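# services/vault/k8s-auth-config-cronjob.yaml
#
# CronJob that periodically (re)applies the Vault Kubernetes auth-method
# configuration by running /scripts/vault_k8s_auth_configure.sh (mounted from
# the vault-k8s-auth-config-script ConfigMap) against the in-cluster Vault.
#
# NOTE(review): the job authenticates to Vault with the *root* token
# (secret vault-init, key root_token) and reaches Vault over plain HTTP at a
# hard-coded ClusterIP. A token bound to a narrow policy, TLS, and the Service
# DNS name would all shrink the blast radius of a compromised job pod; they are
# left unchanged here because the consuming script expects these values —
# confirm against the script before changing them.
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: vault-k8s-auth-config
  namespace: vault
  labels:
    atlas.bstein.dev/glue: "true"
spec:
  # Every 15 minutes. Forbid prevents overlapping runs from racing on the
  # same auth-method config.
  schedule: "*/15 * * * *"
  suspend: false
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      backoffLimit: 1
      # With concurrencyPolicy Forbid, a single hung run would block every
      # later schedule; bound the wall-clock time so a stuck job is killed
      # and the next run can proceed.
      activeDeadlineSeconds: 600
      template:
        spec:
          serviceAccountName: vault-admin
          restartPolicy: Never
          nodeSelector:
            kubernetes.io/arch: arm64
            node-role.kubernetes.io/worker: "true"
          containers:
            - name: configure-k8s-auth
              image: hashicorp/vault:1.17.6
              imagePullPolicy: IfNotPresent
              # `command` replaces the image ENTRYPOINT, so the script runs
              # directly under sh as the image's default user (presumably
              # root for this image — verify if a runAsUser is ever added).
              command:
                - sh
                - /scripts/vault_k8s_auth_configure.sh
              # The script only drives the vault CLI: no Linux capabilities
              # are needed and the process must not be able to gain any.
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop:
                    - ALL
              env:
                # Plain HTTP to a hard-coded ClusterIP: the token below
                # crosses the network unencrypted, and the address breaks if
                # the Service is ever recreated with a new IP.
                - name: VAULT_ADDR
                  value: "http://10.43.57.249:8200"
                - name: VAULT_K8S_ROLE
                  value: vault-admin
                # Root token pulled from the vault-init Secret; see the header
                # note about scoping this down.
                - name: VAULT_TOKEN
                  valueFrom:
                    secretKeyRef:
                      name: vault-init
                      key: root_token
                # Path inside the token-reviewer Secret mount declared below.
                - name: VAULT_K8S_TOKEN_REVIEWER_JWT_FILE
                  value: /var/run/secrets/vault-token-reviewer/token
                - name: VAULT_K8S_ROLE_TTL
                  value: 1h
                - name: VAULT_K8S_BOUND_AUDIENCES
                  value: "https://kubernetes.default.svc,https://kubernetes.default.svc.cluster.local,k3s"
                - name: VAULT_K8S_ISSUER
                  value: "https://kubernetes.default.svc.cluster.local"
                # Quoted so the consumer receives the string "false", not a
                # YAML boolean.
                - name: VAULT_K8S_DISABLE_ISS_VALIDATION
                  value: "false"
              volumeMounts:
                - name: k8s-auth-config-script
                  mountPath: /scripts
                  readOnly: true
                - name: token-reviewer
                  mountPath: /var/run/secrets/vault-token-reviewer
                  readOnly: true
          volumes:
            - name: k8s-auth-config-script
              configMap:
                name: vault-k8s-auth-config-script
                # Decimal 365 == mode 0555. Written in decimal because a bare
                # 0555 is octal only under YAML 1.1 parsers; a 1.2 parser
                # reads it as decimal 555, which is out of the 0-511 range.
                defaultMode: 365
            - name: token-reviewer
              secret:
                secretName: vault-admin-token-reviewer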