64 lines
2.1 KiB
YAML
64 lines
2.1 KiB
YAML
apiVersion: batch/v1
|
|
kind: Job
|
|
metadata:
|
|
name: vault-bootstrap-internal-users
|
|
namespace: dev-tools
|
|
annotations:
|
|
argocd.argoproj.io/hook: Sync
|
|
argocd.argoproj.io/hook-delete-policy: HookSucceeded
|
|
argocd.argoproj.io/sync-wave: "1"
|
|
spec:
|
|
backoffLimit: 2
|
|
ttlSecondsAfterFinished: 60
|
|
template:
|
|
spec:
|
|
restartPolicy: OnFailure
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
runAsUser: 1000
|
|
runAsGroup: 1000
|
|
fsGroup: 1000
|
|
containers:
|
|
- name: vault
|
|
image: hashicorp/vault:1.16
|
|
imagePullPolicy: IfNotPresent
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
readOnlyRootFilesystem: true
|
|
capabilities: { drop: ["ALL"] }
|
|
env:
|
|
- name: VAULT_ADDR
|
|
value: "http://vault.dev-tools.svc.cluster.local:8200"
|
|
- name: VAULT_TOKEN
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: vault-admin-token
|
|
key: token
|
|
command: ["/bin/sh","-c"]
|
|
args:
|
|
- |
|
|
set -e
|
|
echo "[bootstrap for scope internal-users]"
|
|
|
|
i=0
|
|
until vault status >/dev/null 2>&1; do
|
|
i=$((i+1))
|
|
[ "$i" -gt 30 ] && echo "Vault not ready" && exit 1
|
|
echo "Waiting for Vault... ($i/30)"; sleep 2
|
|
done
|
|
|
|
# vault secrets enable -version=2 -path=internal-users kv 2>/dev/null || true
|
|
|
|
cat >/tmp/policy.hcl <<'EOF'
|
|
path "internal-users/metadata/*" { capabilities = ["list"] }
|
|
path "internal-users/data/*" { capabilities = ["read"] }
|
|
EOF
|
|
vault policy write eso-internal-users-read /tmp/policy.hcl || true
|
|
|
|
vault write auth/kubernetes/role/eso-internal-users \
|
|
bound_service_account_names="external-secrets" \
|
|
bound_service_account_namespaces="dev-tools" \
|
|
bound_audiences="https://kubernetes.default.svc" \
|
|
policies="eso-internal-users-read" \
|
|
ttl=1h
|