vault: add admin role for config jobs

services/vault/k8s-auth-config-cronjob.yaml

@@ -14,7 +14,7 @@ spec:
       backoffLimit: 1
       template:
         spec:
-          serviceAccountName: vault
+          serviceAccountName: vault-admin
           restartPolicy: Never
           nodeSelector:
             kubernetes.io/arch: arm64
@@ -30,7 +30,7 @@ spec:
                 - name: VAULT_ADDR
                   value: http://vault.vault.svc.cluster.local:8200
                 - name: VAULT_K8S_ROLE
-                  value: vault
+                  value: vault-admin
                 - name: VAULT_K8S_ROLE_TTL
                   value: 1h
               volumeMounts:

services/vault/kustomization.yaml

@@ -5,6 +5,7 @@ namespace: vault
 resources:
   - namespace.yaml
   - serviceaccount.yaml
+  - serviceaccount-admin.yaml
   - rbac.yaml
   - configmap.yaml
   - statefulset.yaml

services/vault/oidc-config-cronjob.yaml

@@ -16,7 +16,7 @@ spec:
         metadata:
           annotations:
             vault.hashicorp.com/agent-inject: "true"
-            vault.hashicorp.com/role: "vault"
+            vault.hashicorp.com/role: "vault-admin"
             vault.hashicorp.com/agent-inject-secret-vault-oidc-env.sh: "kv/data/atlas/vault/vault-oidc-config"
             vault.hashicorp.com/agent-inject-template-vault-oidc-env.sh: |
               {{ with secret "kv/data/atlas/vault/vault-oidc-config" }}
@@ -40,7 +40,7 @@ spec:
               export VAULT_OIDC_BOUND_CLAIMS_TYPE="{{ .Data.data.bound_claims_type }}"
               {{ end }}
         spec:
-          serviceAccountName: vault
+          serviceAccountName: vault-admin
           restartPolicy: Never
           nodeSelector:
             kubernetes.io/arch: arm64
@@ -58,7 +58,7 @@ spec:
                 - name: VAULT_ADDR
                   value: http://vault.vault.svc.cluster.local:8200
                 - name: VAULT_K8S_ROLE
-                  value: vault
+                  value: vault-admin
                 - name: VAULT_ENV_FILE
                   value: /vault/secrets/vault-oidc-env.sh
               volumeMounts:

services/vault/scripts/vault_k8s_auth_configure.sh

@@ -50,6 +50,13 @@ vault write auth/kubernetes/config \
   kubernetes_host="${k8s_host}" \
   kubernetes_ca_cert="${k8s_ca}"
 
+write_raw_policy() {
+  name="$1"
+  body="$2"
+  log "writing policy ${name}"
+  printf '%s\n' "${body}" | vault policy write "${name}" -
+}
+
 write_policy_and_role() {
   role="$1"
   namespace="$2"
@@ -90,6 +97,41 @@ path \"kv/metadata/atlas/${path}\" {
     ttl="${role_ttl}"
 }
 
+vault_admin_policy='
+path "sys/auth" {
+  capabilities = ["read"]
+}
+path "sys/auth/*" {
+  capabilities = ["create", "update", "delete", "sudo", "read"]
+}
+path "auth/kubernetes/*" {
+  capabilities = ["create", "update", "read"]
+}
+path "auth/oidc/*" {
+  capabilities = ["create", "update", "read"]
+}
+path "sys/policies/acl" {
+  capabilities = ["list"]
+}
+path "sys/policies/acl/*" {
+  capabilities = ["create", "update", "read"]
+}
+path "kv/data/atlas/vault/*" {
+  capabilities = ["read"]
+}
+path "kv/metadata/atlas/vault/*" {
+  capabilities = ["list"]
+}
+'
+
+write_raw_policy "vault-admin" "${vault_admin_policy}"
+log "writing role vault-admin"
+vault write "auth/kubernetes/role/vault-admin" \
+  bound_service_account_names="vault-admin" \
+  bound_service_account_namespaces="vault" \
+  policies="vault-admin" \
+  ttl="${role_ttl}"
+
 write_policy_and_role "outline" "outline" "outline-vault" \
   "outline/* shared/postmark-relay" ""
 write_policy_and_role "planka" "planka" "planka-vault" \

services/vault/serviceaccount-admin.yaml

@@ -0,0 +1,6 @@
+# services/vault/serviceaccount-admin.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-admin
+  namespace: vault