

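# services/vault/oidc-config-cronjob.yaml
#
# CronJob that periodically (re)applies the Vault OIDC auth configuration by
# running /scripts/vault_oidc_configure.sh from the vault-oidc-config-script
# ConfigMap. Every input reaches the script as an environment variable sourced
# from a Secret; the script itself lives outside this manifest.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: vault-oidc-config
  namespace: vault
spec:
  schedule: "*/15 * * * *"
  # Forbid: a run that is still active makes the next tick be skipped instead
  # of overlapping. Paired with activeDeadlineSeconds below so a hung run
  # cannot block the schedule indefinitely.
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      backoffLimit: 1
      # Hard stop for a single run (constructed bound, kept under the 15-minute
      # schedule) so Forbid never starves the following runs behind a stuck job.
      activeDeadlineSeconds: 600
      template:
        spec:
          serviceAccountName: vault
          # NOTE(review): the script only needs VAULT_ADDR/VAULT_TOKEN; if it
          # never calls the Kubernetes API, set automountServiceAccountToken:
          # false here — confirm against the script before changing.
          restartPolicy: Never
          nodeSelector:
            kubernetes.io/arch: arm64
            node-role.kubernetes.io/worker: "true"
          securityContext:
            # `command` replaces the image entrypoint, which is what normally
            # drops privileges to the vault user, so the uid/gid are pinned
            # here. Values follow the Vault Helm chart's defaults for this
            # image — confirm against the image actually in use.
            runAsNonRoot: true
            runAsUser: 100
            runAsGroup: 1000
          containers:
            - name: configure-oidc
              image: hashicorp/vault:1.17.6
              imagePullPolicy: IfNotPresent
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop:
                    - ALL
              # NOTE(review): the upstream image is Alpine-based; confirm bash
              # is present in this tag, otherwise invoke the script with sh.
              command:
                - bash
                - /scripts/vault_oidc_configure.sh
              env:
                # NOTE(review): plain HTTP — the admin token and client secret
                # cross the cluster network in clear text unless TLS is
                # terminated elsewhere (listener or mesh); verify before relying
                # on this address.
                - name: VAULT_ADDR
                  value: http://vault.vault.svc.cluster.local:8200
                # Privileged token used to write auth/oidc config; kept in its
                # own Secret, separate from the non-privileged OIDC settings.
                - name: VAULT_TOKEN
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-admin-token
                      key: token
                # Required OIDC provider settings (no `optional`): a missing key
                # fails the pod at start rather than producing a partial config.
                - name: VAULT_OIDC_DISCOVERY_URL
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: discovery_url
                - name: VAULT_OIDC_CLIENT_ID
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: client_id
                - name: VAULT_OIDC_CLIENT_SECRET
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: client_secret
                # Optional tuning keys: absent keys leave the variable unset and
                # the script is expected to apply its own defaults.
                - name: VAULT_OIDC_DEFAULT_ROLE
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: default_role
                      optional: true
                - name: VAULT_OIDC_SCOPES
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: scopes
                      optional: true
                - name: VAULT_OIDC_USER_CLAIM
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: user_claim
                      optional: true
                - name: VAULT_OIDC_GROUPS_CLAIM
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: groups_claim
                      optional: true
                - name: VAULT_OIDC_TOKEN_POLICIES
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: token_policies
                      optional: true
                - name: VAULT_OIDC_REDIRECT_URIS
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: redirect_uris
                      optional: true
                - name: VAULT_OIDC_BOUND_AUDIENCES
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: bound_audiences
                      optional: true
                - name: VAULT_OIDC_BOUND_CLAIMS
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: bound_claims
                      optional: true
                - name: VAULT_OIDC_BOUND_CLAIMS_TYPE
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: bound_claims_type
                      optional: true
              volumeMounts:
                - name: oidc-config-script
                  mountPath: /scripts
                  readOnly: true
          volumes:
            - name: oidc-config-script
              configMap:
                name: vault-oidc-config-script
                # 0o555 (r-x for all) written in decimal so YAML 1.1 and 1.2
                # parsers agree on the value; a leading-zero literal is octal
                # in one and decimal in the other.
                defaultMode: 365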