifests/cluster-secret-store/oidc/clustersecretstore.yaml b/manifests/cluster-secret-store/oidc/clustersecretstore.yaml
index 6f997d2..88b872f 100644
--- a/manifests/cluster-secret-store/oidc/clustersecretstore.yaml
+++ b/manifests/cluster-secret-store/oidc/clustersecretstore.yaml
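Review bot: As in the internal-users Job, `cat >/tmp/policy.hcl` conflicts with `readOnlyRootFilesystem: true` (no volume is mounted at /tmp), so under `set -e` the script aborts before writing the policy or the role; use `vault policy write eso-oidc-read - <<'EOF'` in place of the `cat` line and drop the follow-up `vault policy write eso-oidc-read /tmp/policy.hcl || true`, or mount an emptyDir at /tmp. `bound_audiences="https://kubernetes.default.svc"` only works if the token ESO presents carries exactly that `aud` claim; ESO obtains its service-account token via TokenRequest with an audience that depends on `serviceAccountRef.audiences` and the ESO version, so confirm the two agree or every login will be rejected with an audience mismatch. The two bootstrap Jobs are identical apart from the scope names, which invites drift; for instance both leave the `vault secrets enable` line commented out, so nothing in this commit guarantees the `oidc-secrets` KV mount exists before ESO tries to read it, and a single Job looping over the scopes (or a Kustomize/Helm template) would keep such fixes in one place.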
@@ -2,16 +2,18 @@ apiVersion: external-secrets.io/v1beta1 kind: ClusterSecretStore metadata: name: vault-oidc-secrets + annotations: + argocd.argoproj.io/sync-wave: "2" spec: provider: vault: - server: http://vault.dev-tools.svc.cluster.local:8200 - path: oidc-secrets - version: v2 + server: "http://vault.dev-tools.svc.cluster.local:8200" + path: "oidc-secrets" + version: "v2" auth: kubernetes: - mountPath: kubernetes - role: eso-oidc + mountPath: "auth/kubernetes" + role: "eso-oidc" serviceAccountRef: name: external-secrets namespace: dev-tools
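Review bot: Same concern as the internal-users store: changing `mountPath` from `kubernetes` to `"auth/kubernetes"` most likely yields a login path of `auth/auth/kubernetes/login`, because ESO's Vault Kubernetes auth adds the `auth/` prefix itself; unless the ESO release in use documents otherwise, revert to `mountPath: "kubernetes"` so the login reaches the mount whose role `eso-oidc` the bootstrap Job writes. The `role` value and the Job's `auth/kubernetes/role/eso-oidc` do agree, so nothing else needs to change once the mount path is fixed. I would also record the coupling with a comment above `auth:`, e.g. `# mountPath + role must match auth/kubernetes/role/eso-oidc written by the vault-bootstrap-oidc Job`, since a mismatch only surfaces as a runtime login failure.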