From 00b86c3d3a8761f1ceac0c3c5aed365fc33c2f09 Mon Sep 17 00:00:00 2001
From: ixxeL2097
Date: Sat, 18 Apr 2026 15:40:06 +0200
Subject: [PATCH 1/3] fix(taskfile): allow cluster override via CLI in vault auth setup
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The hardcoded `cluster: genmachine` task-level var in vault entry tasks prevented `task vault:eso-auth-setup cluster=k0s` from targeting a different cluster — task-level vars win over CLI in Taskfile v3.
- Replace the hardcoded default with `requires: vars: [cluster]` so the cluster name must be passed explicitly on the CLI
- Extract `kubernetes_host` dynamically from the current kubectl context instead of the hardcoded K8S_API root var, so configuring auth follows whichever cluster kubectl is pointed at
- Drop the now-unused K8S_API root var
Co-Authored-By: Claude Opus 4.7
---
 .taskfiles/vault/Taskfile.yaml | 18 +++++++++++-------
 Taskfile.yaml | 1 -
 2 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/.taskfiles/vault/Taskfile.yaml b/.taskfiles/vault/Taskfile.yaml
index ce480cb78..16bc09019 100644
--- a/.taskfiles/vault/Taskfile.yaml
+++ b/.taskfiles/vault/Taskfile.yaml
@@ -5,8 +5,9 @@ version: '3'
 tasks:
 oicd-setup:
 desc: Configure k8s auth for Vault External Secrets
- vars:
- cluster: genmachine
+ requires:
+ vars:
+ - cluster
 cmds:
 - task: enable-vault-oidc
 vars:
@@ -14,8 +15,9 @@ tasks:
 
 eso-auth-setup:
 desc: Configure k8s auth for Vault External Secrets
- vars:
- cluster: genmachine
+ requires:
+ vars:
+ - cluster
 cmds:
 - task: enable-vault-k8s
 vars:
@@ -35,8 +37,9 @@ tasks:
 
 certmanager-auth-setup:
 desc: Configure k8s auth for Vault Certmanager
- vars:
- cluster: genmachine
+ requires:
+ vars:
+ - cluster
 cmds:
 - task: enable-vault-k8s
 vars:
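Review bot: `requires: vars: [cluster]` in `oicd-setup` only checks that the variable is set, not that it names a known cluster, and the same holds for the identical hunks in `eso-auth-setup` and `certmanager-auth-setup`. Because the value is interpolated into the Vault auth mount `auth/{{.cluster}}-k8s/config` (see the later hunk), a mistyped `cluster=` would configure, and per the commit message create, a mount that no manifest references, and nothing would fail until an ESO or cert-manager login did. If the Task version in use supports enum constraints on required vars, replace `- cluster` with `- name: cluster` / `enum: [genmachine, beelink]` (names taken from this series), which also documents the valid values in place of the dropped default; otherwise a one-line `preconditions:` check on the value would do the same. Separately, `oicd-setup`'s `desc` on the context line still reads `Configure k8s auth for Vault External Secrets`, which describes the ESO task rather than the OIDC one. Each task definition continues past the end of its hunk.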
@@ -84,10 +87,11 @@ tasks:
 sleep 5
 done
 kubectl config view --raw --minify --flatten -o jsonpath='{.clusters[].cluster.certificate-authority-data}' | base64 --decode > ca.crt
+ K8S_HOST="$(kubectl config view --raw --minify -o jsonpath='{.clusters[0].cluster.server}')"
 TOKEN="$(kubectl get secret -n {{.namespace}} {{.service_account}} -o jsonpath='{.data.token}' | base64 -d)"
 vault write -tls-skip-verify -address={{.VAULT_ENDPOINT}} \
 auth/{{.cluster}}-k8s/config token_reviewer_jwt="$TOKEN" \
- kubernetes_host="https://{{.K8S_API}}:6443" \
+ kubernetes_host="$K8S_HOST" \
 kubernetes_ca_cert=@ca.crt
 rm ca.crt
 requires:
diff --git a/Taskfile.yaml b/Taskfile.yaml
index 995a67b47..b0f80b49a 100644
--- a/Taskfile.yaml
+++ b/Taskfile.yaml
@@ -17,7 +17,6 @@ vars:
 VAULT_ENDPOINT: 'https://vault.k0s-fullstack.fredcorp.com'
 AUTHENTIK_ENDPOINT_GENMACHINE: 'https://authentik.talos-genmachine.fredcorp.com'
 AUTHENTIK_ENDPOINT_BEELINK: 'https://authentik.k0s-fullstack.fredcorp.com'
- K8S_API: 'talos-cluster.genmachine.fredcorp.com'
 MINIO_API: 'minio-api.talos-genmachine.fredcorp.com'
 
 includes:

From 94f238fe1499435c1bd19a341aadb0ceaad13f34 Mon Sep 17 00:00:00 2001
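Review bot: The new `K8S_HOST` line reads the API server from whatever kubectl context is current, while the mount it is written to, `auth/{{.cluster}}-k8s/config`, is chosen by the `cluster` var passed on the CLI; nothing in the hunk ties the two together, so `cluster=beelink` run with kubectl pointed at genmachine would store genmachine's server, CA and reviewer token under the beelink mount and Vault would then verify beelink logins against the wrong API server. The same mismatch was already possible for `ca.crt` and `TOKEN` on the surrounding context lines, but this change makes the host follow the context as well, removing the last fixed reference. A guard that asserts the current context matches the requested cluster, in whatever naming convention the kubeconfig uses, turns the mistake into an immediate failure: `[ "$(kubectl config current-context)" = "{{.cluster}}" ] || { echo "kubectl context is not {{.cluster}}" >&2; exit 1; }`. The `$(...)` can also expand to an empty string when the jsonpath matches nothing, in which case `vault write` is called with `kubernetes_host=""`; `[ -n "$K8S_HOST" ] || exit 1` right after the assignment covers that. The cmd script this hunk belongs to starts before the hunk.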
From: ixxeL2097
Date: Sat, 18 Apr 2026 15:43:31 +0200
Subject: [PATCH 2/3] fix(external-secrets): align beelink ClusterSecretStore with cluster/role convention
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The beelink ClusterSecretStore authenticated against Vault via `mountPath: kubernetes` + `role: external-secrets`, which didn't match the naming convention enforced by `.taskfiles/vault/Taskfile.yaml` (`{{.cluster}}-k8s/` mount, `eso` role) — same convention already used by the genmachine manifest.
Align the beelink manifest on the same convention so ESO can authenticate against the mount created by `task vault:eso-auth-setup cluster=beelink`.
Co-Authored-By: Claude Opus 4.7
---
 .../beelink/templates/clusterSecretStore.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gitops/manifests/external-secrets/beelink/templates/clusterSecretStore.yaml b/gitops/manifests/external-secrets/beelink/templates/clusterSecretStore.yaml
index 1864f5c40..2c09220ae 100644
--- a/gitops/manifests/external-secrets/beelink/templates/clusterSecretStore.yaml
+++ b/gitops/manifests/external-secrets/beelink/templates/clusterSecretStore.yaml
@@ -16,8 +16,8 @@ spec:
 key: fredcorp-ca-chain.pem
 auth:
 kubernetes:
- mountPath: kubernetes
- role: external-secrets
+ mountPath: beelink-k8s
+ role: eso
 serviceAccountRef:
 name: eso-auth
 namespace: external-secrets

From e7f742ecbece641349a2e18e561d4acc2f641479 Mon Sep 17 00:00:00 2001
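Review bot: `mountPath: beelink-k8s` and `role: eso` are now the manifest half of a contract whose other half lives in `.taskfiles/vault/Taskfile.yaml`, but the template does not say so, and the cluster name is repeated as a literal inside a `templates/` file. A comment above `mountPath`, such as `# must match the Vault auth mount created by: task vault:eso-auth-setup cluster=beelink`, would keep the two sides in sync when the next cluster is added. If the chart already exposes the cluster name as a value, deriving the mount path from it rather than hardcoding `beelink-k8s` would be cleaner; the values file is not visible from the hunk. Note also the ordering dependency: until that task has been run for beelink, this store cannot authenticate, which is worth a line in the template.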
From: ixxeL2097
Date: Sat, 18 Apr 2026 15:55:50 +0200
Subject: [PATCH 3/3] fix(cert-manager): align k0s ClusterIssuer naming with taskfile convention
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The k0s ClusterIssuer referenced `mountPath: /v1/auth/kubernetes`, role `certmanager-vault-auth-k0s`, and SA/Secret `certmanager-vault-auth-k0s`, but `.taskfiles/vault/Taskfile.yaml` creates `{{.cluster}}-k8s/` mounts with role `certmanager` and looks up SA `certmanager-auth` — causing `task vault:certmanager-auth-setup cluster=beelink` to hang on "ServiceAccount certmanager-auth not found".
Align the k0s manifest with the genmachine convention already in use:
- mountPath → /v1/auth/beelink-k8s
- role → certmanager
- SA + Secret → certmanager-auth
Co-Authored-By: Claude Opus 4.7
---
 .../cert-manager/k0s/templates/clusterIssuer.yaml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/gitops/manifests/cert-manager/k0s/templates/clusterIssuer.yaml b/gitops/manifests/cert-manager/k0s/templates/clusterIssuer.yaml
index 97b4f579e..1879ade5a 100644
--- a/gitops/manifests/cert-manager/k0s/templates/clusterIssuer.yaml
+++ b/gitops/manifests/cert-manager/k0s/templates/clusterIssuer.yaml
@@ -47,10 +47,10 @@ spec:
 name: root-ca-chain
 auth:
 kubernetes:
- mountPath: /v1/auth/kubernetes
- role: certmanager-vault-auth-k0s
+ mountPath: /v1/auth/beelink-k8s
+ role: certmanager
 secretRef:
- name: certmanager-vault-auth-k0s
+ name: certmanager-auth
 key: token
 ---
 apiVersion: rbac.authorization.k8s.io/v1
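Review bot: The file sits under `cert-manager/k0s/` yet the new `mountPath` is `/v1/auth/beelink-k8s`, while the ESO counterpart of this fix lives under `external-secrets/beelink/`, so the same cluster is now called `k0s` in one path and `beelink` in the mount. Presumably k0s and beelink are one cluster (the `AUTHENTIK_ENDPOINT_BEELINK` value in `Taskfile.yaml` points at a `k0s-fullstack` host), but a reader of this template cannot tell, and `task vault:certmanager-auth-setup cluster=k0s` would target a mount that was never created. A comment next to `mountPath`, e.g. `# the k0s cluster is "beelink" in .taskfiles/vault; mount created by: task vault:certmanager-auth-setup cluster=beelink`, would record that. The `secretRef` to `certmanager-auth` also relies on the Secret renamed in the next hunk living in the namespace cert-manager resolves cluster-scoped issuer secrets from; the visible lines show no namespace on that Secret, so that is worth confirming.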
@@ -63,18 +63,18 @@ roleRef:
 name: system:auth-delegator
 subjects:
 - kind: ServiceAccount
- name: certmanager-vault-auth-k0s
+ name: certmanager-auth
 namespace: cert-manager
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
- name: certmanager-vault-auth-k0s
+ name: certmanager-auth
 ---
 apiVersion: v1
 kind: Secret
 type: kubernetes.io/service-account-token
 metadata:
- name: certmanager-vault-auth-k0s
+ name: certmanager-auth
 annotations:
- kubernetes.io/service-account.name: 'certmanager-vault-auth-k0s'
+ kubernetes.io/service-account.name: 'certmanager-auth'