base/storage/vault-secrets.yaml

---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: vso-auth
  namespace: storage
spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: vso
    serviceAccount: default
---
# Scaleway S3 credentials for SeaweedFS remote sync.
# Same KV path as barman; synced separately so storage namespace has its own Secret.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: scaleway-s3-creds
  namespace: storage
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: scaleway-s3
  refreshAfter: 30s
  destination:
    name: scaleway-s3-creds
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        ACCESS_KEY_ID:
          text: "{{ index .Secrets \"access-key-id\" }}"
        SECRET_ACCESS_KEY:
          text: "{{ index .Secrets \"secret-access-key\" }}"
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: seaweedfs-s3-credentials
  namespace: storage
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: seaweedfs
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: seaweedfs-filer
  destination:
    name: seaweedfs-s3-credentials
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        S3_ACCESS_KEY:
          text: "{{ index .Secrets \"access-key\" }}"
        S3_SECRET_KEY:
          text: "{{ index .Secrets \"secret-key\" }}"
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: seaweedfs-s3-json
  namespace: storage
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: seaweedfs
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: seaweedfs-filer
  destination:
    name: seaweedfs-s3-json
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        "s3.json":
          text: '{"identities":[{"name":"seaweed","credentials":[{"accessKey":"{{ index .Secrets "access-key" }}","secretKey":"{{ index .Secrets "secret-key" }}"}],"actions":["Admin","Read","Write","List","Tagging"]}]}'
feat(storage): migrate SeaweedFS S3 credentials to VSO; mount s3.json from Secret Previously s3.json was embedded in the seaweedfs-filer-config ConfigMap with hardcoded minioadmin credentials, and the config volume was mounted at /etc/seaweedfs/ (overwriting filer.toml with its own directory mount). - Remove s3.json from ConfigMap; fix the config volume to mount only filer.toml via subPath so both files coexist under /etc/seaweedfs/. - Add vault-secrets.yaml with VaultStaticSecrets that VSO syncs from OpenBao secret/seaweedfs: seaweedfs-s3-credentials (S3_ACCESS_KEY / S3_SECRET_KEY) and seaweedfs-s3-json (s3.json as a JSON template). - Mount seaweedfs-s3-json Secret at /etc/seaweedfs/s3.json via subPath. 2026-03-02 18:32:16 +00:00			`---`
			`apiVersion: secrets.hashicorp.com/v1beta1`
			`kind: VaultAuth`
			`metadata:`
			`name: vso-auth`
			`namespace: storage`
			`spec:`
			`method: kubernetes`
			`mount: kubernetes`
			`kubernetes:`
			`role: vso`
			`serviceAccount: default`
			`---`
feat: La Suite email/messages, buildkitd, monitoring, vault and storage updates - Add Messages (email) service: backend, frontend, MTA in/out, MPA, SOCKS proxy, worker, DKIM config, and theme customization - Add Collabora deployment for document collaboration - Add Drive frontend nginx config and values - Add buildkitd namespace for in-cluster container builds - Add SeaweedFS remote sync and additional S3 buckets - Update vault secrets across namespaces (devtools, lasuite, media, monitoring, ory, storage) with expanded credential management - Update monitoring: rename grafana→metrics OAuth2Client, add Prometheus remote write and additional scrape configs - Update local/production overlays with resource patches - Remove stale login-ui resource patch from production overlay 2026-03-10 19:00:57 +00:00			`# Scaleway S3 credentials for SeaweedFS remote sync.`
			`# Same KV path as barman; synced separately so storage namespace has its own Secret.`
			`apiVersion: secrets.hashicorp.com/v1beta1`
			`kind: VaultStaticSecret`
			`metadata:`
			`name: scaleway-s3-creds`
			`namespace: storage`
			`spec:`
			`vaultAuthRef: vso-auth`
			`mount: secret`
			`type: kv-v2`
			`path: scaleway-s3`
			`refreshAfter: 30s`
			`destination:`
			`name: scaleway-s3-creds`
			`create: true`
			`overwrite: true`
			`transformation:`
			`excludeRaw: true`
			`templates:`
			`ACCESS_KEY_ID:`
			`text: "{{ index .Secrets \"access-key-id\" }}"`
			`SECRET_ACCESS_KEY:`
			`text: "{{ index .Secrets \"secret-access-key\" }}"`
			`---`
feat(storage): migrate SeaweedFS S3 credentials to VSO; mount s3.json from Secret Previously s3.json was embedded in the seaweedfs-filer-config ConfigMap with hardcoded minioadmin credentials, and the config volume was mounted at /etc/seaweedfs/ (overwriting filer.toml with its own directory mount). - Remove s3.json from ConfigMap; fix the config volume to mount only filer.toml via subPath so both files coexist under /etc/seaweedfs/. - Add vault-secrets.yaml with VaultStaticSecrets that VSO syncs from OpenBao secret/seaweedfs: seaweedfs-s3-credentials (S3_ACCESS_KEY / S3_SECRET_KEY) and seaweedfs-s3-json (s3.json as a JSON template). - Mount seaweedfs-s3-json Secret at /etc/seaweedfs/s3.json via subPath. 2026-03-02 18:32:16 +00:00			`apiVersion: secrets.hashicorp.com/v1beta1`
