security: switch ESO→Vault auth from token to k8s SA

Remove static Vault token from Git (was exposed in vault-token-secret.yaml).
ESO now authenticates via Kubernetes service account JWT → short-lived tokens.
Add sync-hook Job to configure Vault k8s auth idempotently on ArgoCD sync.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

manifest/external-secrets/cluster-secret-store/vault-k8s-auth-job.yaml

@@ -0,0 +1,53 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: vault-k8s-auth-setup
+  namespace: external-secrets
+  annotations:
+    argocd.argoproj.io/hook: Sync
+    argocd.argoproj.io/hook-delete-policy: HookSucceeded
+spec:
+  template:
+    spec:
+      restartPolicy: OnFailure
+      containers:
+      - name: vault-setup
+        image: hashicorp/vault:1.21.2
+        env:
+        - name: VAULT_ADDR
+          value: "http://vault.vault.svc.cluster.local:8200"
+        - name: VAULT_TOKEN
+          valueFrom:
+            secretKeyRef:
+              name: vault-init-token
+              key: token
+        command:
+        - /bin/sh
+        - -c
+        - |
+          set -e
+
+          # idempotent — skip if k8s auth already configured
+          if vault auth list | grep -q "^kubernetes/"; then
+            echo "k8s auth already enabled, skipping setup"
+            exit 0
+          fi
+
+          vault auth enable kubernetes
+
+          vault write auth/kubernetes/config \
+            kubernetes_host="https://kubernetes.default.svc"
+
+          vault policy write eso-policy - <<EOF
+          path "kv/data/*" {
+            capabilities = ["read"]
+          }
+          EOF
+
+          vault write auth/kubernetes/role/eso \
+            bound_service_account_names=external-secrets \
+            bound_service_account_namespaces=external-secrets \
+            policies=eso-policy \
+            ttl=1h
+
+          echo "Vault k8s auth configured successfully"