vault: inject monitoring exporter and health jobs

services/health/endurain-oidc-config-cronjob.yaml

@@ -13,6 +13,22 @@ spec:
     spec:
       backoffLimit: 1
       template:
+        metadata:
+          annotations:
+            vault.hashicorp.com/agent-inject: "true"
+            vault.hashicorp.com/agent-pre-populate-only: "true"
+            vault.hashicorp.com/role: "health"
+            vault.hashicorp.com/agent-inject-secret-endurain-oidc-env: "kv/data/atlas/health/endurain-admin"
+            vault.hashicorp.com/agent-inject-template-endurain-oidc-env: |
+              {{- with secret "kv/data/atlas/health/endurain-admin" -}}
+              export ENDURAIN_ADMIN_USERNAME="{{ .Data.data.username }}"
+              export ENDURAIN_ADMIN_PASSWORD="{{ .Data.data.password }}"
+              {{- end }}
+              {{- with secret "kv/data/atlas/health/endurain-oidc" -}}
+              export ENDURAIN_OIDC_CLIENT_ID="{{ .Data.data.client_id }}"
+              export ENDURAIN_OIDC_CLIENT_SECRET="{{ .Data.data.client_secret }}"
+              export ENDURAIN_OIDC_ISSUER_URL="{{ .Data.data.issuer_url }}"
+              {{- end -}}
         spec:
           serviceAccountName: health-vault-sync
           restartPolicy: Never
@@ -47,35 +63,11 @@ spec:
                 - |
                   set -euo pipefail
                   apk add --no-cache bash curl jq >/dev/null
+                  . /vault/secrets/endurain-oidc-env
                   exec /scripts/endurain_oidc_configure.sh
               env:
                 - name: ENDURAIN_BASE_URL
                   value: http://endurain.health.svc.cluster.local
-                - name: ENDURAIN_ADMIN_USERNAME
-                  valueFrom:
-                    secretKeyRef:
-                      name: endurain-admin
-                      key: username
-                - name: ENDURAIN_ADMIN_PASSWORD
-                  valueFrom:
-                    secretKeyRef:
-                      name: endurain-admin
-                      key: password
-                - name: ENDURAIN_OIDC_CLIENT_ID
-                  valueFrom:
-                    secretKeyRef:
-                      name: endurain-oidc
-                      key: client_id
-                - name: ENDURAIN_OIDC_CLIENT_SECRET
-                  valueFrom:
-                    secretKeyRef:
-                      name: endurain-oidc
-                      key: client_secret
-                - name: ENDURAIN_OIDC_ISSUER_URL
-                  valueFrom:
-                    secretKeyRef:
-                      name: endurain-oidc
-                      key: issuer_url
               volumeMounts:
                 - name: endurain-oidc-config-script
                   mountPath: /scripts

services/health/sparkyfitness-oidc-config-cronjob.yaml

@@ -13,6 +13,22 @@ spec:
     spec:
       backoffLimit: 1
       template:
+        metadata:
+          annotations:
+            vault.hashicorp.com/agent-inject: "true"
+            vault.hashicorp.com/agent-pre-populate-only: "true"
+            vault.hashicorp.com/role: "health"
+            vault.hashicorp.com/agent-inject-secret-sparky-oidc-env: "kv/data/atlas/health/sparkyfitness-admin"
+            vault.hashicorp.com/agent-inject-template-sparky-oidc-env: |
+              {{- with secret "kv/data/atlas/health/sparkyfitness-admin" -}}
+              export SPARKYFITNESS_ADMIN_EMAIL="{{ .Data.data.email }}"
+              export SPARKYFITNESS_ADMIN_PASSWORD="{{ .Data.data.password }}"
+              {{- end }}
+              {{- with secret "kv/data/atlas/health/sparkyfitness-oidc" -}}
+              export SPARKYFITNESS_OIDC_CLIENT_ID="{{ .Data.data.client_id }}"
+              export SPARKYFITNESS_OIDC_CLIENT_SECRET="{{ .Data.data.client_secret }}"
+              export SPARKYFITNESS_OIDC_ISSUER_URL="{{ .Data.data.issuer_url }}"
+              {{- end -}}
         spec:
           serviceAccountName: health-vault-sync
           restartPolicy: Never
@@ -47,37 +63,13 @@ spec:
                 - |
                   set -euo pipefail
                   apk add --no-cache bash curl jq >/dev/null
+                  . /vault/secrets/sparky-oidc-env
                   exec /scripts/sparkyfitness_oidc_configure.sh
               env:
                 - name: SPARKYFITNESS_BASE_URL
                   value: http://sparkyfitness-server.health.svc.cluster.local:3010
                 - name: SPARKYFITNESS_FRONTEND_URL
                   value: https://sparkyfitness.bstein.dev
-                - name: SPARKYFITNESS_ADMIN_EMAIL
-                  valueFrom:
-                    secretKeyRef:
-                      name: sparkyfitness-admin
-                      key: email
-                - name: SPARKYFITNESS_ADMIN_PASSWORD
-                  valueFrom:
-                    secretKeyRef:
-                      name: sparkyfitness-admin
-                      key: password
-                - name: SPARKYFITNESS_OIDC_CLIENT_ID
-                  valueFrom:
-                    secretKeyRef:
-                      name: sparkyfitness-oidc
-                      key: client_id
-                - name: SPARKYFITNESS_OIDC_CLIENT_SECRET
-                  valueFrom:
-                    secretKeyRef:
-                      name: sparkyfitness-oidc
-                      key: client_secret
-                - name: SPARKYFITNESS_OIDC_ISSUER_URL
-                  valueFrom:
-                    secretKeyRef:
-                      name: sparkyfitness-oidc
-                      key: issuer_url
               volumeMounts:
                 - name: sparkyfitness-oidc-config-script
                   mountPath: /scripts

