bstein/titan-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

vault: prepopulate injector for jobs

Browse Source
This commit is contained in:
Brad Stein 2026-01-14 14:29:29 -03:00
parent f6fc250fe1
commit 98d67293bc
30 changed files with 60 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
services/bstein-dev-home/portal-onboarding-e2e-test-job.yaml
View File

@ -10,6 +10,7 @@ spec:
metadata: metadata:
annotations: annotations:
vault.hashicorp.com/agent-inject: "true" vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/role: "bstein-dev-home" vault.hashicorp.com/role: "bstein-dev-home"
vault.hashicorp.com/agent-inject-secret-portal-env.sh: "kv/data/atlas/portal/atlas-portal-db" vault.hashicorp.com/agent-inject-secret-portal-env.sh: "kv/data/atlas/portal/atlas-portal-db"
vault.hashicorp.com/agent-inject-template-portal-env.sh: | vault.hashicorp.com/agent-inject-template-portal-env.sh: |
@ -70,4 +71,4 @@ spec:
- name: tests - name: tests
configMap: configMap:
name: portal-onboarding-e2e-tests name: portal-onboarding-e2e-tests
defaultMode: 0555 defaultMode: 0555

3
services/bstein-dev-home/vaultwarden-cred-sync-cronjob.yaml
View File

@ -16,6 +16,7 @@ spec:
metadata: metadata:
annotations: annotations:
vault.hashicorp.com/agent-inject: "true" vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/role: "bstein-dev-home" vault.hashicorp.com/role: "bstein-dev-home"
vault.hashicorp.com/agent-inject-secret-portal-env.sh: "kv/data/atlas/portal/atlas-portal-db" vault.hashicorp.com/agent-inject-secret-portal-env.sh: "kv/data/atlas/portal/atlas-portal-db"
vault.hashicorp.com/agent-inject-template-portal-env.sh: | vault.hashicorp.com/agent-inject-template-portal-env.sh: |
@ -73,4 +74,4 @@ spec:
- name: vaultwarden-cred-sync-script - name: vaultwarden-cred-sync-script
configMap: configMap:
name: vaultwarden-cred-sync-script name: vaultwarden-cred-sync-script
defaultMode: 0555 defaultMode: 0555

3
services/comms/bstein-force-leave-job.yaml
View File

@ -10,6 +10,7 @@ spec:
metadata: metadata:
annotations: annotations:
vault.hashicorp.com/agent-inject: "true" vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/role: "comms" vault.hashicorp.com/role: "comms"
vault.hashicorp.com/agent-inject-secret-mas-admin-secret: "kv/data/atlas/comms/mas-admin-client-runtime" vault.hashicorp.com/agent-inject-secret-mas-admin-secret: "kv/data/atlas/comms/mas-admin-client-runtime"
vault.hashicorp.com/agent-inject-template-mas-admin-secret: | vault.hashicorp.com/agent-inject-template-mas-admin-secret: |
@ -185,4 +186,4 @@ spec:
print(json.dumps(results, indent=2, sort_keys=True)) print(json.dumps(results, indent=2, sort_keys=True))
if failures: if failures:
raise SystemExit(f"failed to leave/forget rooms: {', '.join(failures)}") raise SystemExit(f"failed to leave/forget rooms: {', '.join(failures)}")
PY PY

3
services/comms/guest-name-job.yaml
View File

@ -17,6 +17,7 @@ spec:
metadata: metadata:
annotations: annotations:
vault.hashicorp.com/agent-inject: "true" vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/role: "comms" vault.hashicorp.com/role: "comms"
vault.hashicorp.com/agent-inject-secret-turn-secret: "kv/data/atlas/comms/turn-shared-secret" vault.hashicorp.com/agent-inject-secret-turn-secret: "kv/data/atlas/comms/turn-shared-secret"
vault.hashicorp.com/agent-inject-template-turn-secret: | vault.hashicorp.com/agent-inject-template-turn-secret: |
@ -430,4 +431,4 @@ spec:
db_rename_numeric(existing) db_rename_numeric(existing)
finally: finally:
mas_revoke_session(admin_token, seeder_session) mas_revoke_session(admin_token, seeder_session)
PY PY

