feat: migrate vso-system to ArgoCD (#81)

Migrate Vault Secrets Operator from Terragrunt to ArgoCD/Kustomize.
Deploys vault-secrets-operator v1.2.0 with 3 replicas, plus ClusterRole,
ClusterRoleBindings, and vault-admin ServiceAccount.

Note: static service account tokens (kubernetes.io/service-account-token)
cannot be stored in git; create manually or via Vault after deployment.

💘 Generated with Crush

Assisted-by: Claude Sonnet 4.6 via Crush <crush@charm.land>

Reviewed-on: #81
This commit was merged in pull request #81.
This commit is contained in:
2026-04-07 19:33:50 +10:00
parent b100f3034e
commit f0bdc0231a
10 changed files with 125 additions and 0 deletions
@@ -0,0 +1,12 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/name: vault-service-account-admin
app.kubernetes.io/part-of: vault-secrets-system
name: vso-system-vault-service-account-admin
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
@@ -0,0 +1,32 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: rbac
app.kubernetes.io/part-of: vault-secrets-operator
name: vso-system-vault-secrets-operator-auth-delegator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: vault-secrets-operator-controller-manager
namespace: vso-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/name: vso-system-vault-admin-binding
app.kubernetes.io/part-of: vault-secrets-system
name: vso-system-vault-admin-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: vso-system-vault-service-account-admin
subjects:
- kind: ServiceAccount
name: vso-system-vault-admin
namespace: vso-system
+9
View File
@@ -0,0 +1,9 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- serviceaccount_vault-admin.yaml
- clusterrole_vault-service-account-admin.yaml
- clusterrolebindings.yaml
+7
View File
@@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
labels:
app.kubernetes.io/name: vso-system
name: vso-system
@@ -0,0 +1,9 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/name: vault-admin
app.kubernetes.io/part-of: vault-secrets-system
name: vso-system-vault-admin
namespace: vso-system