artifacts/oci/charts/infra/platform/k3s/templates/vault-bootstrap.yaml


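{{- if .Values.vaultBootstrap.enabled }}
# One-shot bootstrap Job for Vault: waits until Vault is unsealed, enables the
# `secret/` kv-v2 mount, writes a read-only policy for External Secrets,
# configures the Kubernetes auth method and seeds the Cloudflare API token.
# Every command runs with the Vault *root* token taken from
# `vaultBootstrap.rootTokenSecretName`, so keep this script minimal and
# idempotent (each step is safe to re-run after an OnFailure restart).
# Templated scalars are quoted so empty or boolean-looking values do not get
# re-typed by the YAML parser.
apiVersion: batch/v1
kind: Job
metadata:
  name: vault-bootstrap
  namespace: "{{ .Values.namespaces.vault }}"
spec:
  template:
    spec:
      serviceAccountName: "{{ .Values.vaultBootstrap.serviceAccountName }}"
      restartPolicy: OnFailure
      containers:
        - name: bootstrap
          image: "{{ .Values.vaultBootstrap.image }}"
          env:
            # In-cluster Vault endpoint. Plain HTTP: the root token and the
            # Cloudflare token cross the cluster network unencrypted.
            - name: VAULT_ADDR
              value: "http://vault.{{ .Values.namespaces.vault }}.svc.cluster.local:8200"
            # Root token used for all Vault calls below.
            - name: VAULT_TOKEN
              valueFrom:
                secretKeyRef:
                  name: "{{ .Values.vaultBootstrap.rootTokenSecretName }}"
                  key: "{{ .Values.vaultBootstrap.rootTokenSecretKey }}"
            # Cloudflare API token that gets copied into Vault at the end.
            - name: CLOUDFLARE_API_TOKEN
              valueFrom:
                secretKeyRef:
                  name: "{{ .Values.vaultBootstrap.cloudflareSecretName }}"
                  key: "{{ .Values.vaultBootstrap.cloudflareSecretKey }}"
          command:
            - /bin/sh
            - -ec
            - |
              # Block until Vault is reachable and unsealed: `vault status`
              # exits non-zero while Vault is down or sealed.
              until vault status >/dev/null 2>&1; do
                sleep 5
              done
              # Idempotent: enabling an already-mounted path fails, hence `|| true`.
              vault secrets enable -path=secret kv-v2 || true
              # Read-only policy for External Secrets. Note it covers *every*
              # path under secret/; narrow the globs if unrelated secrets are
              # ever stored in the same mount.
              cat <<'EOF' >/tmp/eso-policy.hcl
              path "secret/data/*" {
                capabilities = ["read"]
              }
              path "secret/metadata/*" {
                capabilities = ["read", "list"]
              }
              EOF
              vault policy write eso-read /tmp/eso-policy.hcl
              vault auth enable kubernetes || true
              # NOTE(review): token_reviewer_jwt is this pod's own service
              # account token. On clusters that issue bound, time-limited
              # projected tokens it stops validating once it expires or the
              # pod is gone, after which Vault's TokenReview calls fail.
              # Confirm against the cluster's token policy, or omit
              # token_reviewer_jwt and give Vault's own service account the
              # auth-delegator role instead.
              vault write auth/kubernetes/config \
                kubernetes_host="https://kubernetes.default.svc:443" \
                kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
                token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
              # Role is pinned to one service account name in one namespace;
              # the 1h TTL bounds how long a leaked ESO token stays usable.
              vault write auth/kubernetes/role/external-secrets \
                bound_service_account_names="external-secrets" \
                bound_service_account_namespaces="{{ .Values.vaultBootstrap.externalSecretsRoleNamespace }}" \
                policies="eso-read" \
                ttl="1h"
              # The token value is passed on the command line, so it is
              # visible in the container's process list for the duration of
              # the call; reading it from stdin (`api-token=-`) would avoid that.
              vault kv put secret/platform/cloudflare api-token="${CLOUDFLARE_API_TOKEN}"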
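---
# Service account the bootstrap Job runs as. Its token is what the Job hands
# to Vault as token_reviewer_jwt, which is why it receives
# system:auth-delegator below. Name and namespace are quoted so an empty or
# boolean-looking value is not re-typed by the YAML parser.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: "{{ .Values.vaultBootstrap.serviceAccountName }}"
  namespace: "{{ .Values.namespaces.vault }}"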
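---
# Grants the bootstrap service account cluster-wide permission to create
# TokenReviews and SubjectAccessReviews (system:auth-delegator). Vault needs
# this from whichever identity's JWT it uses as token_reviewer_jwt; nothing
# else in this chart requires the binding, so remove it if the reviewer JWT
# is ever switched to Vault's own service account. Templated scalars are
# quoted to keep them strings.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: vault-bootstrap-auth-delegator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - kind: ServiceAccount
    name: "{{ .Values.vaultBootstrap.serviceAccountName }}"
    namespace: "{{ .Values.namespaces.vault }}"
{{- end }}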