78 lines
2.4 KiB
YAML
78 lines
2.4 KiB
YAML
apiVersion: batch/v1
|
|
kind: Job
|
|
metadata:
|
|
name: vault-bootstrap-cicd
|
|
namespace: dev-tools
|
|
annotations:
|
|
argocd.argoproj.io/hook: Sync
|
|
argocd.argoproj.io/hook-delete-policy: HookSucceeded
|
|
argocd.argoproj.io/sync-wave: "1"
|
|
spec:
|
|
backoffLimit: 2
|
|
ttlSecondsAfterFinished: 60
|
|
template:
|
|
spec:
|
|
restartPolicy: OnFailure
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
runAsUser: 1000
|
|
runAsGroup: 1000
|
|
fsGroup: 1000
|
|
containers:
|
|
- name: vault
|
|
image: hashicorp/vault:1.16
|
|
imagePullPolicy: IfNotPresent
|
|
resources:
|
|
requests:
|
|
cpu: 50m
|
|
memory: 64Mi
|
|
limits:
|
|
cpu: 200m
|
|
memory: 128Mi
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
readOnlyRootFilesystem: true
|
|
capabilities:
|
|
drop: ["ALL"]
|
|
env:
|
|
- name: VAULT_ADDR
|
|
value: "http://vault.dev-tools.svc.cluster.local:8200"
|
|
- name: VAULT_TOKEN
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: vault-admin-token
|
|
key: token
|
|
command: ["/bin/sh","-c"]
|
|
args:
|
|
- |
|
|
set -e
|
|
echo "[bootstrap for scope cicd]"
|
|
|
|
# המתנה לזמינות Vault
|
|
i=0
|
|
until vault status >/dev/null 2>&1; do
|
|
i=$((i+1))
|
|
if [ "$i" -gt 30 ]; then
|
|
echo "Vault is not ready after 30 attempts"; exit 1
|
|
fi
|
|
echo "Waiting for Vault... ($i/30)"
|
|
sleep 2
|
|
done
|
|
|
|
# אם צריך להפעיל KV (בזהירות, רק אם לטוקן יש הרשאות):
|
|
# vault secrets enable -version=2 -path=cicd kv 2>/dev/null || true
|
|
|
|
# מדיניות קריאה בלבד ל-KV v2
|
|
cat >/tmp/policy.hcl <<'EOF'
|
|
path "cicd/metadata/*" { capabilities = ["list"] }
|
|
path "cicd/data/*" { capabilities = ["read"] }
|
|
EOF
|
|
vault policy write eso-cicd-read /tmp/policy.hcl || true
|
|
|
|
vault write auth/kubernetes/role/eso-cicd \
|
|
bound_service_account_names="external-secrets" \
|
|
bound_service_account_namespaces="dev-tools" \
|
|
bound_audiences="https://kubernetes.default.svc" \
|
|
policies="eso-cicd-read" \
|
|
ttl=1h
|