security: switch ESO→Vault auth from token to k8s SA

Remove static Vault token from Git (was exposed in vault-token-secret.yaml).
ESO now authenticates via Kubernetes service account JWT → short-lived tokens.
Add sync-hook Job to configure Vault k8s auth idempotently on ArgoCD sync.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

manifest/external-secrets/cluster-secret-store/secret-store.yaml

@@ -7,13 +7,11 @@ spec:
     vault:
       server: "http://vault.vault.svc.cluster.local:8200"
       path: "kv"
-      # Version is the Vault KV secret engine version.
-      # This can be either "v1" or "v2", defaults to "v2"
       version: "v2"
       auth:
-        # points to a secret that contains a vault token
+        kubernetes:
-        # https://www.vaultproject.io/docs/auth/token
+          mountPath: "kubernetes"
-        tokenSecretRef:
+          role: "eso"
-          name: "vault-token"
+          serviceAccountRef:
-          key: "token"
+            name: external-secrets
-          namespace: "external-secrets"
+            namespace: external-secrets

manifest/external-secrets/cluster-secret-store/vault-k8s-auth-job.yaml

@@ -0,0 +1,53 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: vault-k8s-auth-setup
+  namespace: external-secrets
+  annotations:
+    argocd.argoproj.io/hook: Sync
+    argocd.argoproj.io/hook-delete-policy: HookSucceeded
+spec:
+  template:
+    spec:
+      restartPolicy: OnFailure
+      containers:
+      - name: vault-setup
+        image: hashicorp/vault:1.21.2
+        env:
+        - name: VAULT_ADDR
+          value: "http://vault.vault.svc.cluster.local:8200"
+        - name: VAULT_TOKEN
+          valueFrom:
+            secretKeyRef:
+              name: vault-init-token
+              key: token
+        command:
+        - /bin/sh
+        - -c
+        - |
+          set -e
+
+          # idempotent — skip if k8s auth already configured
+          if vault auth list | grep -q "^kubernetes/"; then
+            echo "k8s auth already enabled, skipping setup"
+            exit 0
+          fi
+
+          vault auth enable kubernetes
+
+          vault write auth/kubernetes/config \
+            kubernetes_host="https://kubernetes.default.svc"
+
+          vault policy write eso-policy - <<EOF
+          path "kv/data/*" {
+            capabilities = ["read"]
+          }
+          EOF
+
+          vault write auth/kubernetes/role/eso \
+            bound_service_account_names=external-secrets \
+            bound_service_account_namespaces=external-secrets \
+            policies=eso-policy \
+            ttl=1h
+
+          echo "Vault k8s auth configured successfully"

manifest/external-secrets/cluster-secret-store/vault-token-secret.yaml

@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: vault-token
-  namespace: external-secrets # Must match the namespace defined in ClusterSecretStore tokenSecretRef
-type: Opaque
-data:
-  # Base64 encoded vault token. 
-  # You can generate this by running: echo -n "YOUR_VAULT_TOKEN" | base64
-  token: aHZzLmJyUHBpbmZPTlI5RU9BeHpNR0ZIaDBIaA== # placeholder