chore: use vault (via vso) to get app secrets

.kontinuous/env/dev/templates/vaultsecrets.yaml

@@ -0,0 +1,135 @@
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  name: vault
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: vault
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: vault
+roleRef:
+  kind: Role
+  name: vault
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+  name: vault
+  namespace: vault
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: kyverno-create-vault-secrets
+rules:
+- apiGroups:
+  - secrets.hashicorp.com
+  resources:
+  - vaultstaticsecrets
+  verbs:
+  - create
+  - update
+  - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: kyverno-create-vault-secrets
+roleRef:
+  kind: Role
+  name: kyverno-create-vault-secrets
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+  name: kyverno-background-controller
+  namespace: kyverno
+---
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  name: refresh-vault-secrets
+spec:
+  background: false
+  rules:
+  - name: update-vault-secret-annotation
+    match:
+      resources:
+        kinds:
+        - Pod
+        operations:
+        - CREATE
+    context:
+    - name: secretvolumes
+      variable:
+        jmesPath: "request.object.spec.volumes[?secret].secret.secretName"
+        default: []
+    - name: secretenvfrom
+      variable:
+        jmesPath: "request.object.spec.containers[?envFrom].envFrom[].secretRef.name"
+        default: []
+    - name: secretenvvaluefrom
+      variable:
+        jmesPath: "request.object.spec.containers[?env].env[].valueFrom.secretKeyRef.name"
+        default: []
+    preconditions:
+      any:
+      - key: "{{ `{{ length(secretvolumes) }}` }}"
+        operator: GreaterThan
+        value: 0
+      - key: "{{ `{{ length(secretenvfrom) }}` }}"
+        operator: GreaterThan
+        value: 0
+      - key: "{{ `{{ length(secretenvvaluefrom) }}` }}"
+        operator: GreaterThan
+        value: 0
+    generate:
+      synchronize: true
+      apiVersion: secrets.hashicorp.com/v1beta1
+      kind: VaultStaticSecret
+      name: vault-app
+      namespace: carnets-vault-refresh-test
+      data:
+        metadata:
+          name: vault-app
+          labels:
+            app: carnet-standup
+          annotations:
+            fabrique.social.gouv.fr/refresh-time: "{{ `{{ request.object.metadata.creationTimestamp }}` }}"
+        spec:
+          destination:
+            create: true
+            name: app
+            overwrite: false
+            transformation: {}
+          hmacSecretData: true
+          refreshAfter: 24h
+          mount: secret/carnets-standup/dev
+          path: app-dev
+          type: kv-v2
+          vaultAuthRef: static-auth
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: static-auth
+spec:
+  kubernetes:
+    audiences:
+    - vault
+    role: carnets-standup-dev-app
+    serviceAccount: vault
+    tokenExpirationSeconds: 600
+  method: kubernetes
+  mount: ovh-dev