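---
# Argo CD Sync hook (wave 1) that bootstraps Vault for External Secrets:
# Kubernetes auth method, KV v2 mount "internal-users", a read-only policy and
# the auth role ESO logs in with. The Job is removed after success
# (hook-delete-policy + ttlSecondsAfterFinished), so it runs on every sync and
# every step is written to be idempotent.
apiVersion: batch/v1
kind: Job
metadata:
  name: vault-bootstrap-internal-users
  namespace: dev-tools
  annotations:
    argocd.argoproj.io/hook: Sync
    argocd.argoproj.io/hook-delete-policy: HookSucceeded
    argocd.argoproj.io/sync-wave: "1"
spec:
  backoffLimit: 2
  ttlSecondsAfterFinished: 60
  template:
    spec:
      restartPolicy: OnFailure
      # No serviceAccountName is set, so the pod runs as the namespace's
      # default service account. Its mounted token is what the script hands to
      # Vault as token_reviewer_jwt below, so that account must be allowed to
      # call TokenReview (system:auth-delegator or equivalent) — confirm.
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
      containers:
        - name: vault
          image: hashicorp/vault:1.16
          imagePullPolicy: IfNotPresent
          # Root filesystem is read-only and no writable volume is mounted, so
          # the script must not write to disk (the policy is passed on stdin).
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          env:
            # Plain HTTP inside the cluster: VAULT_TOKEN is sent unencrypted to
            # Vault. Acceptable only if in-cluster traffic to Vault is trusted
            # or TLS is terminated in front of it.
            - name: VAULT_ADDR
              value: "http://vault.dev-tools.svc.cluster.local:8200"
            # NOTE(review): this is an admin token; a token limited to the
            # sys/auth, sys/mounts, sys/policies and auth/kubernetes paths
            # used below would be least-privilege for a bootstrap job.
            - name: VAULT_TOKEN
              valueFrom:
                secretKeyRef:
                  name: vault-admin-token
                  key: token
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -euo pipefail

              echo "[internal-users] wait for vault"
              # 'vault status' exits non-zero while Vault is unreachable or sealed;
              # give up after 30 attempts (~60s) so the Job fails visibly.
              i=0
              until vault status >/dev/null 2>&1; do
                i=$((i+1))
                if [ "$i" -gt 30 ]; then
                  echo "vault not ready"
                  exit 1
                fi
                echo "waiting... ($i/30)"
                sleep 2
              done

              echo "[internal-users] enable & config k8s auth (idempotent)"
              # 'auth enable' fails when the path already exists, which is the
              # case we tolerate here; the config write below is a plain overwrite.
              vault auth enable -path="kubernetes" kubernetes 2>/dev/null || true
              # NOTE(review): token_reviewer_jwt is this pod's mounted service-account
              # token. On clusters that project bound tokens, the token stops
              # validating once the Job pod is deleted (which happens shortly after
              # success), so confirm Vault can still review ESO tokens afterwards —
              # e.g. omit token_reviewer_jwt so Vault uses its own service-account
              # token, or supply a reviewer token that outlives this Job.
              vault write auth/kubernetes/config \
                token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
                kubernetes_host="https://kubernetes.default.svc:443" \
                kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt

              echo "[internal-users] ensure KV v2 mount"
              vault secrets enable -version=2 -path=internal-users kv 2>/dev/null || true

              echo "[internal-users] policy"
              # Read-only policy: list keys and read secret data, nothing else.
              # Fed on stdin ("-") because the root filesystem is read-only and
              # /tmp is not a writable mount. A failed write must fail the Job
              # (no '|| true'): the role below would otherwise bind to a policy
              # that does not exist.
              vault policy write eso-internal-users-read - <<'EOF'
              path "internal-users/metadata/*" {
                capabilities = ["list"]
              }
              path "internal-users/data/*" {
                capabilities = ["read"]
              }
              EOF

              echo "[internal-users] role eso-internal-users"
              # Only the external-secrets service account in dev-tools may log in
              # through this role, and only with a token minted for the
              # API-server audience; resulting tokens live one hour.
              vault write auth/kubernetes/role/eso-internal-users \
                bound_service_account_names="external-secrets" \
                bound_service_account_namespaces="dev-tools" \
                bound_audiences="https://kubernetes.default.svc" \
                policies="eso-internal-users-read" \
                ttl=1h

              echo "[internal-users] done"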