duynguyen/k8s-cluster
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
142dd15922c27b94e14a58847395ea319ae3e173
k8s-cluster/manifest/external-secrets/cluster-secret-store/vault-k8s-auth-job.yaml
duynguyen 9419f7d4a3 security: switch ESO→Vault auth from token to k8s SA 
Remove static Vault token from Git (was exposed in vault-token-secret.yaml).
ESO now authenticates via Kubernetes service account JWT → short-lived tokens.
Add sync-hook Job to configure Vault k8s auth idempotently on ArgoCD sync.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-22 13:08:21 +07:00

54 lines
1.4 KiB
YAML
Raw Blame History

apiVersion: batch/v1
kind: Job
metadata:
name: vault-k8s-auth-setup
namespace: external-secrets
annotations:
argocd.argoproj.io/hook: Sync
argocd.argoproj.io/hook-delete-policy: HookSucceeded
spec:
template:
spec:
restartPolicy: OnFailure
containers:
- name: vault-setup
image: hashicorp/vault:1.21.2
env:
- name: VAULT_ADDR
value: "http://vault.vault.svc.cluster.local:8200"
- name: VAULT_TOKEN
valueFrom:
secretKeyRef:
name: vault-init-token
key: token
command:
- /bin/sh
- -c
- |
set -e
# idempotent — skip if k8s auth already configured
if vault auth list | grep -q "^kubernetes/"; then
echo "k8s auth already enabled, skipping setup"
exit 0
fi
vault auth enable kubernetes
vault write auth/kubernetes/config \
kubernetes_host="https://kubernetes.default.svc"
vault policy write eso-policy - <<EOF
path "kv/data/*" {
capabilities = ["read"]
}
EOF
vault write auth/kubernetes/role/eso \
bound_service_account_names=external-secrets \
bound_service_account_namespaces=external-secrets \
policies=eso-policy \
ttl=1h
echo "Vault k8s auth configured successfully"
Reference in New Issue View Git Blame Copy Permalink