diff --git a/infrastructure/vault-csi/kustomization.yaml b/infrastructure/vault-csi/kustomization.yaml
index 5598653..a5d223d 100644
--- a/infrastructure/vault-csi/kustomization.yaml
+++ b/infrastructure/vault-csi/kustomization.yaml
@@ -1,7 +1,6 @@
 # infrastructure/vault-csi/kustomization.yaml
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: kube-system
 resources:
 - secrets-store-csi-driver.yaml
 - vault-csi-provider.yaml
diff --git a/infrastructure/vault-csi/vault-csi-provider.yaml b/infrastructure/vault-csi/vault-csi-provider.yaml
index 379d7ff..0b63d1c 100644
--- a/infrastructure/vault-csi/vault-csi-provider.yaml
+++ b/infrastructure/vault-csi/vault-csi-provider.yaml
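Review bot: Dropping `namespace: kube-system` removes the only namespace transformer in this Kustomization, so every namespaced object in secrets-store-csi-driver.yaml must now carry its own `metadata.namespace`; the rewritten vault-csi-provider.yaml does, but the driver manifest is not part of this diff, so that needs checking — anything without one will land in whatever namespace the apply context defaults to. A one-line comment next to `resources:` would keep the next editor from re-adding the transformer or silently relying on it: `# no namespace transformer: each referenced manifest sets metadata.namespace explicitly`.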
@@ -1,17 +1,111 @@
 # infrastructure/vault-csi/vault-csi-provider.yaml
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
+apiVersion: v1
+kind: ServiceAccount
 metadata:
 name: vault-csi-provider
 namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: vault-csi-provider-clusterrole
+rules:
+ - apiGroups: [""]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: vault-csi-provider-clusterrolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: vault-csi-provider-clusterrole
+subjects:
+ - kind: ServiceAccount
+ name: vault-csi-provider
+ namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: vault-csi-provider-role
+ namespace: kube-system
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get"]
+ resourceNames: ["vault-csi-provider-hmac-key"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: vault-csi-provider-rolebinding
+ namespace: kube-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: vault-csi-provider-role
+subjects:
+ - kind: ServiceAccount
+ name: vault-csi-provider
+ namespace: kube-system
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: vault-csi-provider
+ namespace: kube-system
+ labels: { app.kubernetes.io/name: vault-csi-provider }
 spec:
- interval: 15m
- chart:
+ updateStrategy:
+ type: RollingUpdate
+ selector:
+ matchLabels: { app.kubernetes.io/name: vault-csi-provider }
+ template:
+ metadata:
+ labels: { app.kubernetes.io/name: vault-csi-provider }
 spec:
- chart: vault-csi-provider
- version: "~1.1.0"
- sourceRef:
- kind: HelmRepository
- name: hashicorp
- namespace: flux-system
- values: {}
+ serviceAccountName: vault-csi-provider
+ containers:
+ - name: provider-vault-installer
+ image: hashicorp/vault-csi-provider:1.7.0
+ imagePullPolicy: IfNotPresent
+ args:
+ - -endpoint=/provider/vault.sock
+ - -log-level=info
+ resources:
+ requests: { cpu: 50m, memory: 100Mi }
+ limits: { cpu: 50m, memory: 100Mi }
+ volumeMounts:
+ - { name: providervol, mountPath: "/provider" }
+ livenessProbe:
+ httpGet:
+ path: "/health/ready"
+ port: 8080
+ scheme: "HTTP"
+ failureThreshold: 2
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 3
+ readinessProbe:
+ httpGet:
+ path: "/health/ready"
+ port: 8080
+ scheme: "HTTP"
+ failureThreshold: 2
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 3
+ volumes:
+ - name: providervol
+ hostPath:
+ path: "/var/run/secrets-store-csi-providers"
+ nodeSelector:
+ kubernetes.io/os: linux
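Review bot: The DaemonSet pod template defines no pod- or container-level `securityContext`, and `image: hashicorp/vault-csi-provider:1.7.0` is pinned by mutable tag only, whereas the HelmRelease it replaces at least constrained a chart version range; a node-level component that writes into a hostPath and can mint ServiceAccount tokens cluster-wide should carry an explicit hardening block and a digest pin. The RBAC is also broader than the comment-free rules make it look: `create` cannot be restricted by `resourceNames`, so the Role's second rule permits creating any Secret in kube-system, and the ClusterRole's `serviceaccounts/token` create verb reaches every ServiceAccount in the cluster — both appear inherent to how the provider bootstraps `vault-csi-provider-hmac-key` and authenticates workloads, but each rule should say so, e.g. `# create cannot be scoped by resourceNames; needed once to bootstrap the HMAC key Secret`. Tolerations are absent as well, so the provider will not be scheduled on tainted nodes (control-plane nodes, for example) and any pod there that mounts a secrets-store volume would fail to start — add them if the CSI driver DaemonSet runs on those nodes. Whether the provider can run as non-root against a root-owned /var/run/secrets-store-csi-providers is not visible here, so the excerpt below drops capabilities and blocks privilege escalation without setting `runAsNonRoot`.
```yaml
      containers:
        - name: provider-vault-installer
          # pin by digest so a re-pushed 1.7.0 tag cannot change what runs on every node
          image: hashicorp/vault-csi-provider:1.7.0@sha256:<DIGEST_PLACEHOLDER>
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            seccompProfile:
              type: RuntimeDefault
          # … unchanged: args, resources, volumeMounts, livenessProbe, readinessProbe …
```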