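# One-shot Argo CD Sync hook (wave 1) that provisions, in Vault, the read-only
# ACL policy and the Kubernetes-auth role that External Secrets in `dev-tools`
# uses to read the `internal-users` KV v2 mount. On success the Job is deleted
# by Argo CD; a failed run is left in place so its logs can be inspected.
apiVersion: batch/v1
kind: Job
metadata:
  name: vault-bootstrap-internal-users
  namespace: dev-tools
  annotations:
    argocd.argoproj.io/hook: Sync
    argocd.argoproj.io/hook-delete-policy: HookSucceeded
    argocd.argoproj.io/sync-wave: "1"
spec:
  backoffLimit: 2
  ttlSecondsAfterFinished: 60
  template:
    spec:
      restartPolicy: OnFailure
      # The script authenticates to Vault with VAULT_TOKEN only and never
      # calls the Kubernetes API, so do not mount a projected SA token.
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: vault
          image: hashicorp/vault:1.16
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            # Nothing in the script writes to disk: the policy is fed to the
            # vault CLI on stdin instead of being staged under /tmp, which a
            # read-only root filesystem would reject (no emptyDir is mounted).
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          env:
            # NOTE(review): plain HTTP in-cluster -- the privileged token below
            # crosses the pod network unencrypted unless a mesh/CNI encrypts
            # transport. Prefer an https listener plus VAULT_CACERT.
            - name: VAULT_ADDR
              value: "http://vault.dev-tools.svc.cluster.local:8200"
            # NOTE(review): least privilege -- this secret should carry a
            # short-lived token whose policy covers only
            # `sys/policies/acl/eso-internal-users-read` and
            # `auth/kubernetes/role/eso-internal-users`, not a root/admin token.
            # Environment variables are readable by anything able to exec or
            # attach a debug container to this pod.
            - name: VAULT_TOKEN
              valueFrom:
                secretKeyRef:
                  name: vault-admin-token
                  key: token
          command: ["/bin/sh", "-c"]
          args:
            - |
              # -e: a failing vault call fails the Job, and therefore the sync.
              # -u: an unset variable is an error rather than an empty expansion.
              set -eu
              echo "[bootstrap for scope internal-users]"

              # `vault status` exits 0 only when Vault is reachable and unsealed
              # (1 = error, 2 = sealed). Wait up to ~60s, then abort the Job.
              i=0
              until vault status >/dev/null 2>&1; do
                i=$((i+1))
                [ "$i" -gt 30 ] && echo "Vault not ready" && exit 1
                echo "Waiting for Vault... ($i/30)"; sleep 2
              done

              # The `internal-users` KV v2 mount is assumed to be enabled
              # elsewhere (presumably an earlier sync wave -- confirm); enabling
              # it here is intentionally left disabled.
              # vault secrets enable -version=2 -path=internal-users kv 2>/dev/null || true

              # Read-only ACL for ESO: list keys, read secret data. The policy
              # body is passed on stdin (`-`) so no writable filesystem is
              # needed. `vault policy write` is idempotent (it overwrites), so
              # a failure is a real error and must not be masked with `|| true`:
              # masking it would let the role below reference a policy that was
              # never created while Argo CD deletes the hook as "succeeded".
              vault policy write eso-internal-users-read - <<'EOF'
              path "internal-users/metadata/*" {
                capabilities = ["list"]
              }
              path "internal-users/data/*" {
                capabilities = ["read"]
              }
              EOF

              # Kubernetes-auth role bound to exactly one SA in one namespace.
              # The audience parameter of this auth method is `audience`;
              # `bound_audiences` belongs to the JWT auth method and is ignored
              # by the kubernetes backend (with only a warning), which would
              # silently skip the `aud` check. The value must equal the `aud`
              # claim in the token ESO presents (some distributions issue
              # `https://kubernetes.default.svc.cluster.local` -- verify).
              # token_policies / token_ttl replace the deprecated policies / ttl.
              vault write auth/kubernetes/role/eso-internal-users \
                bound_service_account_names="external-secrets" \
                bound_service_account_namespaces="dev-tools" \
                audience="https://kubernetes.default.svc" \
                token_policies="eso-internal-users-read" \
                token_ttl=1h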