vault: prepopulate injector for jobs
This commit is contained in:
parent
f6fc250fe1
commit
98d67293bc
@ -10,6 +10,7 @@ spec:
|
||||
metadata:
|
||||
annotations:
|
||||
vault.hashicorp.com/agent-inject: "true"
|
||||
vault.hashicorp.com/agent-pre-populate-only: "true"
|
||||
vault.hashicorp.com/role: "bstein-dev-home"
|
||||
vault.hashicorp.com/agent-inject-secret-portal-env.sh: "kv/data/atlas/portal/atlas-portal-db"
|
||||
vault.hashicorp.com/agent-inject-template-portal-env.sh: |
|
||||
@ -70,4 +71,4 @@ spec:
|
||||
- name: tests
|
||||
configMap:
|
||||
name: portal-onboarding-e2e-tests
|
||||
defaultMode: 0555
|
||||
defaultMode: 0555
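Review bot: `vault.hashicorp.com/agent-pre-populate-only: "true"` drops the sidecar, so `portal-env.sh` is rendered once by the init container and never refreshed for the life of the pod; that is the right trade for a Job reading a static kv path such as `kv/data/atlas/portal/atlas-portal-db`, but it also means a completed Job pod presumably keeps the rendered credential on its secrets volume until the pod object is removed, so a `ttlSecondsAfterFinished` on these Jobs is worth confirming (the Job spec is outside the hunk). The same annotation is added by hand to every manifest in this commit (the comms, sso, sso-secrets, mailu-mailserver and nextcloud sections below); a shared kustomize patch or base would keep them from drifting, and one section already differs by also carrying `agent-init-first`. Role `bstein-dev-home` is used here to read a portal-specific path; worth confirming that the Vault policy bound to that role is limited to `kv/data/atlas/portal/*` rather than a broader home-scoped policy.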
|
||||
@ -16,6 +16,7 @@ spec:
|
||||
metadata:
|
||||
annotations:
|
||||
vault.hashicorp.com/agent-inject: "true"
|
||||
vault.hashicorp.com/agent-pre-populate-only: "true"
|
||||
vault.hashicorp.com/role: "bstein-dev-home"
|
||||
vault.hashicorp.com/agent-inject-secret-portal-env.sh: "kv/data/atlas/portal/atlas-portal-db"
|
||||
vault.hashicorp.com/agent-inject-template-portal-env.sh: |
|
||||
@ -73,4 +74,4 @@ spec:
|
||||
- name: vaultwarden-cred-sync-script
|
||||
configMap:
|
||||
name: vaultwarden-cred-sync-script
|
||||
defaultMode: 0555
|
||||
defaultMode: 0555
|
||||
@ -10,6 +10,7 @@ spec:
|
||||
metadata:
|
||||
annotations:
|
||||
vault.hashicorp.com/agent-inject: "true"
|
||||
vault.hashicorp.com/agent-pre-populate-only: "true"
|
||||
vault.hashicorp.com/role: "comms"
|
||||
vault.hashicorp.com/agent-inject-secret-mas-admin-secret: "kv/data/atlas/comms/mas-admin-client-runtime"
|
||||
vault.hashicorp.com/agent-inject-template-mas-admin-secret: |
|
||||
@ -185,4 +186,4 @@ spec:
|
||||
print(json.dumps(results, indent=2, sort_keys=True))
|
||||
if failures:
|
||||
raise SystemExit(f"failed to leave/forget rooms: {', '.join(failures)}")
|
||||
PY
|
||||
PY
|
||||
@ -17,6 +17,7 @@ spec:
|
||||
metadata:
|
||||
annotations:
|
||||
vault.hashicorp.com/agent-inject: "true"
|
||||
vault.hashicorp.com/agent-pre-populate-only: "true"
|
||||
vault.hashicorp.com/role: "comms"
|
||||
vault.hashicorp.com/agent-inject-secret-turn-secret: "kv/data/atlas/comms/turn-shared-secret"
|
||||
vault.hashicorp.com/agent-inject-template-turn-secret: |
|
||||
@ -430,4 +431,4 @@ spec:
|
||||
db_rename_numeric(existing)
|
||||
finally:
|
||||
mas_revoke_session(admin_token, seeder_session)
|
||||
PY
|
||||
PY
|
||||
@ -11,6 +11,7 @@ spec:
|
||||
metadata:
|
||||
annotations:
|
||||
vault.hashicorp.com/agent-inject: "true"
|
||||
vault.hashicorp.com/agent-pre-populate-only: "true"
|
||||
vault.hashicorp.com/role: "comms"
|
||||
vault.hashicorp.com/agent-inject-secret-turn-secret: "kv/data/atlas/comms/turn-shared-secret"
|
||||
vault.hashicorp.com/agent-inject-template-turn-secret: |
|
||||
@ -186,4 +187,4 @@ spec:
|
||||
token = admin_token()
|
||||
ensure_user(token, os.environ["SEEDER_USER"], os.environ["SEEDER_PASS"])
|
||||
ensure_user(token, os.environ["BOT_USER"], os.environ["BOT_PASS"])
|
||||
PY
|
||||
PY
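Review bot: `ensure_user(token, os.environ["SEEDER_USER"], os.environ["SEEDER_PASS"])` and the `BOT_USER`/`BOT_PASS` pair still take passwords from the process environment, while this same Job now receives `kv/data/atlas/comms/turn-shared-secret` through the injector. If those variables are populated from a Kubernetes Secret via `env:` (the container spec is outside the hunk), they stay visible in the pod spec and are inherited by every child process of the script; rendering them with an additional `agent-inject-secret-*` template under the same `comms` role would be consistent with the direction of this commit. A missing variable also surfaces only as a bare `KeyError` traceback, so a short `os.environ.get(...)` check with a clear message at the top of the heredoc would make a misconfigured Job easier to diagnose.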
|
||||
@ -10,6 +10,7 @@ spec:
|
||||
metadata:
|
||||
annotations:
|
||||
vault.hashicorp.com/agent-inject: "true"
|
||||
vault.hashicorp.com/agent-pre-populate-only: "true"
|
||||
vault.hashicorp.com/role: "comms"
|
||||
vault.hashicorp.com/agent-inject-secret-turn-secret: "kv/data/atlas/comms/turn-shared-secret"
|
||||
vault.hashicorp.com/agent-inject-template-turn-secret: |
|
||||
@ -155,4 +156,4 @@ spec:
|
||||
- name: vault-scripts
|
||||
configMap:
|
||||
name: comms-vault-env
|
||||
defaultMode: 0555
|
||||
defaultMode: 0555
|
||||
@ -17,6 +17,7 @@ spec:
|
||||
metadata:
|
||||
annotations:
|
||||
vault.hashicorp.com/agent-inject: "true"
|
||||
vault.hashicorp.com/agent-pre-populate-only: "true"
|
||||
vault.hashicorp.com/role: "comms"
|
||||
vault.hashicorp.com/agent-inject-secret-turn-secret: "kv/data/atlas/comms/turn-shared-secret"
|
||||
vault.hashicorp.com/agent-inject-template-turn-secret: |
|
||||
@ -163,4 +164,4 @@ spec:
|
||||
- name: vault-scripts
|
||||
configMap:
|
||||
name: comms-vault-env
|
||||
defaultMode: 0555
|
||||
defaultMode: 0555
|
||||
@ -17,6 +17,7 @@ spec:
|
||||
metadata:
|
||||
annotations:
|
||||
vault.hashicorp.com/agent-inject: "true"
|
||||
vault.hashicorp.com/agent-pre-populate-only: "true"
|
||||
vault.hashicorp.com/role: "comms"
|
||||
vault.hashicorp.com/agent-inject-secret-turn-secret: "kv/data/atlas/comms/turn-shared-secret"
|
||||
vault.hashicorp.com/agent-inject-template-turn-secret: |
|
||||
@ -306,4 +307,4 @@ spec:
|
||||
- name: vault-scripts
|
||||
configMap:
|
||||
name: comms-vault-env
|
||||
defaultMode: 0555
|
||||
defaultMode: 0555
|
||||
@ -15,6 +15,7 @@ spec:
|
||||
metadata:
|
||||
annotations:
|
||||
vault.hashicorp.com/agent-inject: "true"
|
||||
vault.hashicorp.com/agent-pre-populate-only: "true"
|
||||
vault.hashicorp.com/role: "comms"
|
||||
vault.hashicorp.com/agent-inject-secret-turn-secret: "kv/data/atlas/comms/turn-shared-secret"
|
||||
vault.hashicorp.com/agent-inject-template-turn-secret: |
|
||||
@ -179,4 +180,4 @@ spec:
|
||||
- name: vault-scripts
|
||||
configMap:
|
||||
name: comms-vault-env
|
||||
defaultMode: 0555
|
||||
defaultMode: 0555
|
||||
@ -10,6 +10,7 @@ spec:
|
||||
metadata:
|
||||
annotations:
|
||||
vault.hashicorp.com/agent-inject: "true"
|
||||
vault.hashicorp.com/agent-pre-populate-only: "true"
|
||||
vault.hashicorp.com/role: "comms"
|
||||
vault.hashicorp.com/agent-inject-secret-turn-secret: "kv/data/atlas/comms/turn-shared-secret"
|
||||
vault.hashicorp.com/agent-inject-template-turn-secret: |
|
||||
@ -76,4 +77,4 @@ spec:
|
||||
- name: vault-scripts
|
||||
configMap:
|
||||
name: comms-vault-env
|
||||
defaultMode: 0555
|
||||
defaultMode: 0555
|
||||
@ -11,6 +11,7 @@ spec:
|
||||
metadata:
|
||||
annotations:
|
||||
vault.hashicorp.com/agent-inject: "true"
|
||||
vault.hashicorp.com/agent-pre-populate-only: "true"
|
||||
vault.hashicorp.com/role: "comms"
|
||||
vault.hashicorp.com/agent-inject-secret-turn-secret: "kv/data/atlas/comms/turn-shared-secret"
|
||||
vault.hashicorp.com/agent-inject-template-turn-secret: |
|
||||
@ -150,4 +151,4 @@ spec:
|
||||
- name: vault-scripts
|
||||
configMap:
|
||||
name: comms-vault-env
|
||||
defaultMode: 0555
|
||||
defaultMode: 0555
|
||||
@ -11,6 +11,7 @@ spec:
|
||||
metadata:
|
||||
annotations:
|
||||
vault.hashicorp.com/agent-inject: "true"
|
||||
vault.hashicorp.com/agent-pre-populate-only: "true"
|
||||
vault.hashicorp.com/role: "sso-secrets"
|
||||
vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin"
|
||||
vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: |
|
||||
@ -49,4 +50,4 @@ spec:
|
||||
volumeMounts:
|
||||
- name: endurain-oidc-secret-ensure-script
|
||||
mountPath: /scripts
|
||||
readOnly: true
|
||||
readOnly: true
|
||||
@ -11,6 +11,7 @@ spec:
|
||||
metadata:
|
||||
annotations:
|
||||
vault.hashicorp.com/agent-inject: "true"
|
||||
vault.hashicorp.com/agent-pre-populate-only: "true"
|
||||
vault.hashicorp.com/role: "sso-secrets"
|
||||
vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin"
|
||||
vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: |
|
||||
@ -44,4 +45,4 @@ spec:
|
||||
volumeMounts:
|
||||
- name: harbor-oidc-secret-ensure-script
|
||||
mountPath: /scripts
|
||||
readOnly: true
|
||||
readOnly: true
|
||||
@ -10,6 +10,7 @@ spec:
|
||||
metadata:
|
||||
annotations:
|
||||
vault.hashicorp.com/agent-inject: "true"
|
||||
vault.hashicorp.com/agent-pre-populate-only: "true"
|
||||
vault.hashicorp.com/role: "sso"
|
||||
vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin"
|
||||
vault.hashicorp.com/agent-inject-template-keycloak-env.sh: |
|
||||
@ -376,4 +377,4 @@ spec:
|
||||
except Exception as e:
|
||||
print(f"WARNING: LDAP cleanup failed (continuing): {e}")
|
||||
PY
|
||||
volumeMounts:
|
||||
volumeMounts:
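Review bot: `except Exception as e:` followed by `print(f"WARNING: LDAP cleanup failed (continuing): {e}")` turns a failed cleanup into a successful Job run, and because the message goes to stdout it does not stand out from the normal log lines. If the cleanup removes stale or test LDAP entries, leaving them behind is exactly the kind of drift a review would want to see as a failed run rather than a warning. At minimum send the warning to stderr (`print(..., file=sys.stderr)`, assuming `sys` is imported earlier in the heredoc, which is outside the hunk) and narrow the clause to the LDAP library's exception type; if the entries matter for access control, re-raise after logging.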
|
||||
@ -11,6 +11,7 @@ spec:
|
||||
metadata:
|
||||
annotations:
|
||||
vault.hashicorp.com/agent-inject: "true"
|
||||
vault.hashicorp.com/agent-pre-populate-only: "true"
|
||||
vault.hashicorp.com/role: "sso-secrets"
|
||||
vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin"
|
||||
vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: |
|
||||
@ -121,4 +122,4 @@ spec:
|
||||
--from-literal=cookie_secret="${COOKIE_SECRET}" \
|
||||
--dry-run=client -o yaml | kubectl -n logging apply -f - >/dev/null
|
||||
volumeMounts:
|
||||
volumes:
|
||||
volumes:
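Review bot: `--from-literal=cookie_secret="${COOKIE_SECRET}"` puts the secret value into the argv of `kubectl create secret`, where it is readable from the container's process list for the duration of the call and would be echoed verbatim if the script were ever run with `set -x`. Since this Job already has the Vault-rendered `keycloak-admin-env.sh` on disk, writing the value to a file in the same secrets directory and using `--from-file=cookie_secret=<path>` (or feeding the manifest on stdin) avoids exposing it on the command line; where `COOKIE_SECRET` is generated or read from is outside the hunk. The `>/dev/null` on the `kubectl apply` keeps the applied object's name out of the log, which is fine, but a failed `kubectl create` earlier in the pipeline is reported only through `apply` receiving empty input, so confirm the script runs under `set -euo pipefail`.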
|
||||
@ -19,6 +19,7 @@ spec:
|
||||
metadata:
|
||||
annotations:
|
||||
vault.hashicorp.com/agent-inject: "true"
|
||||
vault.hashicorp.com/agent-pre-populate-only: "true"
|
||||
vault.hashicorp.com/agent-init-first: "true"
|
||||
vault.hashicorp.com/role: "sso-secrets"
|
||||
vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin"
|
||||
@ -123,4 +124,4 @@ spec:
|
||||
-d "${payload}" "${vault_addr}/v1/kv/data/atlas/comms/mas-secrets-runtime" >/dev/null
|
||||
volumeMounts:
|
||||
- name: work
|
||||
mountPath: /work
|
||||
mountPath: /work
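Review bot: `-d "${payload}" "${vault_addr}/v1/kv/data/atlas/comms/mas-secrets-runtime" >/dev/null` discards Vault's response, and unless the options on the preceding continuation line (not shown here) include `-f`, an HTTP 403 permission-denied or 400 from Vault still exits 0, so a Job that failed to store the secret reports success. The fully visible call in the synapse-oidc section further down, `curl -sS -X POST -H "X-Vault-Token: ${vault_token}" \`, has no `-f`, so the same applies there; `curl -sSf ...` makes the HTTP error fatal when the script runs under `set -e`. With `agent-pre-populate-only` there is no sidecar, so the existing `agent-init-first: "true"` here only orders the Vault init container ahead of the Job's other init containers, which is the intended effect if any of them consume the rendered `keycloak-admin-env.sh`; a one-line comment above the annotation saying so would save the next reader from assuming it is redundant.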
|
||||
@ -10,6 +10,7 @@ spec:
|
||||
metadata:
|
||||
annotations:
|
||||
vault.hashicorp.com/agent-inject: "true"
|
||||
vault.hashicorp.com/agent-pre-populate-only: "true"
|
||||
vault.hashicorp.com/role: "sso"
|
||||
vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin"
|
||||
vault.hashicorp.com/agent-inject-template-keycloak-env.sh: |
|
||||
@ -257,4 +258,4 @@ spec:
|
||||
raise SystemExit(f"Role mapping update failed (status={status}) resp={resp}")
|
||||
PY
|
||||
volumeMounts:
|
||||
volumes:
|
||||
volumes:
|
||||
@ -10,6 +10,7 @@ spec:
|
||||
metadata:
|
||||
annotations:
|
||||
vault.hashicorp.com/agent-inject: "true"
|
||||
vault.hashicorp.com/agent-pre-populate-only: "true"
|
||||
vault.hashicorp.com/role: "sso"
|
||||
vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin"
|
||||
vault.hashicorp.com/agent-inject-template-keycloak-env.sh: |
|
||||
@ -69,4 +70,4 @@ spec:
|
||||
- name: tests
|
||||
configMap:
|
||||
name: portal-e2e-tests
|
||||
defaultMode: 0555
|
||||
defaultMode: 0555
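Review bot: The `portal-e2e-tests` Job is bound to role `sso` and receives `kv/data/atlas/shared/keycloak-admin`, the same realm-admin credential the configuration jobs in this commit use. An end-to-end test normally needs only a test client or test user, so if that is all the test scripts use, a dedicated kv path and a narrower role would keep the Keycloak admin password out of a pod whose test code arrives via a ConfigMap mounted `defaultMode: 0555` and whose logs are routinely shared for debugging. The second `portal-e2e-tests` section further down has the same binding; what the tests actually read from `keycloak-env.sh` is outside the hunk.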
|
||||
@ -10,6 +10,7 @@ spec:
|
||||
metadata:
|
||||
annotations:
|
||||
vault.hashicorp.com/agent-inject: "true"
|
||||
vault.hashicorp.com/agent-pre-populate-only: "true"
|
||||
vault.hashicorp.com/role: "sso"
|
||||
vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin"
|
||||
vault.hashicorp.com/agent-inject-template-keycloak-env.sh: |
|
||||
@ -158,4 +159,4 @@ spec:
|
||||
print(f"OK: ensured token exchange enabled on client {target_client_id}")
|
||||
PY
|
||||
volumeMounts:
|
||||
volumes:
|
||||
volumes:
|
||||
@ -10,6 +10,7 @@ spec:
|
||||
metadata:
|
||||
annotations:
|
||||
vault.hashicorp.com/agent-inject: "true"
|
||||
vault.hashicorp.com/agent-pre-populate-only: "true"
|
||||
vault.hashicorp.com/role: "sso"
|
||||
vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin"
|
||||
vault.hashicorp.com/agent-inject-template-keycloak-env.sh: |
|
||||
@ -290,4 +291,4 @@ spec:
|
||||
|
||||
print("OK: configured token exchange permissions for portal E2E client")
|
||||
PY
|
||||
volumeMounts:
|
||||
volumeMounts:
|
||||
@ -11,6 +11,7 @@ spec:
|
||||
metadata:
|
||||
annotations:
|
||||
vault.hashicorp.com/agent-inject: "true"
|
||||
vault.hashicorp.com/agent-pre-populate-only: "true"
|
||||
vault.hashicorp.com/role: "sso"
|
||||
vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin"
|
||||
vault.hashicorp.com/agent-inject-template-keycloak-env.sh: |
|
||||
@ -70,4 +71,4 @@ spec:
|
||||
- name: tests
|
||||
configMap:
|
||||
name: portal-e2e-tests
|
||||
defaultMode: 0555
|
||||
defaultMode: 0555
|
||||
@ -10,6 +10,7 @@ spec:
|
||||
metadata:
|
||||
annotations:
|
||||
vault.hashicorp.com/agent-inject: "true"
|
||||
vault.hashicorp.com/agent-pre-populate-only: "true"
|
||||
vault.hashicorp.com/role: "sso"
|
||||
vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin"
|
||||
vault.hashicorp.com/agent-inject-template-keycloak-env.sh: |
|
||||
@ -467,4 +468,4 @@ spec:
|
||||
f"Unexpected execution update response for identity-provider-redirector: {status}"
|
||||
)
|
||||
PY
|
||||
volumeMounts:
|
||||
volumeMounts:
|
||||
@ -11,6 +11,7 @@ spec:
|
||||
metadata:
|
||||
annotations:
|
||||
vault.hashicorp.com/agent-inject: "true"
|
||||
vault.hashicorp.com/agent-pre-populate-only: "true"
|
||||
vault.hashicorp.com/role: "sso-secrets"
|
||||
vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin"
|
||||
vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: |
|
||||
@ -49,4 +50,4 @@ spec:
|
||||
volumeMounts:
|
||||
- name: sparkyfitness-oidc-secret-ensure-script
|
||||
mountPath: /scripts
|
||||
readOnly: true
|
||||
readOnly: true
|
||||
@ -11,6 +11,7 @@ spec:
|
||||
metadata:
|
||||
annotations:
|
||||
vault.hashicorp.com/agent-inject: "true"
|
||||
vault.hashicorp.com/agent-pre-populate-only: "true"
|
||||
vault.hashicorp.com/role: "sso-secrets"
|
||||
vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin"
|
||||
vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: |
|
||||
@ -81,4 +82,4 @@ spec:
|
||||
curl -sS -X POST -H "X-Vault-Token: ${vault_token}" \
|
||||
-d "${payload}" "${vault_addr}/v1/kv/data/atlas/comms/synapse-oidc" >/dev/null
|
||||
volumeMounts:
|
||||
volumes:
|
||||
volumes:
|
||||
@ -10,6 +10,7 @@ spec:
|
||||
metadata:
|
||||
annotations:
|
||||
vault.hashicorp.com/agent-inject: "true"
|
||||
vault.hashicorp.com/agent-pre-populate-only: "true"
|
||||
vault.hashicorp.com/role: "sso"
|
||||
vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin"
|
||||
vault.hashicorp.com/agent-inject-template-keycloak-env.sh: |
|
||||
@ -164,4 +165,4 @@ spec:
|
||||
if status not in (200, 204):
|
||||
raise SystemExit(f"Unexpected user update response: {status}")
|
||||
PY
|
||||
volumeMounts:
|
||||
volumeMounts:
|
||||
@ -11,6 +11,7 @@ spec:
|
||||
metadata:
|
||||
annotations:
|
||||
vault.hashicorp.com/agent-inject: "true"
|
||||
vault.hashicorp.com/agent-pre-populate-only: "true"
|
||||
vault.hashicorp.com/role: "sso-secrets"
|
||||
vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin"
|
||||
vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: |
|
||||
@ -44,4 +45,4 @@ spec:
|
||||
volumeMounts:
|
||||
- name: vault-oidc-secret-ensure-script
|
||||
mountPath: /scripts
|
||||
readOnly: true
|
||||
readOnly: true
|
||||
@ -13,6 +13,7 @@ spec:
|
||||
metadata:
|
||||
annotations:
|
||||
vault.hashicorp.com/agent-inject: "true"
|
||||
vault.hashicorp.com/agent-pre-populate-only: "true"
|
||||
vault.hashicorp.com/role: "mailu-mailserver"
|
||||
vault.hashicorp.com/agent-inject-secret-mailu-db-secret__database: "kv/data/atlas/mailu/mailu-db-secret"
|
||||
vault.hashicorp.com/agent-inject-template-mailu-db-secret__database: |
|
||||
@ -78,4 +79,4 @@ spec:
|
||||
- name: vault-scripts
|
||||
configMap:
|
||||
name: mailu-vault-env
|
||||
defaultMode: 0555
|
||||
defaultMode: 0555
|
||||
@ -9,6 +9,7 @@ spec:
|
||||
metadata:
|
||||
annotations:
|
||||
vault.hashicorp.com/agent-inject: "true"
|
||||
vault.hashicorp.com/agent-pre-populate-only: "true"
|
||||
vault.hashicorp.com/role: "mailu-mailserver"
|
||||
vault.hashicorp.com/agent-inject-secret-mailu-db-secret__database: "kv/data/atlas/mailu/mailu-db-secret"
|
||||
vault.hashicorp.com/agent-inject-template-mailu-db-secret__database: |
|
||||
@ -74,4 +75,4 @@ spec:
|
||||
- name: vault-scripts
|
||||
configMap:
|
||||
name: mailu-vault-env
|
||||
defaultMode: 0555
|
||||
defaultMode: 0555
|
||||
@ -15,6 +15,7 @@ spec:
|
||||
metadata:
|
||||
annotations:
|
||||
vault.hashicorp.com/agent-inject: "true"
|
||||
vault.hashicorp.com/agent-pre-populate-only: "true"
|
||||
vault.hashicorp.com/role: "nextcloud"
|
||||
vault.hashicorp.com/agent-inject-secret-nextcloud-env.sh: "kv/data/atlas/nextcloud/nextcloud-db"
|
||||
vault.hashicorp.com/agent-inject-template-nextcloud-env.sh: |
|
||||
@ -103,4 +104,4 @@ spec:
|
||||
- name: sync-script
|
||||
configMap:
|
||||
name: nextcloud-mail-sync-script
|
||||
defaultMode: 0755
|
||||
defaultMode: 0755
|
||||
@ -13,6 +13,7 @@ spec:
|
||||
metadata:
|
||||
annotations:
|
||||
vault.hashicorp.com/agent-inject: "true"
|
||||
vault.hashicorp.com/agent-pre-populate-only: "true"
|
||||
vault.hashicorp.com/role: "nextcloud"
|
||||
vault.hashicorp.com/agent-inject-secret-nextcloud-env.sh: "kv/data/atlas/nextcloud/nextcloud-db"
|
||||
vault.hashicorp.com/agent-inject-template-nextcloud-env.sh: |
|
||||
@ -93,4 +94,4 @@ spec:
|
||||
- name: maintenance-script
|
||||
configMap:
|
||||
name: nextcloud-maintenance-script
|
||||
defaultMode: 0755
|
||||
defaultMode: 0755
|
||||