dvirlabs/dev-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
dev-tools/manifests/cluster-secret-store/oidc/bootstrap-job.disable
dvirlabs 87d812b73b Fix resources
2025-10-01 14:32:57 +03:00

76 lines
2.2 KiB
Plaintext
Raw Blame History

apiVersion: batch/v1
kind: Job
metadata:
name: vault-bootstrap-oidc
namespace: dev-tools
annotations:
argocd.argoproj.io/hook: Sync
argocd.argoproj.io/hook-delete-policy: HookSucceeded
argocd.argoproj.io/sync-wave: "1"
spec:
backoffLimit: 2
ttlSecondsAfterFinished: 60
template:
spec:
restartPolicy: OnFailure
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
containers:
- name: vault
image: hashicorp/vault:1.16
imagePullPolicy: IfNotPresent
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 200m
memory: 128Mi
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
env:
- name: VAULT_ADDR
value: "http://vault.dev-tools.svc.cluster.local:8200"
- name: VAULT_TOKEN
valueFrom:
secretKeyRef:
name: vault-admin-token
key: token
command:
- /bin/sh
- -c
args:
- |
set -e
echo "[bootstrap for scope oidc-secrets]"
i=0
until vault status >/dev/null 2>&1; do
i=$((i+1))
if [ "$i" -gt 30 ]; then
echo "Vault is not ready after 30 attempts"; exit 1
fi
echo "Waiting for Vault... ($i/30)"
sleep 2
done
cat >/tmp/policy.hcl <<'EOF'
path "oidc-secrets/metadata/*" { capabilities = ["list"] }
path "oidc-secrets/data/*" { capabilities = ["read"] }
EOF
vault policy write eso-oidc-read /tmp/policy.hcl || true
vault write auth/kubernetes/role/eso-oidc \
bound_service_account_names="external-secrets" \
bound_service_account_namespaces="dev-tools" \
bound_audiences="https://kubernetes.default.svc" \
policies="eso-oidc-read" \
ttl=1h
Reference in New Issue View Git Blame Copy Permalink