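# services/vault/oidc-config-cronjob.yaml
#
# CronJob that re-applies the Vault OIDC auth configuration every 15 minutes
# by running /scripts/vault_oidc_configure.sh (shipped in a ConfigMap) with
# the official vault image. All inputs reach the script as environment
# variables: the admin token from Secret `vault-oidc-admin-token`, and the
# OIDC settings from Secret `vault-oidc-config` (keys marked optional may be
# absent, in which case the env var is simply unset).
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: vault-oidc-config
  namespace: vault
spec:
  schedule: "*/15 * * * *"
  # Never let two configure runs overlap.
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      # One retry only; the next scheduled run will try again anyway.
      backoffLimit: 1
      template:
        spec:
          serviceAccountName: vault
          restartPolicy: Never
          nodeSelector:
            kubernetes.io/arch: arm64
            node-role.kubernetes.io/worker: "true"
          containers:
            - name: configure-oidc
              image: hashicorp/vault:1.17.6
              imagePullPolicy: IfNotPresent
              command:
                - sh
                - /scripts/vault_oidc_configure.sh
              env:
                # NOTE(review): plain http to the in-cluster service, so the
                # admin token below travels unencrypted inside the cluster
                # unless the service is TLS-terminated elsewhere — confirm.
                - name: VAULT_ADDR
                  value: http://vault.vault.svc.cluster.local:8200
                # Token used to write the OIDC auth config; presumably scoped
                # to the OIDC auth path and policies — verify against the
                # token's policy.
                - name: VAULT_TOKEN
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-admin-token
                      key: token
                # Required OIDC provider settings.
                - name: VAULT_OIDC_DISCOVERY_URL
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: discovery_url
                - name: VAULT_OIDC_CLIENT_ID
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: client_id
                - name: VAULT_OIDC_CLIENT_SECRET
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: client_secret
                # Optional settings: a missing Secret key leaves the env var
                # unset rather than failing the Pod.
                - name: VAULT_OIDC_DEFAULT_ROLE
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: default_role
                      optional: true
                - name: VAULT_OIDC_SCOPES
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: scopes
                      optional: true
                - name: VAULT_OIDC_USER_CLAIM
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: user_claim
                      optional: true
                - name: VAULT_OIDC_GROUPS_CLAIM
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: groups_claim
                      optional: true
                - name: VAULT_OIDC_TOKEN_POLICIES
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: token_policies
                      optional: true
                # Group -> policy mappings (admin / dev / user).
                - name: VAULT_OIDC_ADMIN_GROUP
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: admin_group
                      optional: true
                - name: VAULT_OIDC_ADMIN_POLICIES
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: admin_policies
                      optional: true
                - name: VAULT_OIDC_DEV_GROUP
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: dev_group
                      optional: true
                - name: VAULT_OIDC_DEV_POLICIES
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: dev_policies
                      optional: true
                - name: VAULT_OIDC_USER_GROUP
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: user_group
                      optional: true
                - name: VAULT_OIDC_USER_POLICIES
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: user_policies
                      optional: true
                # Role binding constraints.
                - name: VAULT_OIDC_REDIRECT_URIS
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: redirect_uris
                      optional: true
                - name: VAULT_OIDC_BOUND_AUDIENCES
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: bound_audiences
                      optional: true
                - name: VAULT_OIDC_BOUND_CLAIMS
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: bound_claims
                      optional: true
                - name: VAULT_OIDC_BOUND_CLAIMS_TYPE
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: bound_claims_type
                      optional: true
              volumeMounts:
                - name: oidc-config-script
                  mountPath: /scripts
                  readOnly: true
          volumes:
            - name: oidc-config-script
              configMap:
                name: vault-oidc-config-script
                # r-x for everyone (octal 0555). Written in decimal because a
                # leading-zero literal is octal 365 under YAML 1.1 but decimal
                # 555 under YAML 1.2 parsers, and 555 exceeds the 0777 maximum
                # the API server accepts for defaultMode.
                defaultMode: 365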