diff --git a/manifest/external-secrets/cluster-secret-store/secret-store.yaml b/manifest/external-secrets/cluster-secret-store/secret-store.yaml
index f61a1ae..1b0c127 100644
--- a/manifest/external-secrets/cluster-secret-store/secret-store.yaml
+++ b/manifest/external-secrets/cluster-secret-store/secret-store.yaml
@@ -7,13 +7,11 @@ spec:
 vault:
 server: "http://vault.vault.svc.cluster.local:8200"
 path: "kv"
- # Version is the Vault KV secret engine version.
- # This can be either "v1" or "v2", defaults to "v2"
 version: "v2"
 auth:
- # points to a secret that contains a vault token
- # https://www.vaultproject.io/docs/auth/token
- tokenSecretRef:
- name: "vault-token"
- key: "token"
- namespace: "external-secrets"
+ kubernetes:
+ mountPath: "kubernetes"
+ role: "eso"
+ serviceAccountRef:
+ name: external-secrets
+ namespace: external-secrets
diff --git a/manifest/external-secrets/cluster-secret-store/vault-k8s-auth-job.yaml b/manifest/external-secrets/cluster-secret-store/vault-k8s-auth-job.yaml
new file mode 100644
index 0000000..d5c8be2
--- /dev/null
+++ b/manifest/external-secrets/cluster-secret-store/vault-k8s-auth-job.yaml
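Review bot: The new `kubernetes:` auth block makes ESO send the `external-secrets` service-account JWT to Vault on every login, while the unchanged `server:` line above it still points at a plain `http://` endpoint, so that bearer credential and every secret read back cross the cluster network unencrypted; the commit does not address transport security. Moving `server:` to `https://` together with a `caBundle` or `caProvider` entry in the `vault:` block would close that, assuming the Vault service is serving TLS. The `role: "eso"` binding only constrains who can log in if the Vault role restricts `bound_service_account_names` and `bound_service_account_namespaces` to the `serviceAccountRef` given here; that configuration lives outside this file, presumably in the new setup job, and is worth confirming. As a style point, `name: external-secrets` and `namespace: external-secrets` are the only unquoted scalars in a block whose other values are quoted; `name: "external-secrets"` / `namespace: "external-secrets"` keeps the file consistent.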
@@ -0,0 +1,53 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: vault-k8s-auth-setup
+ namespace: external-secrets
+ annotations:
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: HookSucceeded
+spec:
+ template:
+ spec:
+ restartPolicy: OnFailure
+ containers:
+ - name: vault-setup
+ image: hashicorp/vault:1.21.2
+ env:
+ - name: VAULT_ADDR
+ value: "http://vault.vault.svc.cluster.local:8200"
+ - name: VAULT_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: vault-init-token
+ key: token
+ command:
+ - /bin/sh
+ - -c
+ - |
+ set -e
+
+ # idempotent — skip if k8s auth already configured
+ if vault auth list | grep -q "^kubernetes/"; then
+ echo "k8s auth already enabled, skipping setup"
+ exit 0
+ fi
+
+ vault auth enable kubernetes
+
+ vault write auth/kubernetes/config \
+ kubernetes_host="https://kubernetes.default.svc"
+
+ vault policy write eso-policy - <