2025-12-25 03:14:50 -03:00
|
|
|
# infrastructure/vault-csi/vault-csi-provider.yaml
|
2025-12-25 03:20:13 -03:00
|
|
|
apiVersion: v1
|
|
|
|
|
kind: ServiceAccount
|
2025-12-25 03:14:50 -03:00
|
|
|
metadata:
|
|
|
|
|
name: vault-csi-provider
|
|
|
|
|
namespace: kube-system
|
2025-12-25 03:20:13 -03:00
|
|
|
---
|
|
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
|
|
|
kind: ClusterRole
|
|
|
|
|
metadata:
|
|
|
|
|
name: vault-csi-provider-clusterrole
|
|
|
|
|
rules:
|
|
|
|
|
- apiGroups: [""]
|
|
|
|
|
resources: ["serviceaccounts/token"]
|
|
|
|
|
verbs: ["create"]
|
|
|
|
|
---
|
|
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
|
|
|
kind: ClusterRoleBinding
|
|
|
|
|
metadata:
|
|
|
|
|
name: vault-csi-provider-clusterrolebinding
|
|
|
|
|
roleRef:
|
|
|
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
|
kind: ClusterRole
|
|
|
|
|
name: vault-csi-provider-clusterrole
|
|
|
|
|
subjects:
|
|
|
|
|
- kind: ServiceAccount
|
|
|
|
|
name: vault-csi-provider
|
|
|
|
|
namespace: kube-system
|
|
|
|
|
---
|
|
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
|
|
|
kind: Role
|
|
|
|
|
metadata:
|
|
|
|
|
name: vault-csi-provider-role
|
|
|
|
|
namespace: kube-system
|
|
|
|
|
rules:
|
|
|
|
|
- apiGroups: [""]
|
|
|
|
|
resources: ["secrets"]
|
|
|
|
|
verbs: ["get"]
|
|
|
|
|
resourceNames: ["vault-csi-provider-hmac-key"]
|
|
|
|
|
- apiGroups: [""]
|
|
|
|
|
resources: ["secrets"]
|
|
|
|
|
verbs: ["create"]
|
|
|
|
|
---
|
|
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
|
|
|
kind: RoleBinding
|
|
|
|
|
metadata:
|
|
|
|
|
name: vault-csi-provider-rolebinding
|
|
|
|
|
namespace: kube-system
|
|
|
|
|
roleRef:
|
|
|
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
|
kind: Role
|
|
|
|
|
name: vault-csi-provider-role
|
|
|
|
|
subjects:
|
|
|
|
|
- kind: ServiceAccount
|
|
|
|
|
name: vault-csi-provider
|
|
|
|
|
namespace: kube-system
|
|
|
|
|
---
|
|
|
|
|
apiVersion: apps/v1
|
|
|
|
|
kind: DaemonSet
|
|
|
|
|
metadata:
|
|
|
|
|
name: vault-csi-provider
|
|
|
|
|
namespace: kube-system
|
|
|
|
|
labels: { app.kubernetes.io/name: vault-csi-provider }
|
2025-12-25 03:14:50 -03:00
|
|
|
spec:
|
2025-12-25 03:20:13 -03:00
|
|
|
updateStrategy:
|
|
|
|
|
type: RollingUpdate
|
|
|
|
|
selector:
|
|
|
|
|
matchLabels: { app.kubernetes.io/name: vault-csi-provider }
|
|
|
|
|
template:
|
|
|
|
|
metadata:
|
|
|
|
|
labels: { app.kubernetes.io/name: vault-csi-provider }
|
2025-12-25 03:14:50 -03:00
|
|
|
spec:
|
2025-12-25 03:20:13 -03:00
|
|
|
serviceAccountName: vault-csi-provider
|
|
|
|
|
containers:
|
|
|
|
|
- name: provider-vault-installer
|
|
|
|
|
image: hashicorp/vault-csi-provider:1.7.0
|
|
|
|
|
imagePullPolicy: IfNotPresent
|
|
|
|
|
args:
|
|
|
|
|
- -endpoint=/provider/vault.sock
|
|
|
|
|
- -log-level=info
|
|
|
|
|
resources:
|
|
|
|
|
requests: { cpu: 50m, memory: 100Mi }
|
|
|
|
|
limits: { cpu: 50m, memory: 100Mi }
|
|
|
|
|
volumeMounts:
|
|
|
|
|
- { name: providervol, mountPath: "/provider" }
|
|
|
|
|
livenessProbe:
|
|
|
|
|
httpGet:
|
|
|
|
|
path: "/health/ready"
|
|
|
|
|
port: 8080
|
|
|
|
|
scheme: "HTTP"
|
|
|
|
|
failureThreshold: 2
|
|
|
|
|
initialDelaySeconds: 5
|
|
|
|
|
periodSeconds: 5
|
|
|
|
|
successThreshold: 1
|
|
|
|
|
timeoutSeconds: 3
|
|
|
|
|
readinessProbe:
|
|
|
|
|
httpGet:
|
|
|
|
|
path: "/health/ready"
|
|
|
|
|
port: 8080
|
|
|
|
|
scheme: "HTTP"
|
|
|
|
|
failureThreshold: 2
|
|
|
|
|
initialDelaySeconds: 5
|
|
|
|
|
periodSeconds: 5
|
|
|
|
|
successThreshold: 1
|
|
|
|
|
timeoutSeconds: 3
|
|
|
|
|
volumes:
|
|
|
|
|
- name: providervol
|
|
|
|
|
hostPath:
|
|
|
|
|
path: "/var/run/secrets-store-csi-providers"
|
|
|
|
|
nodeSelector:
|
|
|
|
|
kubernetes.io/os: linux
|
