vault-csi: deploy vault provider daemonset

2025-12-25 03:20:13 -03:00 · 2025-12-25 03:20:13 -03:00 · 2acc7a06b2
commit 2acc7a06b2
parent 5666eceec7
2 changed files with 105 additions and 12 deletions
--- a/infrastructure/vault-csi/kustomization.yaml
+++ b/infrastructure/vault-csi/kustomization.yaml
@ -1,7 +1,6 @@
 # infrastructure/vault-csi/kustomization.yaml
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: kube-system
 resources:
  - secrets-store-csi-driver.yaml
  - vault-csi-provider.yaml
--- a/infrastructure/vault-csi/vault-csi-provider.yaml
+++ b/infrastructure/vault-csi/vault-csi-provider.yaml
@ -1,17 +1,111 @@
 # infrastructure/vault-csi/vault-csi-provider.yaml
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
+apiVersion: v1
+kind: ServiceAccount
 metadata:
  name: vault-csi-provider
  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: vault-csi-provider-clusterrole
+rules:
+  - apiGroups: [""]
+    resources: ["serviceaccounts/token"]
+    verbs: ["create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: vault-csi-provider-clusterrolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: vault-csi-provider-clusterrole
+subjects:
+  - kind: ServiceAccount
+    name: vault-csi-provider
+    namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: vault-csi-provider-role
+  namespace: kube-system
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get"]
+    resourceNames: ["vault-csi-provider-hmac-key"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: vault-csi-provider-rolebinding
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: vault-csi-provider-role
+subjects:
+  - kind: ServiceAccount
+    name: vault-csi-provider
+    namespace: kube-system
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: vault-csi-provider
+  namespace: kube-system
+  labels: { app.kubernetes.io/name: vault-csi-provider }
 spec:
-  interval: 15m
-  chart:
+  updateStrategy:
+    type: RollingUpdate
+  selector:
+    matchLabels: { app.kubernetes.io/name: vault-csi-provider }
+  template:
+    metadata:
+      labels: { app.kubernetes.io/name: vault-csi-provider }
    spec:
-      chart: vault-csi-provider
-      version: "~1.1.0"
-      sourceRef:
-        kind: HelmRepository
-        name: hashicorp
-        namespace: flux-system
-  values: {}
+      serviceAccountName: vault-csi-provider
+      containers:
+        - name: provider-vault-installer
+          image: hashicorp/vault-csi-provider:1.7.0
+          imagePullPolicy: IfNotPresent
+          args:
+            - -endpoint=/provider/vault.sock
+            - -log-level=info
+          resources:
+            requests: { cpu: 50m, memory: 100Mi }
+            limits:   { cpu: 50m, memory: 100Mi }
+          volumeMounts:
+            - { name: providervol, mountPath: "/provider" }
+          livenessProbe:
+            httpGet:
+              path: "/health/ready"
+              port: 8080
+              scheme: "HTTP"
+            failureThreshold: 2
+            initialDelaySeconds: 5
+            periodSeconds: 5
+            successThreshold: 1
+            timeoutSeconds: 3
+          readinessProbe:
+            httpGet:
+              path: "/health/ready"
+              port: 8080
+              scheme: "HTTP"
+            failureThreshold: 2
+            initialDelaySeconds: 5
+            periodSeconds: 5
+            successThreshold: 1
+            timeoutSeconds: 3
+      volumes:
+        - name: providervol
+          hostPath:
+            path: "/var/run/secrets-store-csi-providers"
+      nodeSelector:
+        kubernetes.io/os: linux