3
services/comms/mas-local-users-ensure-job.yaml
View File

@ -11,6 +11,7 @@ spec:
metadata: metadata:
annotations: annotations:
vault.hashicorp.com/agent-inject: "true" vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/role: "comms" vault.hashicorp.com/role: "comms"
vault.hashicorp.com/agent-inject-secret-turn-secret: "kv/data/atlas/comms/turn-shared-secret" vault.hashicorp.com/agent-inject-secret-turn-secret: "kv/data/atlas/comms/turn-shared-secret"
vault.hashicorp.com/agent-inject-template-turn-secret: | vault.hashicorp.com/agent-inject-template-turn-secret: |
@ -186,4 +187,4 @@ spec:
token = admin_token() token = admin_token()
ensure_user(token, os.environ["SEEDER_USER"], os.environ["SEEDER_PASS"]) ensure_user(token, os.environ["SEEDER_USER"], os.environ["SEEDER_PASS"])
ensure_user(token, os.environ["BOT_USER"], os.environ["BOT_PASS"]) ensure_user(token, os.environ["BOT_USER"], os.environ["BOT_PASS"])
PY PY

3
services/comms/othrys-kick-numeric-job.yaml
View File

@ -10,6 +10,7 @@ spec:
metadata: metadata:
annotations: annotations:
vault.hashicorp.com/agent-inject: "true" vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/role: "comms" vault.hashicorp.com/role: "comms"
vault.hashicorp.com/agent-inject-secret-turn-secret: "kv/data/atlas/comms/turn-shared-secret" vault.hashicorp.com/agent-inject-secret-turn-secret: "kv/data/atlas/comms/turn-shared-secret"
vault.hashicorp.com/agent-inject-template-turn-secret: | vault.hashicorp.com/agent-inject-template-turn-secret: |
@ -155,4 +156,4 @@ spec:
- name: vault-scripts - name: vault-scripts
configMap: configMap:
name: comms-vault-env name: comms-vault-env
defaultMode: 0555 defaultMode: 0555

3
services/comms/pin-othrys-job.yaml
View File

@ -17,6 +17,7 @@ spec:
metadata: metadata:
annotations: annotations:
vault.hashicorp.com/agent-inject: "true" vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/role: "comms" vault.hashicorp.com/role: "comms"
vault.hashicorp.com/agent-inject-secret-turn-secret: "kv/data/atlas/comms/turn-shared-secret" vault.hashicorp.com/agent-inject-secret-turn-secret: "kv/data/atlas/comms/turn-shared-secret"
vault.hashicorp.com/agent-inject-template-turn-secret: | vault.hashicorp.com/agent-inject-template-turn-secret: |
@ -163,4 +164,4 @@ spec:
- name: vault-scripts - name: vault-scripts
configMap: configMap:
name: comms-vault-env name: comms-vault-env
defaultMode: 0555 defaultMode: 0555

3
services/comms/reset-othrys-room-job.yaml
View File

@ -17,6 +17,7 @@ spec:
metadata: metadata:
annotations: annotations:
vault.hashicorp.com/agent-inject: "true" vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/role: "comms" vault.hashicorp.com/role: "comms"
vault.hashicorp.com/agent-inject-secret-turn-secret: "kv/data/atlas/comms/turn-shared-secret" vault.hashicorp.com/agent-inject-secret-turn-secret: "kv/data/atlas/comms/turn-shared-secret"
vault.hashicorp.com/agent-inject-template-turn-secret: | vault.hashicorp.com/agent-inject-template-turn-secret: |
@ -306,4 +307,4 @@ spec:
- name: vault-scripts - name: vault-scripts
configMap: configMap:
name: comms-vault-env name: comms-vault-env
defaultMode: 0555 defaultMode: 0555

