FEAT(vault): add clustersecretstore

- for vault-backend - Create cluster-wide secret store for External Secrets Operator - Configure Kubernetes auth with external-secrets service account - Enable all namespaces to access Vault secrets via ClusterSecretStore
2025-12-17 16:25:49 +09:00
parent 05a5de7c0f
commit fa24f224ee
2 changed files with 23 additions and 1 deletions
--- a/vault/cluster-secret-store.yaml
+++ b/vault/cluster-secret-store.yaml
@@ -0,0 +1,17 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: vault-backend
+spec:
+  provider:
+    vault:
+      server: http://vault.vault.svc.cluster.local:8200
+      path: secret
+      version: v2
+      auth:
+        kubernetes:
+          mountPath: kubernetes
+          role: external-secrets
+          serviceAccountRef:
+            name: external-secrets
+            namespace: external-secrets
--- a/vault/kustomization.yaml
+++ b/vault/kustomization.yaml
@@ -4,4 +4,9 @@ kind: Kustomization
 resources:
  # ArgoCD Application 리소스는 infrastructure/kustomization.yaml에서 관리
  # - argocd/vault.yaml
-  # - argocd/vault-secrets.yaml
+  # - argocd/vault-secrets.yaml
+
+  # External Secrets integration
+  # ServiceAccount is managed by external-secrets Helm chart
+  - cluster-secret-store.yaml
+  # vault-config-job.yaml은 삭제됨 (민감한 정보 포함으로 인해 .md 파일로 대체)