			`kind: VaultStaticSecret`
			`metadata:`
			`name: seaweedfs-s3-credentials`
			`namespace: storage`
			`spec:`
			`vaultAuthRef: vso-auth`
			`mount: secret`
			`type: kv-v2`
			`path: seaweedfs`
			`refreshAfter: 30s`
feat: La Suite email/messages, buildkitd, monitoring, vault and storage updates - Add Messages (email) service: backend, frontend, MTA in/out, MPA, SOCKS proxy, worker, DKIM config, and theme customization - Add Collabora deployment for document collaboration - Add Drive frontend nginx config and values - Add buildkitd namespace for in-cluster container builds - Add SeaweedFS remote sync and additional S3 buckets - Update vault secrets across namespaces (devtools, lasuite, media, monitoring, ory, storage) with expanded credential management - Update monitoring: rename grafana→metrics OAuth2Client, add Prometheus remote write and additional scrape configs - Update local/production overlays with resource patches - Remove stale login-ui resource patch from production overlay 2026-03-10 19:00:57 +00:00			`rolloutRestartTargets:`
			`- kind: Deployment`
			`name: seaweedfs-filer`
feat(storage): migrate SeaweedFS S3 credentials to VSO; mount s3.json from Secret Previously s3.json was embedded in the seaweedfs-filer-config ConfigMap with hardcoded minioadmin credentials, and the config volume was mounted at /etc/seaweedfs/ (overwriting filer.toml with its own directory mount). - Remove s3.json from ConfigMap; fix the config volume to mount only filer.toml via subPath so both files coexist under /etc/seaweedfs/. - Add vault-secrets.yaml with VaultStaticSecrets that VSO syncs from OpenBao secret/seaweedfs: seaweedfs-s3-credentials (S3_ACCESS_KEY / S3_SECRET_KEY) and seaweedfs-s3-json (s3.json as a JSON template). - Mount seaweedfs-s3-json Secret at /etc/seaweedfs/s3.json via subPath. 2026-03-02 18:32:16 +00:00			`destination:`
			`name: seaweedfs-s3-credentials`
			`create: true`
			`overwrite: true`
			`transformation:`
			`excludeRaw: true`
			`templates:`
			`S3_ACCESS_KEY:`
			`text: "{{ index .Secrets \"access-key\" }}"`
			`S3_SECRET_KEY:`
			`text: "{{ index .Secrets \"secret-key\" }}"`
			`---`
			`apiVersion: secrets.hashicorp.com/v1beta1`
			`kind: VaultStaticSecret`
			`metadata:`
			`name: seaweedfs-s3-json`
			`namespace: storage`
			`spec:`
			`vaultAuthRef: vso-auth`
			`mount: secret`
			`type: kv-v2`
			`path: seaweedfs`
			`refreshAfter: 30s`
feat: La Suite email/messages, buildkitd, monitoring, vault and storage updates - Add Messages (email) service: backend, frontend, MTA in/out, MPA, SOCKS proxy, worker, DKIM config, and theme customization - Add Collabora deployment for document collaboration - Add Drive frontend nginx config and values - Add buildkitd namespace for in-cluster container builds - Add SeaweedFS remote sync and additional S3 buckets - Update vault secrets across namespaces (devtools, lasuite, media, monitoring, ory, storage) with expanded credential management - Update monitoring: rename grafana→metrics OAuth2Client, add Prometheus remote write and additional scrape configs - Update local/production overlays with resource patches - Remove stale login-ui resource patch from production overlay 2026-03-10 19:00:57 +00:00			`rolloutRestartTargets:`
			`- kind: Deployment`
			`name: seaweedfs-filer`
feat(storage): migrate SeaweedFS S3 credentials to VSO; mount s3.json from Secret Previously s3.json was embedded in the seaweedfs-filer-config ConfigMap with hardcoded minioadmin credentials, and the config volume was mounted at /etc/seaweedfs/ (overwriting filer.toml with its own directory mount). - Remove s3.json from ConfigMap; fix the config volume to mount only filer.toml via subPath so both files coexist under /etc/seaweedfs/. - Add vault-secrets.yaml with VaultStaticSecrets that VSO syncs from OpenBao secret/seaweedfs: seaweedfs-s3-credentials (S3_ACCESS_KEY / S3_SECRET_KEY) and seaweedfs-s3-json (s3.json as a JSON template). - Mount seaweedfs-s3-json Secret at /etc/seaweedfs/s3.json via subPath. 2026-03-02 18:32:16 +00:00			`destination:`
			`name: seaweedfs-s3-json`
			`create: true`
			`overwrite: true`
			`transformation:`
			`excludeRaw: true`
			`templates:`
			`"s3.json":`
			`text: '{"identities":[{"name":"seaweed","credentials":[{"accessKey":"{{ index .Secrets "access-key" }}","secretKey":"{{ index .Secrets "secret-key" }}"}],"actions":["Admin","Read","Write","List","Tagging"]}]}'`