3
services/comms/seed-othrys-room.yaml
View File

@ -15,6 +15,7 @@ spec:
metadata: metadata:
annotations: annotations:
vault.hashicorp.com/agent-inject: "true" vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/role: "comms" vault.hashicorp.com/role: "comms"
vault.hashicorp.com/agent-inject-secret-turn-secret: "kv/data/atlas/comms/turn-shared-secret" vault.hashicorp.com/agent-inject-secret-turn-secret: "kv/data/atlas/comms/turn-shared-secret"
vault.hashicorp.com/agent-inject-template-turn-secret: | vault.hashicorp.com/agent-inject-template-turn-secret: |
@ -179,4 +180,4 @@ spec:
- name: vault-scripts - name: vault-scripts
configMap: configMap:
name: comms-vault-env name: comms-vault-env
defaultMode: 0555 defaultMode: 0555

3
services/comms/synapse-seeder-admin-ensure-job.yaml
View File

@ -10,6 +10,7 @@ spec:
metadata: metadata:
annotations: annotations:
vault.hashicorp.com/agent-inject: "true" vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/role: "comms" vault.hashicorp.com/role: "comms"
vault.hashicorp.com/agent-inject-secret-turn-secret: "kv/data/atlas/comms/turn-shared-secret" vault.hashicorp.com/agent-inject-secret-turn-secret: "kv/data/atlas/comms/turn-shared-secret"
vault.hashicorp.com/agent-inject-template-turn-secret: | vault.hashicorp.com/agent-inject-template-turn-secret: |
@ -76,4 +77,4 @@ spec:
- name: vault-scripts - name: vault-scripts
configMap: configMap:
name: comms-vault-env name: comms-vault-env
defaultMode: 0555 defaultMode: 0555

3
services/comms/synapse-user-seed-job.yaml
View File

@ -11,6 +11,7 @@ spec:
metadata: metadata:
annotations: annotations:
vault.hashicorp.com/agent-inject: "true" vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/role: "comms" vault.hashicorp.com/role: "comms"
vault.hashicorp.com/agent-inject-secret-turn-secret: "kv/data/atlas/comms/turn-shared-secret" vault.hashicorp.com/agent-inject-secret-turn-secret: "kv/data/atlas/comms/turn-shared-secret"
vault.hashicorp.com/agent-inject-template-turn-secret: | vault.hashicorp.com/agent-inject-template-turn-secret: |
@ -150,4 +151,4 @@ spec:
- name: vault-scripts - name: vault-scripts
configMap: configMap:
name: comms-vault-env name: comms-vault-env
defaultMode: 0555 defaultMode: 0555

3
services/keycloak/endurain-oidc-secret-ensure-job.yaml
View File

@ -11,6 +11,7 @@ spec:
metadata: metadata:
annotations: annotations:
vault.hashicorp.com/agent-inject: "true" vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/role: "sso-secrets" vault.hashicorp.com/role: "sso-secrets"
vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin" vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin"
vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: | vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: |
@ -49,4 +50,4 @@ spec:
volumeMounts: volumeMounts:
- name: endurain-oidc-secret-ensure-script - name: endurain-oidc-secret-ensure-script
mountPath: /scripts mountPath: /scripts
readOnly: true readOnly: true

3
services/keycloak/harbor-oidc-secret-ensure-job.yaml
View File

@ -11,6 +11,7 @@ spec:
metadata: metadata:
annotations: annotations:
vault.hashicorp.com/agent-inject: "true" vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/role: "sso-secrets" vault.hashicorp.com/role: "sso-secrets"
vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin" vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin"
vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: | vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: |
@ -44,4 +45,4 @@ spec:
volumeMounts: volumeMounts:
- name: harbor-oidc-secret-ensure-script - name: harbor-oidc-secret-ensure-script
mountPath: /scripts mountPath: /scripts
readOnly: true readOnly: true

3
services/keycloak/ldap-federation-job.yaml
View File

@ -10,6 +10,7 @@ spec:
metadata: metadata:
annotations: annotations:
vault.hashicorp.com/agent-inject: "true" vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/role: "sso" vault.hashicorp.com/role: "sso"
vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin" vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin"
vault.hashicorp.com/agent-inject-template-keycloak-env.sh: | vault.hashicorp.com/agent-inject-template-keycloak-env.sh: |
@ -376,4 +377,4 @@ spec:
except Exception as e: except Exception as e:
print(f"WARNING: LDAP cleanup failed (continuing): {e}") print(f"WARNING: LDAP cleanup failed (continuing): {e}")
PY PY
volumeMounts: volumeMounts:

