From fa24f224ee2eee8d20584d8ab8cf9b0a44af4a3b Mon Sep 17 00:00:00 2001
From: Mayne0213
Date: Wed, 17 Dec 2025 16:25:49 +0900
Subject: [PATCH] FEAT(vault): add clustersecretstore - for vault-backend
- Create cluster-wide secret store for External Secrets Operator
- Configure Kubernetes auth with external-secrets service account
- Enable all namespaces to access Vault secrets via ClusterSecretStore
---
 vault/cluster-secret-store.yaml | 17 +++++++++++++++++
 vault/kustomization.yaml | 7 ++++++-
 2 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 vault/cluster-secret-store.yaml
diff --git a/vault/cluster-secret-store.yaml b/vault/cluster-secret-store.yaml
new file mode 100644
index 0000000..23f3dc3
--- /dev/null
+++ b/vault/cluster-secret-store.yaml
@@ -0,0 +1,17 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+ name: vault-backend
+spec:
+ provider:
+ vault:
+ server: http://vault.vault.svc.cluster.local:8200
+ path: secret
+ version: v2
+ auth:
+ kubernetes:
+ mountPath: kubernetes
+ role: external-secrets
+ serviceAccountRef:
+ name: external-secrets
+ namespace: external-secrets
diff --git a/vault/kustomization.yaml b/vault/kustomization.yaml
index 3307b26..0ceedfe 100644
--- a/vault/kustomization.yaml
+++ b/vault/kustomization.yaml
@@ -4,4 +4,9 @@ kind: Kustomization
 resources:
 # ArgoCD Application 리소스는 infrastructure/kustomization.yaml에서 관리
 # - argocd/vault.yaml
- # - argocd/vault-secrets.yaml
\ No newline at end of file
+ # - argocd/vault-secrets.yaml
+
+ # External Secrets integration
+ # ServiceAccount is managed by external-secrets Helm chart
+ - cluster-secret-store.yaml
+ # vault-config-job.yaml은 삭제됨 (민감한 정보 포함으로 인해 .md 파일로 대체)
\ No newline at end of file
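Review bot: `server: http://vault.vault.svc.cluster.local:8200` points the new ClusterSecretStore at Vault over plaintext HTTP, so the service-account JWT presented during Kubernetes auth, the Vault token handed back, and every secret value read through this store cross the cluster network unencrypted; unless a service mesh is known to be terminating TLS for this path, change it to `https://vault.vault.svc.cluster.local:8200` and pin the server certificate with `caBundle` or `caProvider` under `spec.provider.vault`. Because this is a cluster-scoped store bound to one `serviceAccountRef`, an ExternalSecret in any namespace reads Vault as the same `external-secrets` role, so the Vault policy attached to that role is the only control on what each namespace can pull; if that policy is broad, `spec.conditions` with a namespace selector can limit which namespaces may reference the store. `external-secrets.io/v1beta1` is, as far as I recall, the older API version that newer ESO releases have superseded with `v1`; confirm it is still served by the installed operator before relying on it.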
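Review bot: The added comment `# vault-config-job.yaml은 삭제됨 (민감한 정보 포함으로 인해 .md 파일로 대체)` says the job manifest was removed because it contained sensitive data, but removing a file from the tree leaves its contents in git history, so whatever credentials it held should be treated as exposed and rotated (and the history scrubbed if the repository is shared), and the replacement `.md` file it mentions must not carry the same values. The comment is also in Korean while the neighbouring `# External Secrets integration` and `# ServiceAccount is managed by external-secrets Helm chart` lines are English; for consistency consider `# vault-config-job.yaml was removed: it contained sensitive data (now documented in a .md file)`. The file still ends without a trailing newline (`\ No newline at end of file`), which this commit could have fixed while touching the last line.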