security: switch ESO→Vault auth from token to k8s SA

Remove static Vault token from Git (was exposed in vault-token-secret.yaml). ESO now authenticates via Kubernetes service account JWT → short-lived tokens. Add sync-hook Job to configure Vault k8s auth idempotently on ArgoCD sync. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-22 13:08:21 +07:00
parent 9acc10d103
commit 9419f7d4a3
2 changed files with 59 additions and 8 deletions
--- a/manifest/external-secrets/cluster-secret-store/secret-store.yaml
+++ b/manifest/external-secrets/cluster-secret-store/secret-store.yaml
@@ -7,13 +7,11 @@ spec:
    vault:
      server: "http://vault.vault.svc.cluster.local:8200"
      path: "kv"
-      # Version is the Vault KV secret engine version.
-      # This can be either "v1" or "v2", defaults to "v2"
      version: "v2"
      auth:
-        # points to a secret that contains a vault token
-        # https://www.vaultproject.io/docs/auth/token
-        tokenSecretRef:
-          name: "vault-token"
-          key: "token"
-          namespace: "external-secrets"
+        kubernetes:
+          mountPath: "kubernetes"
+          role: "eso"
+          serviceAccountRef:
+            name: external-secrets
+            namespace: external-secrets
--- a/manifest/external-secrets/cluster-secret-store/vault-k8s-auth-job.yaml
+++ b/manifest/external-secrets/cluster-secret-store/vault-k8s-auth-job.yaml
@@ -0,0 +1,53 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: vault-k8s-auth-setup
+  namespace: external-secrets
+  annotations:
+    argocd.argoproj.io/hook: Sync
+    argocd.argoproj.io/hook-delete-policy: HookSucceeded
+spec:
+  template:
+    spec:
+      restartPolicy: OnFailure
+      containers:
+      - name: vault-setup
+        image: hashicorp/vault:1.21.2
+        env:
+        - name: VAULT_ADDR
+          value: "http://vault.vault.svc.cluster.local:8200"
+        - name: VAULT_TOKEN
+          valueFrom:
+            secretKeyRef:
+              name: vault-init-token
+              key: token
+        command:
+        - /bin/sh
+        - -c
+        - |
+          set -e
+
+          # idempotent — skip if k8s auth already configured
+          if vault auth list | grep -q "^kubernetes/"; then
+            echo "k8s auth already enabled, skipping setup"
+            exit 0
+          fi
+
+          vault auth enable kubernetes
+
+          vault write auth/kubernetes/config \
+            kubernetes_host="https://kubernetes.default.svc"
+
+          vault policy write eso-policy - <<EOF
+          path "kv/data/*" {
+            capabilities = ["read"]
+          }
+          EOF
+
+          vault write auth/kubernetes/role/eso \
+            bound_service_account_names=external-secrets \
+            bound_service_account_namespaces=external-secrets \
+            policies=eso-policy \
+            ttl=1h
+
+          echo "Vault k8s auth configured successfully"