security: switch ESO→Vault auth from token to k8s SA

Remove static Vault token from Git (was exposed in vault-token-secret.yaml). ESO now authenticates via Kubernetes service account JWT → short-lived tokens. Add sync-hook Job to configure Vault k8s auth idempotently on ArgoCD sync. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-22 13:08:21 +07:00
parent 9acc10d103
commit 9419f7d4a3
2 changed files with 59 additions and 8 deletions
--- a/manifest/external-secrets/cluster-secret-store/secret-store.yaml
+++ b/manifest/external-secrets/cluster-secret-store/secret-store.yaml
@@ -7,13 +7,11 @@ spec:
    vault:
      server: "http://vault.vault.svc.cluster.local:8200"
      path: "kv"
-      # Version is the Vault KV secret engine version.
-      # This can be either "v1" or "v2", defaults to "v2"
      version: "v2"
      auth:
-        # points to a secret that contains a vault token
-        # https://www.vaultproject.io/docs/auth/token
-        tokenSecretRef:
-          name: "vault-token"
-          key: "token"
-          namespace: "external-secrets"
+        kubernetes:
+          mountPath: "kubernetes"
+          role: "eso"
+          serviceAccountRef:
+            name: external-secrets
+            namespace: external-secrets