services/monitoring/grafana-org-bootstrap.yaml

@@ -2,13 +2,25 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: grafana-org-bootstrap-1
+  name: grafana-org-bootstrap-2
   namespace: monitoring
 spec:
   backoffLimit: 2
   template:
+    metadata:
+      annotations:
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-pre-populate-only: "true"
+        vault.hashicorp.com/role: "monitoring"
+        vault.hashicorp.com/agent-inject-secret-grafana-env: "kv/data/atlas/monitoring/grafana-admin"
+        vault.hashicorp.com/agent-inject-template-grafana-env: |
+          {{- with secret "kv/data/atlas/monitoring/grafana-admin" -}}
+          export GRAFANA_USER="{{ index .Data.data "admin-user" }}"
+          export GRAFANA_PASSWORD="{{ index .Data.data "admin-password" }}"
+          {{- end -}}
     spec:
       restartPolicy: OnFailure
+      serviceAccountName: monitoring-vault-sync
       containers:
         - name: bootstrap
           image: python:3.11-alpine
@@ -17,20 +29,11 @@ spec:
               value: http://grafana
             - name: OVERVIEW_ORG_NAME
               value: Overview
-            - name: GRAFANA_USER
-              valueFrom:
-                secretKeyRef:
-                  name: grafana-admin
-                  key: admin-user
-            - name: GRAFANA_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: grafana-admin
-                  key: admin-password
           command: ["/bin/sh", "-c"]
           args:
             - |
               set -euo pipefail
+              . /vault/secrets/grafana-env
               python - <<'PY'
               import base64
               import json

services/monitoring/postmark-exporter-deployment.yaml

@@ -16,8 +16,20 @@ spec:
         prometheus.io/scrape: "true"
         prometheus.io/port: "8000"
         prometheus.io/path: "/metrics"
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/role: "monitoring"
+        vault.hashicorp.com/agent-inject-secret-postmark-env: "kv/data/atlas/monitoring/postmark-exporter"
+        vault.hashicorp.com/agent-inject-template-postmark-env: |
+          {{- with secret "kv/data/atlas/monitoring/postmark-exporter" -}}
+          export POSTMARK_SERVER_TOKEN="{{ index .Data.data "relay-username" }}"
+          export POSTMARK_SERVER_TOKEN_FALLBACK="{{ index .Data.data "relay-password" }}"
+          {{- if index .Data.data "sending-limit" }}
+          export POSTMARK_SENDING_LIMIT="{{ index .Data.data "sending-limit" }}"
+          {{- end }}
+          {{- end -}}
         bstein.dev/restarted-at: "2026-01-06T00:00:00Z"
     spec:
+      serviceAccountName: monitoring-vault-sync
       containers:
         - name: exporter
           image: python:3.12-alpine
@@ -26,25 +38,10 @@ spec:
           args:
             - |
               set -euo pipefail
+              . /vault/secrets/postmark-env
               pip install --no-cache-dir prometheus-client==0.22.1 requests==2.32.3
               exec python /app/monitoring_postmark_exporter.py
           env:
-            - name: POSTMARK_SERVER_TOKEN
-              valueFrom:
-                secretKeyRef:
-                  name: postmark-exporter
-                  key: server-token
-            - name: POSTMARK_SERVER_TOKEN_FALLBACK
-              valueFrom:
-                secretKeyRef:
-                  name: postmark-exporter
-                  key: server-token-fallback
-            - name: POSTMARK_SENDING_LIMIT
-              valueFrom:
-                secretKeyRef:
-                  name: postmark-exporter
-                  key: sending-limit
-                  optional: true
             - name: POSTMARK_SENDING_LIMIT_WINDOW
               value: "30d"
             - name: POLL_INTERVAL_SECONDS

services/monitoring/secretproviderclass.yaml

@@ -16,15 +16,6 @@ spec:
       - objectName: "grafana-admin__admin-password"
         secretPath: "kv/data/atlas/monitoring/grafana-admin"
         secretKey: "admin-password"
-      - objectName: "postmark-exporter__relay-username"
-        secretPath: "kv/data/atlas/monitoring/postmark-exporter"
-        secretKey: "relay-username"
-      - objectName: "postmark-exporter__relay-password"
-        secretPath: "kv/data/atlas/monitoring/postmark-exporter"
-        secretKey: "relay-password"
-      - objectName: "postmark-exporter__sending-limit"
-        secretPath: "kv/data/atlas/monitoring/postmark-exporter"
-        secretKey: "sending-limit"
       - objectName: "postmark-relay__relay-username"
         secretPath: "kv/data/atlas/shared/postmark-relay"
         secretKey: "relay-username"
@@ -42,15 +33,6 @@ spec:
           key: admin-user
         - objectName: grafana-admin__admin-password
           key: admin-password
-    - secretName: postmark-exporter
-      type: Opaque
-      data:
-        - objectName: postmark-exporter__relay-username
-          key: server-token
-        - objectName: postmark-exporter__relay-password
-          key: server-token-fallback
-        - objectName: postmark-exporter__sending-limit
-          key: sending-limit
     - secretName: grafana-smtp
       type: Opaque
       data: