add vault token syncer

Author: soerenschneider

apps/monitoring/prometheus-vault-token-sync/cronjob.yaml

@@ -0,0 +1,61 @@
+---
+apiVersion: batch/v1
+kind: "CronJob"
+metadata:
+  name: "prometheus-vault-token-syncer"
+spec:
+  schedule: "*/6 * * * *"
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    spec:
+      backoffLimit: 0
+      template:
+        spec:
+          restartPolicy: Never
+          securityContext:
+            runAsUser: 23764
+            runAsGroup: 23764
+            fsGroup: 23764
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
+          serviceAccountName: prometheus-vault-token-syncer
+          containers:
+            - name: "prometheus-vault-token-syncer"
+              image: "ghcr.io/soerenschneider/prometheus-vault-token-syncer:latest"
+              imagePullPolicy: "IfNotPresent"
+              env:
+                - name: "VAULT_MOUNT_PATH"
+                  value: "kubernetes"
+                - name: "VAULT_ADDR"
+                  value: "https://vault.ha.soeren.cloud"
+                - name: "VAULT_ROLE"
+                  value: "monitoring"
+                - name: "SECRET_NAMESPACE"
+                  valueFrom:
+                    fieldRef:
+                      fieldPath: metadata.namespace
+              securityContext:
+                runAsUser: 23764
+                runAsGroup: 23764
+                runAsNonRoot: true
+                privileged: false
+                readOnlyRootFilesystem: true
+                allowPrivilegeEscalation: false
+                seccompProfile:
+                  type: RuntimeDefault
+                capabilities:
+                  drop:
+                    - ALL
+              resources:
+                requests:
+                  memory: "64Mi"
+                  cpu: "5m"
+                limits:
+                  memory: "1Gi"
+              volumeMounts:
+                - name: storage
+                  mountPath: /data
+          volumes:
+            - name: storage
+              emptyDir: {}

apps/monitoring/prometheus-vault-token-sync/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - cronjob.yaml
+  - rbac.yaml

apps/monitoring/prometheus-vault-token-sync/rbac.yaml

@@ -0,0 +1,30 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: prometheus-vault-token-syncer
+  namespace: monitoring
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: secret-writer
+  namespace: monitoring
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["create", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: prometheus-vault-token-syncer-binding
+  namespace: monitoring
+subjects:
+  - kind: ServiceAccount
+    name: prometheus-vault-token-syncer
+    namespace: monitoring
+roleRef:
+  kind: Role
+  name: secret-writer
+  apiGroup: rbac.authorization.k8s.io

apps/monitoring/prometheus/components/tokens/kustomization.yaml

@@ -0,0 +1,21 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+patches:
+  - target:
+      kind: Deployment
+      name: prometheus
+    patch: |
+      - op: add
+        path: /spec/template/spec/volumes/-
+        value:
+          name: tokens
+          secret:
+            secretName: prometheus-vault-token
+            optional: true
+      - op: add
+        path: /spec/template/spec/containers/0/volumeMounts/-
+        value:
+          name: tokens
+          mountPath: /etc/tokens
+          readOnly: true