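# services/vault/k8s-auth-config-cronjob.yaml
#
# CronJob that re-applies Vault's Kubernetes auth configuration every
# 15 minutes by running vault_k8s_auth_configure.sh (mounted from the
# vault-k8s-auth-config-script ConfigMap) inside a hashicorp/vault image.
# It runs as the vault-admin ServiceAccount and mounts the token-reviewer
# Secret, so treat the manifest as privileged glue: changes to the image,
# the script or the mounted secret affect who can authenticate to Vault.
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: vault-k8s-auth-config
  namespace: vault
  labels:
    atlas.bstein.dev/glue: "true"
spec:
  schedule: "*/15 * * * *"
  suspend: false
  # Forbid: a configure run that is still in progress is never overlapped
  # by the next tick.
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      # restartPolicy: Never plus backoffLimit: 1 gives at most one retry,
      # as a fresh pod.
      backoffLimit: 1
      template:
        spec:
          serviceAccountName: vault-admin
          restartPolicy: Never
          nodeSelector:
            kubernetes.io/arch: arm64
            node-role.kubernetes.io/worker: "true"
          containers:
            - name: configure-k8s-auth
              image: hashicorp/vault:1.17.6
              imagePullPolicy: IfNotPresent
              command:
                - sh
                - /scripts/vault_k8s_auth_configure.sh
              env:
                # NOTE(review): plain HTTP to a hard-coded ClusterIP. Whatever the
                # script exchanges with Vault over this connection (presumably a
                # login token) is unencrypted in transit, and the address breaks if
                # the Service is recreated — confirm whether the Vault listener
                # offers TLS and whether the Service DNS name can be used instead.
                - name: VAULT_ADDR
                  value: http://10.43.57.249:8200
                - name: VAULT_K8S_ROLE
                  value: vault-admin
                # Presumably the JWT Vault presents to the TokenReview API; it is a
                # long-lived credential, so keep read access to the backing Secret
                # limited to this job — verify against the script.
                - name: VAULT_K8S_TOKEN_REVIEWER_JWT_FILE
                  value: /var/run/secrets/vault-token-reviewer/token
                - name: VAULT_K8S_ROLE_TTL
                  value: 1h
              volumeMounts:
                - name: k8s-auth-config-script
                  mountPath: /scripts
                  readOnly: true
                - name: token-reviewer
                  mountPath: /var/run/secrets/vault-token-reviewer
                  readOnly: true
          volumes:
            - name: k8s-auth-config-script
              configMap:
                name: vault-k8s-auth-config-script
                # 365 == 0o555 (r-x for all). Written in decimal because a
                # leading-zero literal is octal under YAML 1.1 (kubectl) but
                # decimal 555 under YAML 1.2 parsers, and a quoted "0555" is
                # rejected because defaultMode must be an integer.
                defaultMode: 365
            - name: token-reviewer
              secret:
                secretName: vault-admin-token-reviewer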