3
services/keycloak/logs-oidc-secret-ensure-job.yaml
View File

@ -11,6 +11,7 @@ spec:
metadata: metadata:
annotations: annotations:
vault.hashicorp.com/agent-inject: "true" vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/role: "sso-secrets" vault.hashicorp.com/role: "sso-secrets"
vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin" vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin"
vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: | vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: |
@ -121,4 +122,4 @@ spec:
--from-literal=cookie_secret="${COOKIE_SECRET}" \ --from-literal=cookie_secret="${COOKIE_SECRET}" \
--dry-run=client -o yaml | kubectl -n logging apply -f - >/dev/null --dry-run=client -o yaml | kubectl -n logging apply -f - >/dev/null
volumeMounts: volumeMounts:
volumes: volumes:

3
services/keycloak/mas-secrets-ensure-job.yaml
View File

@ -19,6 +19,7 @@ spec:
metadata: metadata:
annotations: annotations:
vault.hashicorp.com/agent-inject: "true" vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/agent-init-first: "true" vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/role: "sso-secrets" vault.hashicorp.com/role: "sso-secrets"
vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin" vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin"
@ -123,4 +124,4 @@ spec:
-d "${payload}" "${vault_addr}/v1/kv/data/atlas/comms/mas-secrets-runtime" >/dev/null -d "${payload}" "${vault_addr}/v1/kv/data/atlas/comms/mas-secrets-runtime" >/dev/null
volumeMounts: volumeMounts:
- name: work - name: work
mountPath: /work mountPath: /work

3
services/keycloak/portal-e2e-client-job.yaml
View File

@ -10,6 +10,7 @@ spec:
metadata: metadata:
annotations: annotations:
vault.hashicorp.com/agent-inject: "true" vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/role: "sso" vault.hashicorp.com/role: "sso"
vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin" vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin"
vault.hashicorp.com/agent-inject-template-keycloak-env.sh: | vault.hashicorp.com/agent-inject-template-keycloak-env.sh: |
@ -257,4 +258,4 @@ spec:
raise SystemExit(f"Role mapping update failed (status={status}) resp={resp}") raise SystemExit(f"Role mapping update failed (status={status}) resp={resp}")
PY PY
volumeMounts: volumeMounts:
volumes: volumes:

3
services/keycloak/portal-e2e-execute-actions-email-test-job.yaml
View File

@ -10,6 +10,7 @@ spec:
metadata: metadata:
annotations: annotations:
vault.hashicorp.com/agent-inject: "true" vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/role: "sso" vault.hashicorp.com/role: "sso"
vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin" vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin"
vault.hashicorp.com/agent-inject-template-keycloak-env.sh: | vault.hashicorp.com/agent-inject-template-keycloak-env.sh: |
@ -69,4 +70,4 @@ spec:
- name: tests - name: tests
configMap: configMap:
name: portal-e2e-tests name: portal-e2e-tests
defaultMode: 0555 defaultMode: 0555

3
services/keycloak/portal-e2e-target-client-job.yaml
View File

@ -10,6 +10,7 @@ spec:
metadata: metadata:
annotations: annotations:
vault.hashicorp.com/agent-inject: "true" vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/role: "sso" vault.hashicorp.com/role: "sso"
vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin" vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin"
vault.hashicorp.com/agent-inject-template-keycloak-env.sh: | vault.hashicorp.com/agent-inject-template-keycloak-env.sh: |
@ -158,4 +159,4 @@ spec:
print(f"OK: ensured token exchange enabled on client {target_client_id}") print(f"OK: ensured token exchange enabled on client {target_client_id}")
PY PY
volumeMounts: volumeMounts:
volumes: volumes:

3
services/keycloak/portal-e2e-token-exchange-permissions-job.yaml
View File

@ -10,6 +10,7 @@ spec:
metadata: metadata:
annotations: annotations:
vault.hashicorp.com/agent-inject: "true" vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/role: "sso" vault.hashicorp.com/role: "sso"
vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin" vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin"
vault.hashicorp.com/agent-inject-template-keycloak-env.sh: | vault.hashicorp.com/agent-inject-template-keycloak-env.sh: |
@ -290,4 +291,4 @@ spec:
print("OK: configured token exchange permissions for portal E2E client") print("OK: configured token exchange permissions for portal E2E client")
PY PY
volumeMounts: volumeMounts:

