apiVersion: batch/v1
kind: Job
metadata:
  name: vault-k8s-auth-setup
  namespace: external-secrets
  annotations:
    argocd.argoproj.io/hook: Sync
    argocd.argoproj.io/hook-delete-policy: HookSucceeded
spec:
  template:
    spec:
      restartPolicy: OnFailure
      containers:
      - name: vault-setup
        image: hashicorp/vault:1.21.2
        env:
        - name: VAULT_ADDR
          value: "http://vault.vault.svc.cluster.local:8200"
        - name: VAULT_TOKEN
          valueFrom:
            secretKeyRef:
              name: vault-init-token
              key: token
        command:
        - /bin/sh
        - -c
        - |
          set -e

          # idempotent — skip if k8s auth already configured
          if vault auth list | grep -q "^kubernetes/"; then
            echo "k8s auth already enabled, skipping setup"
            exit 0
          fi

          vault auth enable kubernetes

          vault write auth/kubernetes/config \
            kubernetes_host="https://kubernetes.default.svc"

          vault policy write eso-policy - <<EOF
          path "kv/data/*" {
            capabilities = ["read"]
          }
          EOF

          vault write auth/kubernetes/role/eso \
            bound_service_account_names=external-secrets \
            bound_service_account_namespaces=external-secrets \
            policies=eso-policy \
            ttl=1h

          echo "Vault k8s auth configured successfully"