base/ory/vault-secrets.yaml

---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: vso-auth
  namespace: ory
spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: vso
    serviceAccount: default
---
# Hydra app secrets (non-rotating). DSN comes from VaultDynamicSecret hydra-db-creds.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: hydra
  namespace: ory
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: hydra
  refreshAfter: 30s
  destination:
    name: hydra
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        secretsSystem:
          text: "{{ index .Secrets \"system-secret\" }}"
        secretsCookie:
          text: "{{ index .Secrets \"cookie-secret\" }}"
        "pairwise-salt":
          text: "{{ index .Secrets \"pairwise-salt\" }}"
---
# Kratos non-rotating encryption keys. DSN comes from VaultDynamicSecret kratos-db-creds.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: kratos-app-secrets
  namespace: ory
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: kratos
  refreshAfter: 30s
  destination:
    name: kratos-app-secrets
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        secretsDefault:
          text: "{{ index .Secrets \"secrets-default\" }}"
        secretsCookie:
          text: "{{ index .Secrets \"secrets-cookie\" }}"
        smtpConnectionURI:
          text: "{{ index .Secrets \"smtp-connection-uri\" }}"
---
# Kratos DB credentials from OpenBao database secrets engine (static role, 24h rotation).
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: kratos-db-creds
  namespace: ory
spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/kratos
  refreshAfter: 1h
  rolloutRestartTargets:
    - kind: Deployment
      name: kratos
    - kind: StatefulSet
      name: kratos-courier
  destination:
    name: kratos-db-creds
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        dsn:
          text: "postgresql://{{ index .Secrets \"username\" }}:{{ index .Secrets \"password\" }}@postgres-rw.data.svc.cluster.local:5432/kratos_db?sslmode=disable"
---
# Login UI session cookie + CSRF protection secrets.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: login-ui-secrets
  namespace: ory
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: login-ui
  refreshAfter: 30s
  destination:
    name: login-ui-secrets
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        cookie-secret:
          text: "{{ index .Secrets \"cookie-secret\" }}"
        csrf-cookie-secret:
          text: "{{ index .Secrets \"csrf-cookie-secret\" }}"
---
# Hydra DB credentials from OpenBao database secrets engine (static role, 24h rotation).
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: hydra-db-creds
  namespace: ory
spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/hydra
  refreshAfter: 1h
  rolloutRestartTargets:
    - kind: Deployment
      name: hydra
  destination:
    name: hydra-db-creds
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        dsn:
          text: "postgresql://{{ index .Secrets \"username\" }}:{{ index .Secrets \"password\" }}@postgres-rw.data.svc.cluster.local:5432/hydra_db?sslmode=disable"
---
# Kratos Admin UI secrets.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: kratos-admin-ui-secrets
  namespace: ory
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: kratos-admin
  refreshAfter: 30s
  destination:
    name: kratos-admin-ui-secrets
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        cookie-secret:
          text: "{{ index .Secrets \"cookie-secret\" }}"
        csrf-cookie-secret:
          text: "{{ index .Secrets \"csrf-cookie-secret\" }}"
        admin-identity-ids:
          text: "{{ index .Secrets \"admin-identity-ids\" }}"
feat(ory): replace hardcoded DSN + secrets with OpenBao DB engine + VSO All Ory service credentials now flow from OpenBao through VSO instead of being hardcoded in Helm values or Deployment env vars. Kratos: - Remove config.dsn; flip secret.enabled=false with nameOverride pointing at kratos-app-secrets (a VSO-managed Secret with secretsDefault, secretsCookie, smtpConnectionURI). - Inject DSN at runtime via deployment.extraEnv from kratos-db-creds (VaultDynamicSecret backed by OpenBao database static role, 24h rotation). Hydra: - Remove config.dsn; inject DSN via deployment.extraEnv from hydra-db-creds (VaultDynamicSecret, same rotation scheme). Login UI: - Replace hardcoded COOKIE_SECRET/CSRF_COOKIE_SECRET env var values with secretKeyRef reads from login-ui-secrets (VaultStaticSecret → secret/login-ui). vault-secrets.yaml adds: VaultAuth, Hydra VSS, kratos-app-secrets VSS, login-ui-secrets VSS, kratos-db-creds VDS, hydra-db-creds VDS. 2026-03-02 18:32:33 +00:00			`---`
			`apiVersion: secrets.hashicorp.com/v1beta1`
