add bi rmq

2026-04-21 14:52:27 +03:00 · 2026-04-21 14:52:27 +03:00 · d97e1d62ce
commit d97e1d62ce
parent dca654690b
1 changed files with 39 additions and 3 deletions
--- a/clusters/yc-k8s-test/infrastructure/bootstrap-jobs/service-bootstrap-jobs.yaml
+++ b/clusters/yc-k8s-test/infrastructure/bootstrap-jobs/service-bootstrap-jobs.yaml
@ -14,15 +14,27 @@ spec:
        spec:
          restartPolicy: OnFailure
          serviceAccountName: rabbitmq
+          automountServiceAccountToken: false
+          volumes:
+            - name: sa-token
+              projected:
+                sources:
+                  - serviceAccountToken:
+                      path: token
+                      expirationSeconds: 3600
          containers:
            - name: bootstrap
              image: alpine:3.20
+              volumeMounts:
+                - name: sa-token
+                  mountPath: /var/run/secrets/tokens
+                  readOnly: true
              command: ["/bin/sh", "-ec"]
              args:
                - |
                  apk add --no-cache curl jq >/dev/null
                  VAULT_ADDR="http://vault-vault-contour.vault.svc:8200"
-                  JWT="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
+                  JWT="$(cat /var/run/secrets/tokens/token)"
                  VAULT_TOKEN="$(curl -sS --request POST \
                    --data "{\"role\":\"rabbitmq\",\"jwt\":\"${JWT}\"}" \
                    "${VAULT_ADDR}/v1/auth/kubernetes/login" | jq -r '.auth.client_token')"
@ -91,9 +103,21 @@ spec:
        spec:
          restartPolicy: OnFailure
          serviceAccountName: minio-sa
+          automountServiceAccountToken: false
+          volumes:
+            - name: sa-token
+              projected:
+                sources:
+                  - serviceAccountToken:
+                      path: token
+                      expirationSeconds: 3600
          containers:
            - name: bootstrap
              image: alpine:3.20
+              volumeMounts:
+                - name: sa-token
+                  mountPath: /var/run/secrets/tokens
+                  readOnly: true
              command: ["/bin/sh", "-ec"]
              args:
                - |
@ -102,7 +126,7 @@ spec:
                  chmod +x /usr/local/bin/mc

                  VAULT_ADDR="http://vault-vault-contour.vault.svc:8200"
-                  JWT="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
+                  JWT="$(cat /var/run/secrets/tokens/token)"
                  VAULT_TOKEN="$(curl -sS --request POST \
                    --data "{\"role\":\"minio\",\"jwt\":\"${JWT}\"}" \
                    "${VAULT_ADDR}/v1/auth/kubernetes/login" | jq -r '.auth.client_token')"
@ -168,16 +192,28 @@ spec:
        spec:
          restartPolicy: OnFailure
          serviceAccountName: kafka-kafka-contour
+          automountServiceAccountToken: false
+          volumes:
+            - name: sa-token
+              projected:
+                sources:
+                  - serviceAccountToken:
+                      path: token
+                      expirationSeconds: 3600
          containers:
            - name: bootstrap
              image: alpine:3.20
+              volumeMounts:
+                - name: sa-token
+                  mountPath: /var/run/secrets/tokens
+                  readOnly: true
              command: ["/bin/sh", "-ec"]
              args:
                - |
                  apk add --no-cache bash curl jq kubectl >/dev/null

                  VAULT_ADDR="http://vault-vault-contour.vault.svc:8200"
-                  JWT="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
+                  JWT="$(cat /var/run/secrets/tokens/token)"
                  VAULT_TOKEN="$(curl -sS --request POST \
                    --data "{\"role\":\"kafka\",\"jwt\":\"${JWT}\"}" \
                    "${VAULT_ADDR}/v1/auth/kubernetes/login" | jq -r '.auth.client_token')"