From 223ff4936fa9838f1c61e07fee246b4b40824876 Mon Sep 17 00:00:00 2001 From: Brad Stein Date: Wed, 14 Jan 2026 14:29:29 -0300 Subject: [PATCH] vault: prepopulate injector for jobs --- services/bstein-dev-home/portal-onboarding-e2e-test-job.yaml | 3 ++- services/bstein-dev-home/vaultwarden-cred-sync-cronjob.yaml | 3 ++- services/comms/bstein-force-leave-job.yaml | 3 ++- services/comms/guest-name-job.yaml | 3 ++- services/comms/mas-local-users-ensure-job.yaml | 3 ++- services/comms/othrys-kick-numeric-job.yaml | 3 ++- services/comms/pin-othrys-job.yaml | 3 ++- services/comms/reset-othrys-room-job.yaml | 3 ++- services/comms/seed-othrys-room.yaml | 3 ++- services/comms/synapse-seeder-admin-ensure-job.yaml | 3 ++- services/comms/synapse-user-seed-job.yaml | 3 ++- services/keycloak/endurain-oidc-secret-ensure-job.yaml | 3 ++- services/keycloak/harbor-oidc-secret-ensure-job.yaml | 3 ++- services/keycloak/ldap-federation-job.yaml | 3 ++- services/keycloak/logs-oidc-secret-ensure-job.yaml | 3 ++- services/keycloak/mas-secrets-ensure-job.yaml | 3 ++- services/keycloak/portal-e2e-client-job.yaml | 3 ++- .../keycloak/portal-e2e-execute-actions-email-test-job.yaml | 3 ++- services/keycloak/portal-e2e-target-client-job.yaml | 3 ++- .../keycloak/portal-e2e-token-exchange-permissions-job.yaml | 3 ++- services/keycloak/portal-e2e-token-exchange-test-job.yaml | 3 ++- services/keycloak/realm-settings-job.yaml | 3 ++- services/keycloak/sparkyfitness-oidc-secret-ensure-job.yaml | 3 ++- services/keycloak/synapse-oidc-secret-ensure-job.yaml | 3 ++- services/keycloak/user-overrides-job.yaml | 3 ++- services/keycloak/vault-oidc-secret-ensure-job.yaml | 3 ++- services/mailu/mailu-sync-cronjob.yaml | 3 ++- services/mailu/mailu-sync-job.yaml | 3 ++- services/nextcloud-mail-sync/cronjob.yaml | 3 ++- services/nextcloud/maintenance-cronjob.yaml | 3 ++- 30 files changed, 60 insertions(+), 30 deletions(-) 
diff --git a/services/bstein-dev-home/portal-onboarding-e2e-test-job.yaml b/services/bstein-dev-home/portal-onboarding-e2e-test-job.yaml index 16de572c..f8d27b37 100644 --- a/services/bstein-dev-home/portal-onboarding-e2e-test-job.yaml +++ b/services/bstein-dev-home/portal-onboarding-e2e-test-job.yaml @@ -10,6 +10,7 @@ spec: metadata: annotations: vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" vault.hashicorp.com/role: "bstein-dev-home" vault.hashicorp.com/agent-inject-secret-portal-env.sh: "kv/data/atlas/portal/atlas-portal-db" vault.hashicorp.com/agent-inject-template-portal-env.sh: | @@ -70,4 +71,4 @@ spec: - name: tests configMap: name: portal-onboarding-e2e-tests - defaultMode: 0555 + defaultMode: 0555 \ No newline at end of file diff --git a/services/bstein-dev-home/vaultwarden-cred-sync-cronjob.yaml b/services/bstein-dev-home/vaultwarden-cred-sync-cronjob.yaml index efbab7e6..bba2b1b1 100644 --- a/services/bstein-dev-home/vaultwarden-cred-sync-cronjob.yaml +++ b/services/bstein-dev-home/vaultwarden-cred-sync-cronjob.yaml @@ -16,6 +16,7 @@ spec: metadata: annotations: vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" vault.hashicorp.com/role: "bstein-dev-home" vault.hashicorp.com/agent-inject-secret-portal-env.sh: "kv/data/atlas/portal/atlas-portal-db" vault.hashicorp.com/agent-inject-template-portal-env.sh: | @@ -73,4 +74,4 @@ spec: - name: vaultwarden-cred-sync-script configMap: name: vaultwarden-cred-sync-script - defaultMode: 0555 + defaultMode: 0555 \ No newline at end of file diff --git a/services/comms/bstein-force-leave-job.yaml b/services/comms/bstein-force-leave-job.yaml index 4d38349d..759f30b2 100644 --- a/services/comms/bstein-force-leave-job.yaml +++ b/services/comms/bstein-force-leave-job.yaml 
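Review bot: The new `vault.hashicorp.com/agent-pre-populate-only: "true"` annotation in the first hunk of portal-onboarding-e2e-test-job.yaml has no comment saying why it is there, and the same line is repeated in the other 29 manifests of this commit. With it the injector adds only the init container, so the injected secret files are rendered once at pod start and are not refreshed while the job runs; that suits short-lived Jobs and CronJobs reading static KV paths like the ones shown, but a reader should not have to infer it. I would add a line above it such as `# init-only injection: no agent sidecar, so the Job pod can complete; secrets are rendered once at start`. Separately, the second hunk of each file only drops the final newline (`\ No newline at end of file`), which looks unintended and could be reverted. The annotations block continues past the end of the hunk.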
@@ -10,6 +10,7 @@ spec: metadata: annotations: vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" vault.hashicorp.com/role: "comms" vault.hashicorp.com/agent-inject-secret-mas-admin-secret: "kv/data/atlas/comms/mas-admin-client-runtime" vault.hashicorp.com/agent-inject-template-mas-admin-secret: | @@ -185,4 +186,4 @@ spec: print(json.dumps(results, indent=2, sort_keys=True)) if failures: raise SystemExit(f"failed to leave/forget rooms: {', '.join(failures)}") - PY + PY \ No newline at end of file diff --git a/services/comms/guest-name-job.yaml b/services/comms/guest-name-job.yaml index 00a1e47f..0ba2f527 100644 --- a/services/comms/guest-name-job.yaml +++ b/services/comms/guest-name-job.yaml @@ -17,6 +17,7 @@ spec: metadata: annotations: vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" vault.hashicorp.com/role: "comms" vault.hashicorp.com/agent-inject-secret-turn-secret: "kv/data/atlas/comms/turn-shared-secret" vault.hashicorp.com/agent-inject-template-turn-secret: | @@ -430,4 +431,4 @@ spec: db_rename_numeric(existing) finally: mas_revoke_session(admin_token, seeder_session) - PY + PY \ No newline at end of file diff --git a/services/comms/mas-local-users-ensure-job.yaml b/services/comms/mas-local-users-ensure-job.yaml index 3cf24f9b..fcb0fafa 100644 --- a/services/comms/mas-local-users-ensure-job.yaml +++ b/services/comms/mas-local-users-ensure-job.yaml @@ -11,6 +11,7 @@ spec: metadata: annotations: vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" vault.hashicorp.com/role: "comms" vault.hashicorp.com/agent-inject-secret-turn-secret: "kv/data/atlas/comms/turn-shared-secret" vault.hashicorp.com/agent-inject-template-turn-secret: | 
@@ -186,4 +187,4 @@ spec: token = admin_token() ensure_user(token, os.environ["SEEDER_USER"], os.environ["SEEDER_PASS"]) ensure_user(token, os.environ["BOT_USER"], os.environ["BOT_PASS"]) - PY + PY \ No newline at end of file diff --git a/services/comms/othrys-kick-numeric-job.yaml b/services/comms/othrys-kick-numeric-job.yaml index fa9d62d7..4d9ad6d9 100644 --- a/services/comms/othrys-kick-numeric-job.yaml +++ b/services/comms/othrys-kick-numeric-job.yaml @@ -10,6 +10,7 @@ spec: metadata: annotations: vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" vault.hashicorp.com/role: "comms" vault.hashicorp.com/agent-inject-secret-turn-secret: "kv/data/atlas/comms/turn-shared-secret" vault.hashicorp.com/agent-inject-template-turn-secret: | @@ -155,4 +156,4 @@ spec: - name: vault-scripts configMap: name: comms-vault-env - defaultMode: 0555 + defaultMode: 0555 \ No newline at end of file diff --git a/services/comms/pin-othrys-job.yaml b/services/comms/pin-othrys-job.yaml index e56a71f8..f25c18eb 100644 --- a/services/comms/pin-othrys-job.yaml +++ b/services/comms/pin-othrys-job.yaml @@ -17,6 +17,7 @@ spec: metadata: annotations: vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" vault.hashicorp.com/role: "comms" vault.hashicorp.com/agent-inject-secret-turn-secret: "kv/data/atlas/comms/turn-shared-secret" vault.hashicorp.com/agent-inject-template-turn-secret: | @@ -163,4 +164,4 @@ spec: - name: vault-scripts configMap: name: comms-vault-env - defaultMode: 0555 + defaultMode: 0555 \ No newline at end of file diff --git a/services/comms/reset-othrys-room-job.yaml b/services/comms/reset-othrys-room-job.yaml index 319e0a78..c0d941b6 100644 --- a/services/comms/reset-othrys-room-job.yaml +++ b/services/comms/reset-othrys-room-job.yaml 
@@ -17,6 +17,7 @@ spec: metadata: annotations: vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" vault.hashicorp.com/role: "comms" vault.hashicorp.com/agent-inject-secret-turn-secret: "kv/data/atlas/comms/turn-shared-secret" vault.hashicorp.com/agent-inject-template-turn-secret: | @@ -306,4 +307,4 @@ spec: - name: vault-scripts configMap: name: comms-vault-env - defaultMode: 0555 + defaultMode: 0555 \ No newline at end of file diff --git a/services/comms/seed-othrys-room.yaml b/services/comms/seed-othrys-room.yaml index 333ff359..ce87c85c 100644 --- a/services/comms/seed-othrys-room.yaml +++ b/services/comms/seed-othrys-room.yaml @@ -15,6 +15,7 @@ spec: metadata: annotations: vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" vault.hashicorp.com/role: "comms" vault.hashicorp.com/agent-inject-secret-turn-secret: "kv/data/atlas/comms/turn-shared-secret" vault.hashicorp.com/agent-inject-template-turn-secret: | @@ -179,4 +180,4 @@ spec: - name: vault-scripts configMap: name: comms-vault-env - defaultMode: 0555 + defaultMode: 0555 \ No newline at end of file diff --git a/services/comms/synapse-seeder-admin-ensure-job.yaml b/services/comms/synapse-seeder-admin-ensure-job.yaml index 450bdcda..073c28d5 100644 --- a/services/comms/synapse-seeder-admin-ensure-job.yaml +++ b/services/comms/synapse-seeder-admin-ensure-job.yaml @@ -10,6 +10,7 @@ spec: metadata: annotations: vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" vault.hashicorp.com/role: "comms" vault.hashicorp.com/agent-inject-secret-turn-secret: "kv/data/atlas/comms/turn-shared-secret" vault.hashicorp.com/agent-inject-template-turn-secret: | @@ -76,4 +77,4 @@ spec: - name: vault-scripts configMap: name: comms-vault-env - defaultMode: 0555 + defaultMode: 0555 \ No newline at end of file 
diff --git a/services/comms/synapse-user-seed-job.yaml b/services/comms/synapse-user-seed-job.yaml index 82b72e78..4117bff8 100644 --- a/services/comms/synapse-user-seed-job.yaml +++ b/services/comms/synapse-user-seed-job.yaml @@ -11,6 +11,7 @@ spec: metadata: annotations: vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" vault.hashicorp.com/role: "comms" vault.hashicorp.com/agent-inject-secret-turn-secret: "kv/data/atlas/comms/turn-shared-secret" vault.hashicorp.com/agent-inject-template-turn-secret: | @@ -150,4 +151,4 @@ spec: - name: vault-scripts configMap: name: comms-vault-env - defaultMode: 0555 + defaultMode: 0555 \ No newline at end of file diff --git a/services/keycloak/endurain-oidc-secret-ensure-job.yaml b/services/keycloak/endurain-oidc-secret-ensure-job.yaml index 386c663a..2ce30b45 100644 --- a/services/keycloak/endurain-oidc-secret-ensure-job.yaml +++ b/services/keycloak/endurain-oidc-secret-ensure-job.yaml @@ -11,6 +11,7 @@ spec: metadata: annotations: vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" vault.hashicorp.com/role: "sso-secrets" vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin" vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: | @@ -49,4 +50,4 @@ spec: volumeMounts: - name: endurain-oidc-secret-ensure-script mountPath: /scripts - readOnly: true + readOnly: true \ No newline at end of file diff --git a/services/keycloak/harbor-oidc-secret-ensure-job.yaml b/services/keycloak/harbor-oidc-secret-ensure-job.yaml index 598b801e..fc6dd7e9 100644 --- a/services/keycloak/harbor-oidc-secret-ensure-job.yaml +++ b/services/keycloak/harbor-oidc-secret-ensure-job.yaml 
@@ -11,6 +11,7 @@ spec: metadata: annotations: vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" vault.hashicorp.com/role: "sso-secrets" vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin" vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: | @@ -44,4 +45,4 @@ spec: volumeMounts: - name: harbor-oidc-secret-ensure-script mountPath: /scripts - readOnly: true + readOnly: true \ No newline at end of file diff --git a/services/keycloak/ldap-federation-job.yaml b/services/keycloak/ldap-federation-job.yaml index 8dd62c96..783200c8 100644 --- a/services/keycloak/ldap-federation-job.yaml +++ b/services/keycloak/ldap-federation-job.yaml @@ -10,6 +10,7 @@ spec: metadata: annotations: vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" vault.hashicorp.com/role: "sso" vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin" vault.hashicorp.com/agent-inject-template-keycloak-env.sh: | @@ -376,4 +377,4 @@ spec: except Exception as e: print(f"WARNING: LDAP cleanup failed (continuing): {e}") PY - volumeMounts: + volumeMounts: \ No newline at end of file diff --git a/services/keycloak/logs-oidc-secret-ensure-job.yaml b/services/keycloak/logs-oidc-secret-ensure-job.yaml index 5f9316f0..67abdc9e 100644 --- a/services/keycloak/logs-oidc-secret-ensure-job.yaml +++ b/services/keycloak/logs-oidc-secret-ensure-job.yaml @@ -11,6 +11,7 @@ spec: metadata: annotations: vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" vault.hashicorp.com/role: "sso-secrets" vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin" vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: | 
@@ -121,4 +122,4 @@ spec: --from-literal=cookie_secret="${COOKIE_SECRET}" \ --dry-run=client -o yaml | kubectl -n logging apply -f - >/dev/null volumeMounts: - volumes: + volumes: \ No newline at end of file diff --git a/services/keycloak/mas-secrets-ensure-job.yaml b/services/keycloak/mas-secrets-ensure-job.yaml index 330cb514..ff5f0229 100644 --- a/services/keycloak/mas-secrets-ensure-job.yaml +++ b/services/keycloak/mas-secrets-ensure-job.yaml @@ -19,6 +19,7 @@ spec: metadata: annotations: vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" vault.hashicorp.com/agent-init-first: "true" vault.hashicorp.com/role: "sso-secrets" vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin" @@ -123,4 +124,4 @@ spec: -d "${payload}" "${vault_addr}/v1/kv/data/atlas/comms/mas-secrets-runtime" >/dev/null volumeMounts: - name: work - mountPath: /work + mountPath: /work \ No newline at end of file diff --git a/services/keycloak/portal-e2e-client-job.yaml b/services/keycloak/portal-e2e-client-job.yaml index c3d996d2..e54fdfa9 100644 --- a/services/keycloak/portal-e2e-client-job.yaml +++ b/services/keycloak/portal-e2e-client-job.yaml @@ -10,6 +10,7 @@ spec: metadata: annotations: vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" vault.hashicorp.com/role: "sso" vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin" vault.hashicorp.com/agent-inject-template-keycloak-env.sh: | @@ -257,4 +258,4 @@ spec: raise SystemExit(f"Role mapping update failed (status={status}) resp={resp}") PY volumeMounts: - volumes: + volumes: \ No newline at end of file diff --git a/services/keycloak/portal-e2e-execute-actions-email-test-job.yaml b/services/keycloak/portal-e2e-execute-actions-email-test-job.yaml index aeb3a0de..cc23305d 100644 --- a/services/keycloak/portal-e2e-execute-actions-email-test-job.yaml 
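Review bot: In mas-secrets-ensure-job.yaml the job container itself writes to Vault (`"${vault_addr}/v1/kv/data/atlas/comms/mas-secrets-runtime" >/dev/null` in that file's last hunk), and after this change no agent runs beside it to keep a token fresh. Where the script gets its token is outside the hunk, so this is a question rather than a finding: if it reads a token left by the agent, that token is now obtained once by the init container and must stay valid for the whole run. The response is discarded, and in synapse-oidc-secret-ensure-job.yaml, where the same call is visible in full, curl runs with `-sS` only, so as far as the visible lines show an HTTP 403 from an expired or under-privileged token would still exit 0. I would make the write fail loudly in both files, e.g. `curl -sS --fail -X POST -H "X-Vault-Token: ${vault_token}" \`. The script body starts outside both hunks.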
+++ b/services/keycloak/portal-e2e-execute-actions-email-test-job.yaml @@ -10,6 +10,7 @@ spec: metadata: annotations: vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" vault.hashicorp.com/role: "sso" vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin" vault.hashicorp.com/agent-inject-template-keycloak-env.sh: | @@ -69,4 +70,4 @@ spec: - name: tests configMap: name: portal-e2e-tests - defaultMode: 0555 + defaultMode: 0555 \ No newline at end of file diff --git a/services/keycloak/portal-e2e-target-client-job.yaml b/services/keycloak/portal-e2e-target-client-job.yaml index 2900ae91..6fee3e85 100644 --- a/services/keycloak/portal-e2e-target-client-job.yaml +++ b/services/keycloak/portal-e2e-target-client-job.yaml @@ -10,6 +10,7 @@ spec: metadata: annotations: vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" vault.hashicorp.com/role: "sso" vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin" vault.hashicorp.com/agent-inject-template-keycloak-env.sh: | @@ -158,4 +159,4 @@ spec: print(f"OK: ensured token exchange enabled on client {target_client_id}") PY volumeMounts: - volumes: + volumes: \ No newline at end of file diff --git a/services/keycloak/portal-e2e-token-exchange-permissions-job.yaml b/services/keycloak/portal-e2e-token-exchange-permissions-job.yaml index 026260ae..9ef1a017 100644 --- a/services/keycloak/portal-e2e-token-exchange-permissions-job.yaml +++ b/services/keycloak/portal-e2e-token-exchange-permissions-job.yaml @@ -10,6 +10,7 @@ spec: metadata: annotations: vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" vault.hashicorp.com/role: "sso" vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin" vault.hashicorp.com/agent-inject-template-keycloak-env.sh: | 
@@ -290,4 +291,4 @@ spec: print("OK: configured token exchange permissions for portal E2E client") PY - volumeMounts: + volumeMounts: \ No newline at end of file diff --git a/services/keycloak/portal-e2e-token-exchange-test-job.yaml b/services/keycloak/portal-e2e-token-exchange-test-job.yaml index f32fa520..ae1c6360 100644 --- a/services/keycloak/portal-e2e-token-exchange-test-job.yaml +++ b/services/keycloak/portal-e2e-token-exchange-test-job.yaml @@ -11,6 +11,7 @@ spec: metadata: annotations: vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" vault.hashicorp.com/role: "sso" vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin" vault.hashicorp.com/agent-inject-template-keycloak-env.sh: | @@ -70,4 +71,4 @@ spec: - name: tests configMap: name: portal-e2e-tests - defaultMode: 0555 + defaultMode: 0555 \ No newline at end of file diff --git a/services/keycloak/realm-settings-job.yaml b/services/keycloak/realm-settings-job.yaml index d26e1991..926ebeb9 100644 --- a/services/keycloak/realm-settings-job.yaml +++ b/services/keycloak/realm-settings-job.yaml @@ -10,6 +10,7 @@ spec: metadata: annotations: vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" vault.hashicorp.com/role: "sso" vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin" vault.hashicorp.com/agent-inject-template-keycloak-env.sh: | @@ -467,4 +468,4 @@ spec: f"Unexpected execution update response for identity-provider-redirector: {status}" ) PY - volumeMounts: + volumeMounts: \ No newline at end of file diff --git a/services/keycloak/sparkyfitness-oidc-secret-ensure-job.yaml b/services/keycloak/sparkyfitness-oidc-secret-ensure-job.yaml index 6405d81a..ea38eec5 100644 --- a/services/keycloak/sparkyfitness-oidc-secret-ensure-job.yaml +++ b/services/keycloak/sparkyfitness-oidc-secret-ensure-job.yaml 
@@ -11,6 +11,7 @@ spec: metadata: annotations: vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" vault.hashicorp.com/role: "sso-secrets" vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin" vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: | @@ -49,4 +50,4 @@ spec: volumeMounts: - name: sparkyfitness-oidc-secret-ensure-script mountPath: /scripts - readOnly: true + readOnly: true \ No newline at end of file diff --git a/services/keycloak/synapse-oidc-secret-ensure-job.yaml b/services/keycloak/synapse-oidc-secret-ensure-job.yaml index f4f0da42..9a5dd8e0 100644 --- a/services/keycloak/synapse-oidc-secret-ensure-job.yaml +++ b/services/keycloak/synapse-oidc-secret-ensure-job.yaml @@ -11,6 +11,7 @@ spec: metadata: annotations: vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" vault.hashicorp.com/role: "sso-secrets" vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin" vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: | @@ -81,4 +82,4 @@ spec: curl -sS -X POST -H "X-Vault-Token: ${vault_token}" \ -d "${payload}" "${vault_addr}/v1/kv/data/atlas/comms/synapse-oidc" >/dev/null volumeMounts: - volumes: + volumes: \ No newline at end of file diff --git a/services/keycloak/user-overrides-job.yaml b/services/keycloak/user-overrides-job.yaml index d0063fb6..431d4fee 100644 --- a/services/keycloak/user-overrides-job.yaml +++ b/services/keycloak/user-overrides-job.yaml @@ -10,6 +10,7 @@ spec: metadata: annotations: vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" vault.hashicorp.com/role: "sso" vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin" vault.hashicorp.com/agent-inject-template-keycloak-env.sh: | 
@@ -164,4 +165,4 @@ spec: if status not in (200, 204): raise SystemExit(f"Unexpected user update response: {status}") PY - volumeMounts: + volumeMounts: \ No newline at end of file diff --git a/services/keycloak/vault-oidc-secret-ensure-job.yaml b/services/keycloak/vault-oidc-secret-ensure-job.yaml index 982444f1..29f69b76 100644 --- a/services/keycloak/vault-oidc-secret-ensure-job.yaml +++ b/services/keycloak/vault-oidc-secret-ensure-job.yaml @@ -11,6 +11,7 @@ spec: metadata: annotations: vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" vault.hashicorp.com/role: "sso-secrets" vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin" vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: | @@ -44,4 +45,4 @@ spec: volumeMounts: - name: vault-oidc-secret-ensure-script mountPath: /scripts - readOnly: true + readOnly: true \ No newline at end of file diff --git a/services/mailu/mailu-sync-cronjob.yaml b/services/mailu/mailu-sync-cronjob.yaml index e4ef9beb..9e0e35c2 100644 --- a/services/mailu/mailu-sync-cronjob.yaml +++ b/services/mailu/mailu-sync-cronjob.yaml @@ -13,6 +13,7 @@ spec: metadata: annotations: vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" vault.hashicorp.com/role: "mailu-mailserver" vault.hashicorp.com/agent-inject-secret-mailu-db-secret__database: "kv/data/atlas/mailu/mailu-db-secret" vault.hashicorp.com/agent-inject-template-mailu-db-secret__database: | @@ -78,4 +79,4 @@ spec: - name: vault-scripts configMap: name: mailu-vault-env - defaultMode: 0555 + defaultMode: 0555 \ No newline at end of file diff --git a/services/mailu/mailu-sync-job.yaml b/services/mailu/mailu-sync-job.yaml index b1cee93d..00c84c56 100644 --- a/services/mailu/mailu-sync-job.yaml +++ b/services/mailu/mailu-sync-job.yaml 
@@ -9,6 +9,7 @@ spec: metadata: annotations: vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" vault.hashicorp.com/role: "mailu-mailserver" vault.hashicorp.com/agent-inject-secret-mailu-db-secret__database: "kv/data/atlas/mailu/mailu-db-secret" vault.hashicorp.com/agent-inject-template-mailu-db-secret__database: | @@ -74,4 +75,4 @@ spec: - name: vault-scripts configMap: name: mailu-vault-env - defaultMode: 0555 + defaultMode: 0555 \ No newline at end of file diff --git a/services/nextcloud-mail-sync/cronjob.yaml b/services/nextcloud-mail-sync/cronjob.yaml index e6dcd378..6f38778a 100644 --- a/services/nextcloud-mail-sync/cronjob.yaml +++ b/services/nextcloud-mail-sync/cronjob.yaml @@ -15,6 +15,7 @@ spec: metadata: annotations: vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" vault.hashicorp.com/role: "nextcloud" vault.hashicorp.com/agent-inject-secret-nextcloud-env.sh: "kv/data/atlas/nextcloud/nextcloud-db" vault.hashicorp.com/agent-inject-template-nextcloud-env.sh: | @@ -103,4 +104,4 @@ spec: - name: sync-script configMap: name: nextcloud-mail-sync-script - defaultMode: 0755 + defaultMode: 0755 \ No newline at end of file diff --git a/services/nextcloud/maintenance-cronjob.yaml b/services/nextcloud/maintenance-cronjob.yaml index 8c924170..1ace3fc1 100644 --- a/services/nextcloud/maintenance-cronjob.yaml +++ b/services/nextcloud/maintenance-cronjob.yaml @@ -13,6 +13,7 @@ spec: metadata: annotations: vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" vault.hashicorp.com/role: "nextcloud" vault.hashicorp.com/agent-inject-secret-nextcloud-env.sh: "kv/data/atlas/nextcloud/nextcloud-db" vault.hashicorp.com/agent-inject-template-nextcloud-env.sh: | @@ -93,4 +94,4 @@ spec: - name: maintenance-script configMap: name: nextcloud-maintenance-script - defaultMode: 0755 + defaultMode: 0755 \ No newline at end of file