			`kind: VaultAuth`
			`metadata:`
			`name: vso-auth`
			`namespace: ory`
			`spec:`
			`method: kubernetes`
			`mount: kubernetes`
			`kubernetes:`
			`role: vso`
			`serviceAccount: default`
			`---`
			`# Hydra app secrets (non-rotating). DSN comes from VaultDynamicSecret hydra-db-creds.`
			`apiVersion: secrets.hashicorp.com/v1beta1`
			`kind: VaultStaticSecret`
			`metadata:`
			`name: hydra`
			`namespace: ory`
			`spec:`
			`vaultAuthRef: vso-auth`
			`mount: secret`
			`type: kv-v2`
			`path: hydra`
			`refreshAfter: 30s`
			`destination:`
			`name: hydra`
			`create: true`
			`overwrite: true`
			`transformation:`
			`excludeRaw: true`
			`templates:`
			`secretsSystem:`
			`text: "{{ index .Secrets \"system-secret\" }}"`
			`secretsCookie:`
			`text: "{{ index .Secrets \"cookie-secret\" }}"`
			`"pairwise-salt":`
			`text: "{{ index .Secrets \"pairwise-salt\" }}"`
			`---`
			`# Kratos non-rotating encryption keys. DSN comes from VaultDynamicSecret kratos-db-creds.`
			`apiVersion: secrets.hashicorp.com/v1beta1`
			`kind: VaultStaticSecret`
			`metadata:`
			`name: kratos-app-secrets`
			`namespace: ory`
			`spec:`
			`vaultAuthRef: vso-auth`
			`mount: secret`
			`type: kv-v2`
			`path: kratos`
			`refreshAfter: 30s`
			`destination:`
			`name: kratos-app-secrets`
			`create: true`
			`overwrite: true`
			`transformation:`
			`excludeRaw: true`
			`templates:`
			`secretsDefault:`
			`text: "{{ index .Secrets \"secrets-default\" }}"`
			`secretsCookie:`
			`text: "{{ index .Secrets \"secrets-cookie\" }}"`
			`smtpConnectionURI:`
			`text: "{{ index .Secrets \"smtp-connection-uri\" }}"`
			`---`
			`# Kratos DB credentials from OpenBao database secrets engine (static role, 24h rotation).`
			`apiVersion: secrets.hashicorp.com/v1beta1`
			`kind: VaultDynamicSecret`
			`metadata:`
			`name: kratos-db-creds`
			`namespace: ory`
			`spec:`
			`vaultAuthRef: vso-auth`
			`mount: database`
			`path: static-creds/kratos`
			`refreshAfter: 1h`
			`rolloutRestartTargets:`
			`- kind: Deployment`
			`name: kratos`
			`- kind: StatefulSet`
			`name: kratos-courier`
			`destination:`
			`name: kratos-db-creds`
			`create: true`
			`overwrite: true`
			`transformation:`
			`excludeRaw: true`
			`templates:`
			`dsn:`
			`text: "postgresql://{{ index .Secrets \"username\" }}:{{ index .Secrets \"password\" }}@postgres-rw.data.svc.cluster.local:5432/kratos_db?sslmode=disable"`
			`---`
			`# Login UI session cookie + CSRF protection secrets.`
			`apiVersion: secrets.hashicorp.com/v1beta1`
			`kind: VaultStaticSecret`
			`metadata:`
			`name: login-ui-secrets`
			`namespace: ory`
			`spec:`
			`vaultAuthRef: vso-auth`
			`mount: secret`
			`type: kv-v2`
			`path: login-ui`
			`refreshAfter: 30s`
			`destination:`
			`name: login-ui-secrets`
			`create: true`
			`overwrite: true`
			`transformation:`
			`excludeRaw: true`
			`templates:`
			`cookie-secret:`
			`text: "{{ index .Secrets \"cookie-secret\" }}"`
			`csrf-cookie-secret:`
			`text: "{{ index .Secrets \"csrf-cookie-secret\" }}"`
			`---`
			`# Hydra DB credentials from OpenBao database secrets engine (static role, 24h rotation).`
			`apiVersion: secrets.hashicorp.com/v1beta1`
			`kind: VaultDynamicSecret`
			`metadata:`
			`name: hydra-db-creds`
			`namespace: ory`
			`spec:`
			`vaultAuthRef: vso-auth`
			`mount: database`
			`path: static-creds/hydra`
			`refreshAfter: 1h`
			`rolloutRestartTargets:`
			`- kind: Deployment`
			`name: hydra`
			`destination:`
			`name: hydra-db-creds`
			`create: true`
			`overwrite: true`
			`transformation:`
			`excludeRaw: true`
			`templates:`
			`dsn:`
			`text: "postgresql://{{ index .Secrets \"username\" }}:{{ index .Secrets \"password\" }}@postgres-rw.data.svc.cluster.local:5432/hydra_db?sslmode=disable"`
feat(ory): add kratos-admin-ui service Deploy the custom Kratos admin UI (Deno/Hono + Cunningham React): - K8s Deployment + Service in ory namespace - VSO VaultStaticSecret for cookie/csrf/admin-identity-ids secrets - Pingora route for admin.DOMAIN_SUFFIX 2026-03-03 11:30:52 +00:00			`---`
			`# Kratos Admin UI secrets.`
			`apiVersion: secrets.hashicorp.com/v1beta1`
			`kind: VaultStaticSecret`
			`metadata:`
			`name: kratos-admin-ui-secrets`
			`namespace: ory`
			`spec:`
			`vaultAuthRef: vso-auth`
			`mount: secret`
			`type: kv-v2`
			`path: kratos-admin`
			`refreshAfter: 30s`
			`destination:`
			`name: kratos-admin-ui-secrets`
			`create: true`
			`overwrite: true`
			`transformation:`
			`excludeRaw: true`
			`templates:`
			`cookie-secret:`
			`text: "{{ index .Secrets \"cookie-secret\" }}"`
			`csrf-cookie-secret:`
			`text: "{{ index .Secrets \"csrf-cookie-secret\" }}"`
			`admin-identity-ids:`
			`text: "{{ index .Secrets \"admin-identity-ids\" }}"`