vault: use dedicated service account for k8s auth

2025-12-25 03:43:17 -03:00 · 2025-12-25 03:43:17 -03:00 · 77ecf3229e
commit 77ecf3229e
parent bb93f730d5
4 changed files with 22 additions and 0 deletions
--- a/services/vault/kustomization.yaml
+++ b/services/vault/kustomization.yaml
@ -4,6 +4,8 @@ kind: Kustomization
 namespace: vault
 resources:
  - namespace.yaml
+  - serviceaccount.yaml
+  - rbac.yaml
  - configmap.yaml
  - statefulset.yaml
  - service.yaml
--- a/services/vault/rbac.yaml
+++ b/services/vault/rbac.yaml
@ -0,0 +1,13 @@
+# services/vault/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: vault-auth-delegator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+  - kind: ServiceAccount
+    name: vault
+    namespace: vault
--- a/services/vault/serviceaccount.yaml
+++ b/services/vault/serviceaccount.yaml
@ -0,0 +1,6 @@
+# services/vault/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault
+  namespace: vault
--- a/services/vault/statefulset.yaml
+++ b/services/vault/statefulset.yaml
@ -17,6 +17,7 @@ spec:
      labels:
        app: vault
    spec:
+      serviceAccountName: vault
      nodeSelector:
        node-role.kubernetes.io/worker: "true"
        kubernetes.io/arch: arm64