mirror of
https://github.com/holos-run/holos.git
synced 2026-03-21 17:55:01 +00:00
This patch adds the `eso-creds-refresher` CronJob which executes every 8 hours in the holos-system namespace of each workload cluster. The job creates Secrets with a `token` field representing the ID token credential for a SecretStore to use when synchronizing secrets to and from the provisioner cluster. Service accounts in the provisioner cluster are selected with selector=holos.run/job.name=eso-creds-refresher. Each selected service account has a token issued with a 12-hour expiration TTL, and the token is stored in a Secret matching the service account name in the same namespace in the workload cluster. The job takes about 25 seconds to run once the image is cached on the node.
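The 8 hour schedule and 12 hour TTL described above leave a 4 hour overlap, so a token with less than 4 hours remaining means a scheduled refresh did not replace it. The following monitoring check is an added example, not code from the holos repository; it assumes the `token` field holds a JWT with an `exp` claim, and the function names and the sample token are constructed for illustration.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

REFRESH_INTERVAL = timedelta(hours=8)  # CronJob schedule from the commit message
TOKEN_TTL = timedelta(hours=12)        # token expiration from the commit message


def jwt_claims(token: str) -> dict:
    """Decode the JWT payload without verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def remaining(token: str, now: datetime) -> timedelta:
    """Time left before the token's exp claim."""
    exp = datetime.fromtimestamp(jwt_claims(token)["exp"], tz=timezone.utc)
    return exp - now


def status(token: str, now: datetime) -> str:
    """Classify a stored token as fresh, stale (a refresh was missed) or expired."""
    left = remaining(token, now)
    if left <= timedelta(0):
        return "expired"
    # Less than TTL minus interval left: the token is older than one refresh cycle.
    if left < TOKEN_TTL - REFRESH_INTERVAL:
        return "stale"
    return "fresh"


def make_sample_token(issued: datetime) -> str:
    """Constructed, unsigned sample token; not a real credential."""
    def b64(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    claims = {"iat": int(issued.timestamp()),
              "exp": int((issued + TOKEN_TTL).timestamp())}
    return ".".join([b64({"alg": "none"}), b64(claims), "sig"])


if __name__ == "__main__":
    issued = datetime(2024, 1, 1, tzinfo=timezone.utc)
    token = make_sample_token(issued)
    for hours in (1, 9, 13):  # normal, one missed run, past expiry
        print(hours, status(token, issued + timedelta(hours=hours)))
```

A single missed run leaves the SecretStore working for only the last 4 hours of the token's life, so alerting on `stale` gives warning before synchronization fails.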