feat(ory): replace hardcoded DSN + secrets with OpenBao DB engine + VSO

All Ory service credentials now flow from OpenBao through VSO instead of being hardcoded in Helm values or Deployment env vars. Kratos: - Remove config.dsn; flip secret.enabled=false with nameOverride pointing at kratos-app-secrets (a VSO-managed Secret with secretsDefault, secretsCookie, smtpConnectionURI). - Inject DSN at runtime via deployment.extraEnv from kratos-db-creds (VaultDynamicSecret backed by OpenBao database static role, 24h rotation). Hydra: - Remove config.dsn; inject DSN via deployment.extraEnv from hydra-db-creds (VaultDynamicSecret, same rotation scheme). Login UI: - Replace hardcoded COOKIE_SECRET/CSRF_COOKIE_SECRET env var values with secretKeyRef reads from login-ui-secrets (VaultStaticSecret → secret/login-ui). vault-secrets.yaml adds: VaultAuth, Hydra VSS, kratos-app-secrets VSS, login-ui-secrets VSS, kratos-db-creds VDS, hydra-db-creds VDS.
2026-03-02 18:32:33 +00:00
parent 580eb3983e
commit c7b812dde8
5 changed files with 167 additions and 9 deletions
--- a/base/ory/login-ui-deployment.yaml
+++ b/base/ory/login-ui-deployment.yaml
@@ -30,11 +30,17 @@ spec:
            - name: PORT
              value: "3000"
            - name: COOKIE_SECRET
-              value: "localdev-cookie-secret"
+              valueFrom:
+                secretKeyRef:
+                  name: login-ui-secrets
+                  key: cookie-secret
            - name: CSRF_COOKIE_NAME
              value: "csrf"
            - name: CSRF_COOKIE_SECRET
-              value: "localdev-csrf-secret"
+              valueFrom:
+                secretKeyRef:
+                  name: login-ui-secrets
+                  key: csrf-cookie-secret
          resources:
            limits:
              memory: 256Mi