From d97e1d62ce07a91791b69271c72473c79f8680d3 Mon Sep 17 00:00:00 2001
From: Kochetkov S
Date: Tue, 21 Apr 2026 14:52:27 +0300
Subject: [PATCH] add bi rmq
---
 .../service-bootstrap-jobs.yaml | 42 +++++++++++++++++--
 1 file changed, 39 insertions(+), 3 deletions(-)
diff --git a/clusters/yc-k8s-test/infrastructure/bootstrap-jobs/service-bootstrap-jobs.yaml b/clusters/yc-k8s-test/infrastructure/bootstrap-jobs/service-bootstrap-jobs.yaml
index 031c05d..0ec4134 100644
--- a/clusters/yc-k8s-test/infrastructure/bootstrap-jobs/service-bootstrap-jobs.yaml
+++ b/clusters/yc-k8s-test/infrastructure/bootstrap-jobs/service-bootstrap-jobs.yaml
@@ -14,15 +14,27 @@ spec:
 spec:
 restartPolicy: OnFailure
 serviceAccountName: rabbitmq
+ automountServiceAccountToken: false
+ volumes:
+ - name: sa-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: token
+ expirationSeconds: 3600
 containers:
 - name: bootstrap
 image: alpine:3.20
+ volumeMounts:
+ - name: sa-token
+ mountPath: /var/run/secrets/tokens
+ readOnly: true
 command: ["/bin/sh", "-ec"]
 args:
 - |
 apk add --no-cache curl jq >/dev/null
 VAULT_ADDR="http://vault-vault-contour.vault.svc:8200"
- JWT="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
+ JWT="$(cat /var/run/secrets/tokens/token)"
 VAULT_TOKEN="$(curl -sS --request POST \
 --data "{\"role\":\"rabbitmq\",\"jwt\":\"${JWT}\"}" \
 "${VAULT_ADDR}/v1/auth/kubernetes/login" | jq -r '.auth.client_token')"
@@ -91,9 +103,21 @@ spec:
 spec:
 restartPolicy: OnFailure
 serviceAccountName: minio-sa
+ automountServiceAccountToken: false
+ volumes:
+ - name: sa-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: token
+ expirationSeconds: 3600
 containers:
 - name: bootstrap
 image: alpine:3.20
+ volumeMounts:
+ - name: sa-token
+ mountPath: /var/run/secrets/tokens
+ readOnly: true
 command: ["/bin/sh", "-ec"]
 args:
 - |
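Review bot: The `serviceAccountToken` source added under `volumes` sets `path` and `expirationSeconds` but no `audience`, so the projected token is issued for the API server's default audience and stays usable against the Kubernetes API for its full hour, not only at Vault's `auth/kubernetes/login`. Adding `audience: vault` (a constructed value; use whatever the Vault roles are configured to expect) next to `path: token`, and binding the same audience on the `rabbitmq` Vault role, would confine a leaked token to the Vault login. The minio and kafka hunks add the same block and need the same line, though a job that also calls the Kubernetes API would then need a second token for that purpose. Whether the Vault roles already pin an audience is not visible in this patch.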
@@ -102,7 +126,7 @@ spec: chmod +x /usr/local/bin/mc VAULT_ADDR="http://vault-vault-contour.vault.svc:8200" - JWT="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" + JWT="$(cat /var/run/secrets/tokens/token)" VAULT_TOKEN="$(curl -sS --request POST \ --data "{\"role\":\"minio\",\"jwt\":\"${JWT}\"}" \ "${VAULT_ADDR}/v1/auth/kubernetes/login" | jq -r '.auth.client_token')" @@ -168,16 +192,28 @@ spec: spec: restartPolicy: OnFailure serviceAccountName: kafka-kafka-contour + automountServiceAccountToken: false + volumes: + - name: sa-token + projected: + sources: + - serviceAccountToken: + path: token + expirationSeconds: 3600 containers: - name: bootstrap image: alpine:3.20 + volumeMounts: + - name: sa-token + mountPath: /var/run/secrets/tokens + readOnly: true command: ["/bin/sh", "-ec"] args: - | apk add --no-cache bash curl jq kubectl >/dev/null VAULT_ADDR="http://vault-vault-contour.vault.svc:8200" - JWT="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" + JWT="$(cat /var/run/secrets/tokens/token)" VAULT_TOKEN="$(curl -sS --request POST \ --data "{\"role\":\"kafka\",\"jwt\":\"${JWT}\"}" \ "${VAULT_ADDR}/v1/auth/kubernetes/login" | jq -r '.auth.client_token')"
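Review bot: The token read on the new `JWT=` line is still posted to `VAULT_ADDR="http://vault-vault-contour.vault.svc:8200"`, so the service-account JWT and the returned `client_token` cross the pod network unencrypted unless something outside this file encrypts that hop. The shorter-lived projected token narrows the exposure but does not remove it. If Vault has a TLS listener, switching the address to `https://` and passing the CA to curl with `--cacert` would close it. The rabbitmq and kafka jobs use the same address, and the script continues outside this hunk.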
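Review bot: The kafka job installs `kubectl` (`apk add --no-cache bash curl jq kubectl`), but with `automountServiceAccountToken: false` the default `/var/run/secrets/kubernetes.io/serviceaccount/` directory (token, `ca.crt`, `namespace`) is no longer mounted, and the projected volume supplies only `token` under `/var/run/secrets/tokens`. If the rest of the script, which lies outside this hunk, relies on kubectl's in-cluster configuration, those calls will presumably fail to find credentials. Either pass `--token`, `--server` and `--certificate-authority` to kubectl explicitly, or add a `configMap` source for `kube-root-ca.crt` and a `downwardAPI` source for the namespace to a projected volume mounted at the default path. The rabbitmq and minio jobs do not install kubectl in the lines shown, so this appears to affect only this job.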