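---
# Argo CD Sync hook: one-shot Job that provisions the Vault policy and
# Kubernetes-auth role used by External Secrets to read the
# "general-secrets" KV mount. Deleted once it succeeds (HookSucceeded).
apiVersion: batch/v1
kind: Job
metadata:
  name: vault-bootstrap-general-secrets
  namespace: dev-tools
  annotations:
    argocd.argoproj.io/hook: Sync
    argocd.argoproj.io/hook-delete-policy: HookSucceeded
    argocd.argoproj.io/sync-wave: "1"
spec:
  # With `set -e` in the script, a failed policy write now fails the pod
  # and is retried up to backoffLimit times instead of being masked.
  backoffLimit: 2
  ttlSecondsAfterFinished: 60
  template:
    spec:
      restartPolicy: OnFailure
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: vault
          # NOTE(review): mutable minor tag; pin by digest for a reproducible
          # bootstrap image — <IMAGE_DIGEST placeholder> to be filled in.
          image: hashicorp/vault:1.16
          imagePullPolicy: IfNotPresent
          resources:
            requests:
              cpu: 50m
              memory: 64Mi
            limits:
              cpu: 200m
              memory: 128Mi
          securityContext:
            allowPrivilegeEscalation: false
            # The script no longer writes to /tmp (policy is fed over stdin),
            # so a read-only root filesystem is actually satisfiable here.
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          env:
            - name: VAULT_ADDR
              # NOTE(review): plaintext HTTP — the admin token below is sent
              # unencrypted inside the cluster; confirm this is acceptable for
              # dev-tools or point at the TLS listener.
              value: "http://vault.dev-tools.svc.cluster.local:8200"
            - name: VAULT_TOKEN
              valueFrom:
                secretKeyRef:
                  name: vault-admin-token
                  key: token
          command:
            - /bin/sh
            - -c
          args:
            - |
              set -eu
              echo "[bootstrap for scope general-secrets]"

              # Wait for the Vault API to answer before touching it.
              i=0
              until vault status >/dev/null 2>&1; do
                i=$((i+1))
                if [ "$i" -gt 30 ]; then
                  echo "Vault is not ready after 30 attempts"; exit 1
                fi
                echo "Waiting for Vault... ($i/30)"
                sleep 2
              done

              # Read-only policy for the ESO service account. Fed via stdin
              # ("-") so nothing is written to the read-only root filesystem.
              # NOTE(review): on a KV v2 mount, list requests are served under
              # <mount>/metadata/ — confirm the mount type if listing is needed.
              vault policy write eso-general-secrets-read - <<'EOF'
              path "general-secrets" {
                capabilities = ["list"]
              }
              path "general-secrets/data/*" {
                capabilities = ["read"]
              }
              EOF

              # Bind the policy to the external-secrets SA in dev-tools only.
              # A failure above aborts here (set -e), so the role is never
              # created without its policy.
              vault write auth/kubernetes/role/eso-general-secrets \
                bound_service_account_names="external-secrets" \
                bound_service_account_namespaces="dev-tools" \
                bound_audiences="https://kubernetes.default.svc" \
                policies="eso-general-secrets-read" \
                ttl=1h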