# infrastructure/vault-csi/vault-csi-provider.yaml
#
# Vault provider for the Secrets Store CSI driver: one ServiceAccount, the
# RBAC it needs, and a DaemonSet that exposes the provider socket on every
# Linux node. Six documents, all in kube-system.
---
# Identity the provider pods run as; bound by the two bindings below.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-csi-provider
  namespace: kube-system
---
# Cluster-scoped permission: mint service-account tokens (TokenRequest API).
# Because it is granted through a ClusterRoleBinding, this applies to service
# accounts in every namespace, not only kube-system — presumably used to obtain
# a token for the workload's own service account for Vault auth; confirm
# against the provider's documented needs before widening or narrowing it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: vault-csi-provider-clusterrole
rules:
  - apiGroups:
      - ""
    resources:
      - serviceaccounts/token
    verbs:
      - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: vault-csi-provider-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: vault-csi-provider-clusterrole
subjects:
  - kind: ServiceAccount
    name: vault-csi-provider
    namespace: kube-system
---
# Namespace-scoped permissions on Secrets in kube-system.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: vault-csi-provider-role
  namespace: kube-system
rules:
  # Read access is pinned to a single Secret by name.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
    resourceNames:
      - vault-csi-provider-hmac-key
  # Create cannot be limited by resourceNames (the name is not known at
  # authorization time), so this rule allows creating any Secret in
  # kube-system. It is presumably here so the provider can bootstrap the
  # HMAC key above on first run; there is no update/delete permission.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: vault-csi-provider-rolebinding
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: vault-csi-provider-role
subjects:
  - kind: ServiceAccount
    name: vault-csi-provider
    namespace: kube-system
---
# One provider pod per Linux node. The provider listens on a Unix socket under
# a hostPath directory; the path name suggests it is the directory the Secrets
# Store CSI driver scans for providers — verify the driver is configured with
# the same directory.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: vault-csi-provider
  namespace: kube-system
  labels:
    app.kubernetes.io/name: vault-csi-provider
spec:
  updateStrategy:
    type: RollingUpdate
  selector:
    matchLabels:
      app.kubernetes.io/name: vault-csi-provider
  template:
    metadata:
      labels:
        app.kubernetes.io/name: vault-csi-provider
    spec:
      serviceAccountName: vault-csi-provider
      # NOTE(review): no pod- or container-level securityContext is set here;
      # confirm whether the provider tolerates a hardened context (e.g. a
      # read-only root filesystem, no privilege escalation) before adding one.
      containers:
        - name: provider-vault-installer
          # Pinned to a version tag, not a digest; with IfNotPresent a node's
          # cached image for this tag is reused, so tag drift will not be
          # picked up on restart.
          image: hashicorp/vault-csi-provider:1.7.0
          imagePullPolicy: IfNotPresent
          args:
            - "-endpoint=/provider/vault.sock"
            - "-log-level=info"
          # Requests equal limits, so the pod gets the Guaranteed QoS class.
          resources:
            requests:
              cpu: 50m
              memory: 100Mi
            limits:
              cpu: 50m
              memory: 100Mi
          volumeMounts:
            - name: providervol
              mountPath: "/provider"
          # Both probes hit the same endpoint with the same thresholds:
          # 2 consecutive failures, 5s initial delay, every 5s, 3s timeout.
          livenessProbe:
            httpGet:
              path: "/health/ready"
              port: 8080
              scheme: "HTTP"
            failureThreshold: 2
            initialDelaySeconds: 5
            periodSeconds: 5
            successThreshold: 1
            timeoutSeconds: 3
          readinessProbe:
            httpGet:
              path: "/health/ready"
              port: 8080
              scheme: "HTTP"
            failureThreshold: 2
            initialDelaySeconds: 5
            periodSeconds: 5
            successThreshold: 1
            timeoutSeconds: 3
      volumes:
        # hostPath without a `type`, so the directory is created on the node
        # if missing and no check is made that it is a directory.
        - name: providervol
          hostPath:
            path: "/var/run/secrets-store-csi-providers"
      nodeSelector:
        kubernetes.io/os: linux