From 86c9951cc46d8f66bb6be8dd268cc9449f715f93 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Thu, 15 Jan 2026 02:06:28 -0300
Subject: [PATCH] vault: add admin role for config jobs
---
 services/vault/k8s-auth-config-cronjob.yaml | 4 +-
 services/vault/kustomization.yaml | 1 +
 services/vault/oidc-config-cronjob.yaml | 6 +--
 .../vault/scripts/vault_k8s_auth_configure.sh | 42 +++++++++++++++++++
 services/vault/serviceaccount-admin.yaml | 6 +++
 5 files changed, 54 insertions(+), 5 deletions(-)
 create mode 100644 services/vault/serviceaccount-admin.yaml
diff --git a/services/vault/k8s-auth-config-cronjob.yaml b/services/vault/k8s-auth-config-cronjob.yaml
index e9ee3e9..e71570f 100644
--- a/services/vault/k8s-auth-config-cronjob.yaml
+++ b/services/vault/k8s-auth-config-cronjob.yaml
@@ -14,7 +14,7 @@ spec:
 backoffLimit: 1
 template:
 spec:
- serviceAccountName: vault
+ serviceAccountName: vault-admin
 restartPolicy: Never
 nodeSelector:
 kubernetes.io/arch: arm64
@@ -30,7 +30,7 @@ spec:
 - name: VAULT_ADDR
 value: http://vault.vault.svc.cluster.local:8200
 - name: VAULT_K8S_ROLE
- value: vault
+ value: vault-admin
 - name: VAULT_K8S_ROLE_TTL
 value: 1h
 volumeMounts:
diff --git a/services/vault/kustomization.yaml b/services/vault/kustomization.yaml
index 6381404..e9f15c1 100644
--- a/services/vault/kustomization.yaml
+++ b/services/vault/kustomization.yaml
@@ -5,6 +5,7 @@ namespace: vault
 resources:
 - namespace.yaml
 - serviceaccount.yaml
+ - serviceaccount-admin.yaml
 - rbac.yaml
 - configmap.yaml
 - statefulset.yaml
diff --git a/services/vault/oidc-config-cronjob.yaml b/services/vault/oidc-config-cronjob.yaml
index b143d99..4f879d0 100644
--- a/services/vault/oidc-config-cronjob.yaml
+++ b/services/vault/oidc-config-cronjob.yaml
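Review bot: Switching `VAULT_K8S_ROLE` to `vault-admin` in the second hunk introduces a bootstrap dependency, because the `vault-admin` Kubernetes auth role only comes into existence when `vault_k8s_auth_configure.sh` writes it later in this same patch; if the job logs in with that role before running the script (the login path is outside these hunks), the first run on a fresh cluster cannot authenticate and the admin role is never created. That ordering deserves a comment next to the env var, e.g. `# vault-admin role/policy are written by vault_k8s_auth_configure.sh; bootstrap them once out-of-band before this job can log in`, or a separately bootstrapped role reserved for this job. The same role switch appears in the three oidc-config-cronjob.yaml hunks, which inherit the same dependency through the injector annotation. Nothing in the patch retires the previous `vault` role and policy, so whatever privileges the `vault` service account held remain reachable unless they are removed elsewhere.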
@@ -16,7 +16,7 @@ spec:
 metadata:
 annotations:
 vault.hashicorp.com/agent-inject: "true"
- vault.hashicorp.com/role: "vault"
+ vault.hashicorp.com/role: "vault-admin"
 vault.hashicorp.com/agent-inject-secret-vault-oidc-env.sh: "kv/data/atlas/vault/vault-oidc-config"
 vault.hashicorp.com/agent-inject-template-vault-oidc-env.sh: |
 {{ with secret "kv/data/atlas/vault/vault-oidc-config" }}
@@ -40,7 +40,7 @@ spec:
 export VAULT_OIDC_BOUND_CLAIMS_TYPE="{{ .Data.data.bound_claims_type }}"
 {{ end }}
 spec:
- serviceAccountName: vault
+ serviceAccountName: vault-admin
 restartPolicy: Never
 nodeSelector:
 kubernetes.io/arch: arm64
@@ -58,7 +58,7 @@ spec:
 - name: VAULT_ADDR
 value: http://vault.vault.svc.cluster.local:8200
 - name: VAULT_K8S_ROLE
- value: vault
+ value: vault-admin
 - name: VAULT_ENV_FILE
 value: /vault/secrets/vault-oidc-env.sh
 volumeMounts:
diff --git a/services/vault/scripts/vault_k8s_auth_configure.sh b/services/vault/scripts/vault_k8s_auth_configure.sh
index ed67c9b..2bc9166 100644
--- a/services/vault/scripts/vault_k8s_auth_configure.sh
+++ b/services/vault/scripts/vault_k8s_auth_configure.sh
@@ -50,6 +50,13 @@ vault write auth/kubernetes/config \
 kubernetes_host="${k8s_host}" \
 kubernetes_ca_cert="${k8s_ca}"
 
+write_raw_policy() {
+ name="$1"
+ body="$2"
+ log "writing policy ${name}"
+ printf '%s\n' "${body}" | vault policy write "${name}" -
+}
+
 write_policy_and_role() {
 role="$1"
 namespace="$2"
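Review bot: `write_raw_policy` has no header comment and assigns `name` and `body` as shell globals, so a caller's variables of the same names are clobbered after the call; `write_policy_and_role` right below does the same with `role`/`namespace`, so this matches the file's existing style, but if the script runs under bash a `local name body` line would be a cheap improvement. A one-line header such as `# write_raw_policy NAME BODY: upload BODY verbatim as ACL policy NAME (policy text is passed on stdin via "-")` would make the contrast with the templated `write_policy_and_role` clear. The body of `write_policy_and_role` continues past the end of the hunk.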
@@ -90,6 +97,41 @@ path \"kv/metadata/atlas/${path}\" {
 ttl="${role_ttl}"
 }
 
+vault_admin_policy='
+path "sys/auth" {
+ capabilities = ["read"]
+}
+path "sys/auth/*" {
+ capabilities = ["create", "update", "delete", "sudo", "read"]
+}
+path "auth/kubernetes/*" {
+ capabilities = ["create", "update", "read"]
+}
+path "auth/oidc/*" {
+ capabilities = ["create", "update", "read"]
+}
+path "sys/policies/acl" {
+ capabilities = ["list"]
+}
+path "sys/policies/acl/*" {
+ capabilities = ["create", "update", "read"]
+}
+path "kv/data/atlas/vault/*" {
+ capabilities = ["read"]
+}
+path "kv/metadata/atlas/vault/*" {
+ capabilities = ["list"]
+}
+'
+
+write_raw_policy "vault-admin" "${vault_admin_policy}"
+log "writing role vault-admin"
+vault write "auth/kubernetes/role/vault-admin" \
+ bound_service_account_names="vault-admin" \
+ bound_service_account_namespaces="vault" \
+ policies="vault-admin" \
+ ttl="${role_ttl}"
+
 write_policy_and_role "outline" "outline" "outline-vault" \
 "outline/* shared/postmark-relay" ""
 write_policy_and_role "planka" "planka" "planka-vault" \
diff --git a/services/vault/serviceaccount-admin.yaml b/services/vault/serviceaccount-admin.yaml
new file mode 100644
index 0000000..a9072bb
--- /dev/null
+++ b/services/vault/serviceaccount-admin.yaml
@@ -0,0 +1,6 @@
+# services/vault/serviceaccount-admin.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: vault-admin
+ namespace: vault
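Review bot: The `vault-admin` policy is self-granting: the job runs as `vault-admin`, and `sys/policies/acl/*` with `create`/`update` lets that token rewrite `sys/policies/acl/vault-admin` itself — which this block does on every run — so the capability list here documents current behaviour rather than enforcing a ceiling, and anyone who can change this script or the job's image effectively holds unrestricted ACL authority in Vault. `sys/auth/*` with `sudo` and `delete` additionally permits disabling or replacing the kubernetes auth method the job logs in with; if the mounts are enabled once at bootstrap and the steady-state script only writes `auth/kubernetes/config` (the enable calls, if any, are outside the hunk), `["create", "update", "read"]` there is likely sufficient. I would put a comment above the literal, `# NOTE: vault-admin can rewrite its own policy via sys/policies/acl/*; this list is not an effective ceiling, so treat edits to this block as privileged changes.`, and consider moving creation of `vault-admin` itself to a one-time root-held bootstrap step so the recurring job can carry `path "sys/policies/acl/vault-admin" { capabilities = ["deny"] }`. The narrow binding (`bound_service_account_names="vault-admin"`, `bound_service_account_namespaces="vault"`) is the right shape and worth keeping exactly that tight.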