titan-iac/services/jenkins/vault-sync-deployment.yaml

# services/jenkins/vault-sync-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jenkins-vault-sync
  namespace: jenkins
spec:
  replicas: 1
  selector:
    matchLabels:
      app: jenkins-vault-sync
  template:
    metadata:
      labels:
        app: jenkins-vault-sync
    spec:
      serviceAccountName: jenkins-vault-sync
      nodeSelector:
        kubernetes.io/arch: arm64
        node-role.kubernetes.io/worker: "true"
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              preference:
                matchExpressions:
                  - key: kubernetes.io/hostname
                    operator: NotIn
                    values: ["titan-13", "titan-15", "titan-17", "titan-19"]
      containers:
        - name: sync
          image: alpine:3.20
          command: ["/bin/sh", "-c"]
          args:
            - "sleep infinity"
          volumeMounts:
            - name: vault-secrets
              mountPath: /vault/secrets
              readOnly: true
      volumes:
        - name: vault-secrets
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: jenkins-vault