3
services/keycloak/portal-e2e-token-exchange-test-job.yaml
View File

@ -11,6 +11,7 @@ spec:
metadata: metadata:
annotations: annotations:
vault.hashicorp.com/agent-inject: "true" vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/role: "sso" vault.hashicorp.com/role: "sso"
vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin" vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin"
vault.hashicorp.com/agent-inject-template-keycloak-env.sh: | vault.hashicorp.com/agent-inject-template-keycloak-env.sh: |
@ -70,4 +71,4 @@ spec:
- name: tests - name: tests
configMap: configMap:
name: portal-e2e-tests name: portal-e2e-tests
defaultMode: 0555 defaultMode: 0555

3
services/keycloak/realm-settings-job.yaml
View File

@ -10,6 +10,7 @@ spec:
metadata: metadata:
annotations: annotations:
vault.hashicorp.com/agent-inject: "true" vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/role: "sso" vault.hashicorp.com/role: "sso"
vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin" vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin"
vault.hashicorp.com/agent-inject-template-keycloak-env.sh: | vault.hashicorp.com/agent-inject-template-keycloak-env.sh: |
@ -467,4 +468,4 @@ spec:
f"Unexpected execution update response for identity-provider-redirector: {status}" f"Unexpected execution update response for identity-provider-redirector: {status}"
) )
PY PY
volumeMounts: volumeMounts:

3
services/keycloak/sparkyfitness-oidc-secret-ensure-job.yaml
View File

@ -11,6 +11,7 @@ spec:
metadata: metadata:
annotations: annotations:
vault.hashicorp.com/agent-inject: "true" vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/role: "sso-secrets" vault.hashicorp.com/role: "sso-secrets"
vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin" vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin"
vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: | vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: |
@ -49,4 +50,4 @@ spec:
volumeMounts: volumeMounts:
- name: sparkyfitness-oidc-secret-ensure-script - name: sparkyfitness-oidc-secret-ensure-script
mountPath: /scripts mountPath: /scripts
readOnly: true readOnly: true

3
services/keycloak/synapse-oidc-secret-ensure-job.yaml
View File

@ -11,6 +11,7 @@ spec:
metadata: metadata:
annotations: annotations:
vault.hashicorp.com/agent-inject: "true" vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/role: "sso-secrets" vault.hashicorp.com/role: "sso-secrets"
vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin" vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin"
vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: | vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: |
@ -81,4 +82,4 @@ spec:
curl -sS -X POST -H "X-Vault-Token: ${vault_token}" \ curl -sS -X POST -H "X-Vault-Token: ${vault_token}" \
-d "${payload}" "${vault_addr}/v1/kv/data/atlas/comms/synapse-oidc" >/dev/null -d "${payload}" "${vault_addr}/v1/kv/data/atlas/comms/synapse-oidc" >/dev/null
volumeMounts: volumeMounts:
volumes: volumes:

3
services/keycloak/user-overrides-job.yaml
View File

@ -10,6 +10,7 @@ spec:
metadata: metadata:
annotations: annotations:
vault.hashicorp.com/agent-inject: "true" vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/role: "sso" vault.hashicorp.com/role: "sso"
vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin" vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin"
vault.hashicorp.com/agent-inject-template-keycloak-env.sh: | vault.hashicorp.com/agent-inject-template-keycloak-env.sh: |
@ -164,4 +165,4 @@ spec:
if status not in (200, 204): if status not in (200, 204):
raise SystemExit(f"Unexpected user update response: {status}") raise SystemExit(f"Unexpected user update response: {status}")
PY PY
volumeMounts: volumeMounts:

3
services/keycloak/vault-oidc-secret-ensure-job.yaml
View File

@ -11,6 +11,7 @@ spec:
metadata: metadata:
annotations: annotations:
vault.hashicorp.com/agent-inject: "true" vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/role: "sso-secrets" vault.hashicorp.com/role: "sso-secrets"
vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin" vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin"
vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: | vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: |
@ -44,4 +45,4 @@ spec:
volumeMounts: volumeMounts:
- name: vault-oidc-secret-ensure-script - name: vault-oidc-secret-ensure-script
mountPath: /scripts mountPath: /scripts
readOnly: true readOnly: true

