feat: migrate vso-system to ArgoCD (#81)

Migrate Vault Secrets Operator from Terragrunt to ArgoCD/Kustomize.
Deploys vault-secrets-operator v1.2.0 with 3 replicas, plus ClusterRole,
ClusterRoleBindings, and vault-admin ServiceAccount.

Note: static service account tokens (kubernetes.io/service-account-token)
cannot be stored in git; create manually or via Vault after deployment.

💘 Generated with Crush

Assisted-by: Claude Sonnet 4.6 via Crush <crush@charm.land>

Reviewed-on: #81
This commit was merged in pull request #81.
2026-04-07 19:33:50 +10:00
parent b100f3034e
commit f0bdc0231a
10 changed files with 125 additions and 0 deletions
@@ -0,0 +1,24 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: vso-system
resources:
- ../../../base/vso-system
helmCharts:
- name: vault-secrets-operator
repo: https://helm.releases.hashicorp.com
version: "1.2.0"
releaseName: vault-secrets-operator
namespace: vso-system
valuesFile: values.yaml
patches:
- path: patch_vaultauth-remove-namespace.yaml
target:
group: secrets.hashicorp.com
version: v1beta1
kind: VaultAuth
name: default
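Review bot: The `helmCharts` entry pins `vault-secrets-operator` only by `version: "1.2.0"`, so whatever `https://helm.releases.hashicorp.com` serves under that version is rendered at build time and nothing in git records the chart's content. For an operator that handles Vault credentials, consider committing the pulled chart next to this kustomization so its templates are reviewed like any other manifest, or at least record the assumption above the entry with `# chart is fetched at render time; content is not pinned by digest`. Separately, `includeCRDs` is not set and Kustomize leaves chart CRDs out by default, so the patched `VaultAuth` object can only apply if the CRDs arrive some other way, presumably via `../../../base/vso-system`, which is not visible here.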
@@ -0,0 +1,2 @@
- op: remove
path: /spec/namespace
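Review bot: The patch drops `/spec/namespace` from the default `VaultAuth` without saying why, and that field selects the Vault namespace the login request is sent to, so the reason belongs in the file. A leading comment such as `# chart renders spec.namespace from defaultAuthMethod.namespace (""); remove the empty field` would do, if that is indeed the reason. A JSON Patch `remove` fails the build when the path is absent, so a chart upgrade that stops rendering the field will surface here rather than pass silently; that is worth stating in the same comment.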
@@ -0,0 +1,28 @@
defaultVaultConnection:
enabled: true
address: "https://vault.service.consul:8200"
skipTLSVerify: false
caCertSecret: "vault-ca-cert"
defaultAuthMethod:
enabled: true
method: "kubernetes"
mount: "k8s/au/syd1"
namespace: ""
kubernetes:
role: "default"
serviceAccount: "vault-secrets-operator-controller-manager"
tokenAudiences: ["vault"]
controller:
replicas: 3
resources:
limits:
cpu: 500m
memory: 256Mi
requests:
cpu: 50m
memory: 128Mi
globalVaultAuth:
enabled: true
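Review bot: `defaultAuthMethod` makes every secret resource that falls back to the default auth log in to Vault as `vault-secrets-operator-controller-manager` with role `default` on mount `k8s/au/syd1`, so that one role's policies bound what any consumer of the default can read, and the values file does not say how it is scoped. I would add a comment above `kubernetes:` such as `# Vault role "default" must be bound to this service account in vso-system with audience "vault", and grant read access only to the paths synced through the default auth`. It is also worth confirming that `allowedNamespaces` is deliberately left unset for the default auth method, assuming this chart version exposes it. Indentation is flattened in this rendering, so I cannot tell where `resources` and `globalVaultAuth` nest; confirm they sit under keys the chart actually reads, since Helm ignores unknown values unless the chart's schema rejects them.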