From 1add32e6837f6253e90ce5a8c7e078d7a46e2159 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Wed, 14 Jan 2026 11:46:13 -0300
Subject: [PATCH] infra: add vault injector
---
 .../flux-system/platform/kustomization.yaml | 1 +
 .../vault-injector/kustomization.yaml | 16 +++++++
 .../vault-injector/helmrelease.yaml | 43 +++++++++++++++++++
 .../vault-injector/kustomization.yaml | 5 +++
 4 files changed, 65 insertions(+)
 create mode 100644 clusters/atlas/flux-system/platform/vault-injector/kustomization.yaml
 create mode 100644 infrastructure/vault-injector/helmrelease.yaml
 create mode 100644 infrastructure/vault-injector/kustomization.yaml
diff --git a/clusters/atlas/flux-system/platform/kustomization.yaml b/clusters/atlas/flux-system/platform/kustomization.yaml
index 6f88db7..83ca71e 100644
--- a/clusters/atlas/flux-system/platform/kustomization.yaml
+++ b/clusters/atlas/flux-system/platform/kustomization.yaml
@@ -13,3 +13,4 @@ resources:
 - longhorn-ui/kustomization.yaml
 - postgres/kustomization.yaml
 - ../platform/vault-csi/kustomization.yaml
+ - ../platform/vault-injector/kustomization.yaml
diff --git a/clusters/atlas/flux-system/platform/vault-injector/kustomization.yaml b/clusters/atlas/flux-system/platform/vault-injector/kustomization.yaml
new file mode 100644
index 0000000..d7d740d
--- /dev/null
+++ b/clusters/atlas/flux-system/platform/vault-injector/kustomization.yaml
@@ -0,0 +1,16 @@
+# clusters/atlas/flux-system/platform/vault-injector/kustomization.yaml
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: vault-injector
+ namespace: flux-system
+spec:
+ interval: 30m
+ path: ./infrastructure/vault-injector
+ targetNamespace: vault
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ namespace: flux-system
+ wait: true
diff --git a/infrastructure/vault-injector/helmrelease.yaml b/infrastructure/vault-injector/helmrelease.yaml
new file mode 100644
index 0000000..6a9c0fd
--- /dev/null
+++ b/infrastructure/vault-injector/helmrelease.yaml
@@ -0,0 +1,43 @@
+# infrastructure/vault-injector/helmrelease.yaml
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: vault-injector
+ namespace: vault
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: vault
+ version: 0.31.0
+ sourceRef:
+ kind: HelmRepository
+ name: hashicorp
+ namespace: flux-system
+ install:
+ remediation: { retries: 3 }
+ timeout: 10m
+ upgrade:
+ remediation:
+ retries: 3
+ remediateLastFailure: true
+ cleanupOnFail: true
+ timeout: 10m
+ values:
+ global:
+ externalVaultAddr: http://vault.vault.svc.cluster.local:8200
+ tlsDisable: true
+ server:
+ enabled: false
+ csi:
+ enabled: false
+ injector:
+ enabled: true
+ replicas: 1
+ agentImage:
+ repository: hashicorp/vault
+ tag: "1.17.6"
+ webhook:
+ failurePolicy: Ignore
+ nodeSelector:
+ node-role.kubernetes.io/worker: "true"
diff --git a/infrastructure/vault-injector/kustomization.yaml b/infrastructure/vault-injector/kustomization.yaml
new file mode 100644
index 0000000..b4db089
--- /dev/null
+++ b/infrastructure/vault-injector/kustomization.yaml
@@ -0,0 +1,5 @@
+# infrastructure/vault-injector/kustomization.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - helmrelease.yaml
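Review bot: In helmrelease.yaml the `global` values point every injected agent at `http://vault.vault.svc.cluster.local:8200` with `tlsDisable: true`, so the Kubernetes auth tokens the sidecars present and the secrets they fetch cross the pod network unencrypted. If the Vault listener can serve TLS (not visible in this patch), prefer `externalVaultAddr: https://vault.vault.svc.cluster.local:8200` with `tlsDisable: false` and give the agents the CA; otherwise add a comment above `global:` stating that plaintext is accepted here and what compensates for it, for example a NetworkPolicy limiting which pods can reach port 8200. Separately, `failurePolicy: Ignore` together with `replicas: 1` means pods are admitted without a sidecar whenever the single injector pod is unavailable; a comment such as `# fail-open: workloads must tolerate starting without injected secrets` above `webhook:` would make that choice explicit for whoever changes it later.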