3
services/mailu/mailu-sync-cronjob.yaml
View File

@ -13,6 +13,7 @@ spec:
metadata: metadata:
annotations: annotations:
vault.hashicorp.com/agent-inject: "true" vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/role: "mailu-mailserver" vault.hashicorp.com/role: "mailu-mailserver"
vault.hashicorp.com/agent-inject-secret-mailu-db-secret__database: "kv/data/atlas/mailu/mailu-db-secret" vault.hashicorp.com/agent-inject-secret-mailu-db-secret__database: "kv/data/atlas/mailu/mailu-db-secret"
vault.hashicorp.com/agent-inject-template-mailu-db-secret__database: | vault.hashicorp.com/agent-inject-template-mailu-db-secret__database: |
@ -78,4 +79,4 @@ spec:
- name: vault-scripts - name: vault-scripts
configMap: configMap:
name: mailu-vault-env name: mailu-vault-env
defaultMode: 0555 defaultMode: 0555

3
services/mailu/mailu-sync-job.yaml
View File

@ -9,6 +9,7 @@ spec:
metadata: metadata:
annotations: annotations:
vault.hashicorp.com/agent-inject: "true" vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/role: "mailu-mailserver" vault.hashicorp.com/role: "mailu-mailserver"
vault.hashicorp.com/agent-inject-secret-mailu-db-secret__database: "kv/data/atlas/mailu/mailu-db-secret" vault.hashicorp.com/agent-inject-secret-mailu-db-secret__database: "kv/data/atlas/mailu/mailu-db-secret"
vault.hashicorp.com/agent-inject-template-mailu-db-secret__database: | vault.hashicorp.com/agent-inject-template-mailu-db-secret__database: |
@ -74,4 +75,4 @@ spec:
- name: vault-scripts - name: vault-scripts
configMap: configMap:
name: mailu-vault-env name: mailu-vault-env
defaultMode: 0555 defaultMode: 0555

3
services/nextcloud-mail-sync/cronjob.yaml
View File

@ -15,6 +15,7 @@ spec:
metadata: metadata:
annotations: annotations:
vault.hashicorp.com/agent-inject: "true" vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/role: "nextcloud" vault.hashicorp.com/role: "nextcloud"
vault.hashicorp.com/agent-inject-secret-nextcloud-env.sh: "kv/data/atlas/nextcloud/nextcloud-db" vault.hashicorp.com/agent-inject-secret-nextcloud-env.sh: "kv/data/atlas/nextcloud/nextcloud-db"
vault.hashicorp.com/agent-inject-template-nextcloud-env.sh: | vault.hashicorp.com/agent-inject-template-nextcloud-env.sh: |
@ -103,4 +104,4 @@ spec:
- name: sync-script - name: sync-script
configMap: configMap:
name: nextcloud-mail-sync-script name: nextcloud-mail-sync-script
defaultMode: 0755 defaultMode: 0755

3
services/nextcloud/maintenance-cronjob.yaml
View File

@ -13,6 +13,7 @@ spec:
metadata: metadata:
annotations: annotations:
vault.hashicorp.com/agent-inject: "true" vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/role: "nextcloud" vault.hashicorp.com/role: "nextcloud"
vault.hashicorp.com/agent-inject-secret-nextcloud-env.sh: "kv/data/atlas/nextcloud/nextcloud-db" vault.hashicorp.com/agent-inject-secret-nextcloud-env.sh: "kv/data/atlas/nextcloud/nextcloud-db"
vault.hashicorp.com/agent-inject-template-nextcloud-env.sh: | vault.hashicorp.com/agent-inject-template-nextcloud-env.sh: |
@ -93,4 +94,4 @@ spec:
- name: maintenance-script - name: maintenance-script
configMap: configMap:
name: nextcloud-maintenance-script name: nextcloud-maintenance-script
defaultMode: 0755 defaultMode: 0755