feat(ory): replace hardcoded DSN + secrets with OpenBao DB engine + VSO
All Ory service credentials now flow from OpenBao through VSO instead of being hardcoded in Helm values or Deployment env vars.

Kratos:
- Remove config.dsn; flip secret.enabled=false with nameOverride pointing at kratos-app-secrets (a VSO-managed Secret with secretsDefault, secretsCookie, smtpConnectionURI).
- Inject DSN at runtime via deployment.extraEnv from kratos-db-creds (VaultDynamicSecret backed by OpenBao database static role, 24h rotation).

Hydra:
- Remove config.dsn; inject DSN via deployment.extraEnv from hydra-db-creds (VaultDynamicSecret, same rotation scheme).

Login UI:
- Replace hardcoded COOKIE_SECRET/CSRF_COOKIE_SECRET env var values with secretKeyRef reads from login-ui-secrets (VaultStaticSecret → secret/login-ui).

vault-secrets.yaml adds: VaultAuth, Hydra VSS, kratos-app-secrets VSS, login-ui-secrets VSS, kratos-db-creds VDS, hydra-db-creds VDS.
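How the kratos-db-creds path described above can be wired end to end, as an added illustration rather than the repository's own vault-secrets.yaml or Helm values; the namespace, VaultAuth role and service account, the auth and database mount names, the static-role name, the Postgres host and the env var names are assumptions:

```yaml
# Assumed: VSO is installed and authenticates to OpenBao via the Kubernetes auth method.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: ory-vault-auth          # assumed name
  namespace: ory                # assumed namespace
spec:
  method: kubernetes
  mount: kubernetes             # assumed auth mount path
  kubernetes:
    role: ory                   # assumed OpenBao role bound to the ory service account
    serviceAccount: default
---
# Static DB credentials: OpenBao owns the kratos DB user and rotates its password
# every 24h; VSO re-reads static-creds after each rotation and updates the Secret.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: kratos-db-creds
  namespace: ory
spec:
  vaultAuthRef: ory-vault-auth
  mount: database               # assumed database secrets engine mount
  path: static-creds/kratos     # assumed static role name
  destination:
    name: kratos-db-creds       # Secret with keys username/password
    create: true
  rolloutRestartTargets:        # restart Kratos so the new password is picked up
    - kind: Deployment
      name: kratos
---
# Kratos Helm values fragment (no config.dsn): the DSN is assembled at runtime
# from the VSO-managed Secret, so no credential lives in values or git.
deployment:
  extraEnv:
    - name: DB_USER
      valueFrom:
        secretKeyRef:
          name: kratos-db-creds
          key: username
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: kratos-db-creds
          key: password
    - name: DSN                 # Kratos reads its DSN from this env var
      value: postgres://$(DB_USER):$(DB_PASSWORD)@postgres:5432/kratos?sslmode=require
```

The `$(DB_USER)` and `$(DB_PASSWORD)` references are expanded by Kubernetes because those variables are defined earlier in the same env list.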
@@ -8,6 +8,7 @@ resources:
- login-ui-deployment.yaml
# Hydra chart CRDs are not rendered by helm template; apply manually.
- hydra-oauth2client-crd.yaml
- vault-secrets.yaml
# The hydra-maester sub-chart does not set .Release.Namespace in its Deployment template.
patches:
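Review bot: The new `- vault-secrets.yaml` entry has the same ordering dependency the comment above flags for the Hydra CRD: per the commit message it holds VaultAuth, VaultStaticSecret and VaultDynamicSecret objects, which only apply once the Vault Secrets Operator and its CRDs exist in the cluster, and the Deployments that read kratos-db-creds, hydra-db-creds and login-ui-secrets via secretKeyRef will sit in CreateContainerConfigError until VSO has synced those Secrets. Add a comment next to the entry, e.g. `# Requires the Vault Secrets Operator (CRDs + controller) to be installed first.`, so the prerequisite is as visible as the hydra-oauth2client-crd one.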