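# ArgoCD Sync hook that bootstraps Vault for the External Secrets Operator:
# enables the Kubernetes auth method, mounts a KV v2 engine, and creates a
# read-only policy plus an auth role for the "external-secrets" service
# account in dev-tools. The hook pod is deleted only on success
# (HookSucceeded), so a failed run keeps its logs around for debugging.
apiVersion: batch/v1
kind: Job
metadata:
  name: vault-bootstrap-general
  namespace: dev-tools
  annotations:
    argocd.argoproj.io/hook: Sync
    argocd.argoproj.io/hook-delete-policy: HookSucceeded
    argocd.argoproj.io/sync-wave: "1"
spec:
  backoffLimit: 2
  ttlSecondsAfterFinished: 60
  template:
    spec:
      restartPolicy: OnFailure
      # NOTE(review): no serviceAccountName is set, so the pod runs as the
      # namespace "default" service account; that account's token is what the
      # script hands to Vault as token_reviewer_jwt (see the note there).
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
      containers:
        - name: vault
          image: hashicorp/vault:1.16
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            # The root filesystem is read-only and no writable volume is
            # mounted, so the script must not write files (the policy below
            # is piped to Vault on stdin instead of going through /tmp).
            readOnlyRootFilesystem: true
            capabilities: { drop: ["ALL"] }
          env:
            # WARNING: plaintext http. The admin token in VAULT_TOKEN crosses
            # the cluster network unencrypted on every call. Tolerable only on
            # a throwaway dev cluster; use https (TLS) anywhere else.
            - name: VAULT_ADDR
              value: "http://vault.dev-tools.svc.cluster.local:8200"
            # Admin token for the bootstrap. It needs write access to sys/auth,
            # sys/mounts, sys/policies and auth/kubernetes/*; prefer a token
            # scoped to a bootstrap policy over the root token where possible.
            - name: VAULT_TOKEN
              valueFrom:
                secretKeyRef:
                  name: vault-admin-token
                  key: token
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -euo pipefail

              echo "[general-secrets] wait for vault"
              # `vault status` exits non-zero while Vault is unreachable or
              # sealed; give up after 30 attempts (~60s) so the Job fails
              # visibly instead of hanging.
              i=0
              until vault status >/dev/null 2>&1; do
                i=$((i+1))
                if [ "$i" -gt 30 ]; then
                  echo "vault not ready"
                  exit 1
                fi
                echo "waiting... ($i/30)"
                sleep 2
              done

              echo "[general-secrets] enable & config k8s auth (idempotent)"
              # Enable only when the mount is absent, instead of "|| true":
              # a real failure (permission denied, wrong address) must abort
              # the Job rather than be swallowed. grep without -q so the
              # producer is never hit with SIGPIPE under pipefail.
              if ! vault auth list -format=json | grep '"kubernetes/"' >/dev/null; then
                vault auth enable -path="kubernetes" kubernetes
              fi
              # NOTE(review): token_reviewer_jwt is this pod's own (default SA)
              # token. That SA must be allowed to call the TokenReview API
              # (system:auth-delegator), and on clusters that issue bound,
              # expiring SA tokens the stored JWT goes stale. Newer Vault
              # versions can use Vault's own in-cluster SA token when this
              # field is omitted — confirm against the Vault version and
              # deployment before relying on that.
              vault write auth/kubernetes/config \
                token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
                kubernetes_host="https://kubernetes.default.svc:443" \
                kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt

              echo "[general-secrets] ensure KV v2 mount"
              if ! vault secrets list -format=json | grep '"general-secrets/"' >/dev/null; then
                vault secrets enable -version=2 -path=general-secrets kv
              fi

              echo "[general-secrets] policy"
              # Read-only policy for ESO: list keys and read secret data,
              # nothing else. Written from stdin ("-") because the root
              # filesystem is read-only. A write failure now aborts the Job;
              # the old "|| true" let the role reference a missing policy
              # while the Job still reported success.
              vault policy write eso-general-read - <<'EOF'
              path "general-secrets/metadata/*" {
                capabilities = ["list"]
              }
              path "general-secrets/data/*" {
                capabilities = ["read"]
              }
              EOF

              echo "[general-secrets] role eso-general"
              # Bind to exactly one SA in one namespace. bound_audiences must
              # equal the "aud" claim of the projected token ESO presents; the
              # default audience differs between distributions, so verify it
              # against the cluster's token issuer configuration.
              vault write auth/kubernetes/role/eso-general \
                bound_service_account_names="external-secrets" \
                bound_service_account_namespaces="dev-tools" \
                bound_audiences="https://kubernetes.default.svc" \
                policies="eso-general-read" \
                ttl=1h
              echo "[general-secrets] done"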