titan-iac/services/vault/oidc-config-cronjob.yaml

# services/vault/oidc-config-cronjob.yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: vault-oidc-config
  namespace: vault
spec:
  schedule: "*/15 * * * *"
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      backoffLimit: 1
      template:
        spec:
          serviceAccountName: vault
          restartPolicy: Never
          nodeSelector:
            kubernetes.io/arch: arm64
            node-role.kubernetes.io/worker: "true"
          containers:
            - name: configure-oidc
              image: hashicorp/vault:1.17.6
              imagePullPolicy: IfNotPresent
              command:
                - sh
                - /scripts/vault_oidc_configure.sh
              env:
                - name: VAULT_ADDR
                  value: http://vault.vault.svc.cluster.local:8200
                - name: VAULT_TOKEN
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-admin-token
                      key: token
                - name: VAULT_OIDC_DISCOVERY_URL
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: discovery_url
                - name: VAULT_OIDC_CLIENT_ID
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: client_id
                - name: VAULT_OIDC_CLIENT_SECRET
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: client_secret
                - name: VAULT_OIDC_DEFAULT_ROLE
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: default_role
                      optional: true
                - name: VAULT_OIDC_SCOPES
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: scopes
                      optional: true
                - name: VAULT_OIDC_USER_CLAIM
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: user_claim
                      optional: true
                - name: VAULT_OIDC_GROUPS_CLAIM
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: groups_claim
                      optional: true
                - name: VAULT_OIDC_TOKEN_POLICIES
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: token_policies
                      optional: true
                - name: VAULT_OIDC_ADMIN_GROUP
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: admin_group
                      optional: true
                - name: VAULT_OIDC_ADMIN_POLICIES
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: admin_policies
                      optional: true
                - name: VAULT_OIDC_DEV_GROUP
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: dev_group
                      optional: true
                - name: VAULT_OIDC_DEV_POLICIES
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: dev_policies
                      optional: true
                - name: VAULT_OIDC_USER_GROUP
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: user_group
                      optional: true
                - name: VAULT_OIDC_USER_POLICIES
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: user_policies
                      optional: true
                - name: VAULT_OIDC_REDIRECT_URIS
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: redirect_uris
                      optional: true
                - name: VAULT_OIDC_BOUND_AUDIENCES
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: bound_audiences
                      optional: true
                - name: VAULT_OIDC_BOUND_CLAIMS
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: bound_claims
                      optional: true
                - name: VAULT_OIDC_BOUND_CLAIMS_TYPE
                  valueFrom:
                    secretKeyRef:
                      name: vault-oidc-config
                      key: bound_claims_type
                      optional: true
              volumeMounts:
                - name: oidc-config-script
                  mountPath: /scripts
                  readOnly: true
          volumes:
            - name: oidc-config-script
              configMap:
                name: vault-oidc-config-script
                defaultMode: 0555