duynguyen/k8s-cluster
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9419f7d4a3e8b485cde27d0677385a2d3bc852b2
k8s-cluster/manifest/external-secrets/cluster-secret-store/secret-store.yaml
duynguyen 9419f7d4a3 security: switch ESO→Vault auth from token to k8s SA 
Remove static Vault token from Git (was exposed in vault-token-secret.yaml).
ESO now authenticates via Kubernetes service account JWT → short-lived tokens.
Add sync-hook Job to configure Vault k8s auth idempotently on ArgoCD sync.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-22 13:08:21 +07:00

18 lines
408 B
YAML
Raw Blame History

apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
metadata:
name: vault-backend
spec:
provider:
vault:
server: "http://vault.vault.svc.cluster.local:8200"
path: "kv"
version: "v2"
auth:
kubernetes:
mountPath: "kubernetes"
role: "eso"
serviceAccountRef:
name: external-secrets
namespace: external-secrets
Reference in New Issue View Git Blame Copy Permalink