---
# Login identity used by every Vault* resource below (vaultAuthRef: vso-auth).
# NOTE(review): this binds the `vso` Kubernetes-auth role to the namespace's
# `default` service account, so any pod in `lasuite` running under that SA
# carries the same Vault identity as the operator. A dedicated SA for VSO is
# the tighter choice — confirm the role's bound SA on the Vault side before
# changing this value.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: vso-auth
  namespace: lasuite
spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: vso
    serviceAccount: default
---
# Shared SeaweedFS S3 key pair, synced from KV-v2 `secret/seaweedfs`.
# Every Deployment listed under rolloutRestartTargets is restarted when the
# rendered Secret changes; excludeRaw keeps the unrendered KV payload out of it.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: seaweedfs-s3-credentials
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: seaweedfs
  # Sync interval against the KV mount.
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: hive
    - kind: Deployment
      name: people-backend
    - kind: Deployment
      name: people-celery-worker
    - kind: Deployment
      name: people-celery-beat
    - kind: Deployment
      name: docs-backend
    - kind: Deployment
      name: docs-celery-worker
    - kind: Deployment
      name: docs-y-provider
    - kind: Deployment
      name: drive-backend
    - kind: Deployment
      name: drive-backend-celery-default
    - kind: Deployment
      name: meet-backend
    - kind: Deployment
      name: meet-celery-worker
    - kind: Deployment
      name: messages-backend
    - kind: Deployment
      name: messages-worker
    - kind: Deployment
      name: projects
  destination:
    name: seaweedfs-s3-credentials
    create: true
    # Take over an existing Secret of the same name rather than failing.
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        S3_ACCESS_KEY:
          text: '{{ index .Secrets "access-key" }}'
        S3_SECRET_KEY:
          text: '{{ index .Secrets "secret-key" }}'
---
# Hive DB credentials from OpenBao database secrets engine (static role, 24h rotation).
# Full PostgreSQL DSN for Hive, rendered from the `static-creds/hive` role.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: hive-db-url
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/hive
  # Static roles are served from static-creds/; the operator needs this flag to sync them.
  allowStaticCreds: true
  refreshAfter: 5m
  rolloutRestartTargets:
    - kind: Deployment
      name: hive
  destination:
    name: hive-db-url
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        # NOTE(review): username/password are interpolated into the URL
        # unescaped; this relies on the role's password policy never producing
        # URL-reserved characters (`@`, `:`, `/`, `#`, `%`) — confirm.
        url:
          text: 'postgresql://{{ index .Secrets "username" }}:{{ index .Secrets "password" }}@postgres-rw.data.svc.cluster.local:5432/hive_db'
---
# Hive OIDC client credentials from KV-v2 `secret/hive`.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: hive-oidc
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: hive
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: hive
  destination:
    name: hive-oidc
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        client-id:
          text: '{{ index .Secrets "oidc-client-id" }}'
        client-secret:
          text: '{{ index .Secrets "oidc-client-secret" }}'
---
# People DB credentials from OpenBao database secrets engine (static role, 24h rotation).
# Only the password is exposed for People; the username is set elsewhere.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: people-db-credentials
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/people
  allowStaticCreds: true
  refreshAfter: 5m
  # All three People workloads share the DB role, so all are restarted on rotation.
  rolloutRestartTargets:
    - kind: Deployment
      name: people-backend
    - kind: Deployment
      name: people-celery-worker
    - kind: Deployment
      name: people-celery-beat
  destination:
    name: people-db-credentials
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        password:
          text: '{{ index .Secrets "password" }}'
---
# Django signing key for People from KV-v2 `secret/people`.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: people-django-secret
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: people
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: people-backend
    - kind: Deployment
      name: people-celery-worker
    - kind: Deployment
      name: people-celery-beat
  destination:
    name: people-django-secret
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        DJANGO_SECRET_KEY:
          text: '{{ index .Secrets "django-secret-key" }}'
---
# Docs DB credentials from OpenBao database secrets engine (static role, 24h rotation).
# Docs DB password from the `static-creds/docs` role.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: docs-db-credentials
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/docs
  allowStaticCreds: true
  refreshAfter: 5m
  rolloutRestartTargets:
    - kind: Deployment
      name: docs-backend
    - kind: Deployment
      name: docs-celery-worker
    - kind: Deployment
      name: docs-y-provider
  destination:
    name: docs-db-credentials
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        password:
          text: '{{ index .Secrets "password" }}'
---
# Django signing key for Docs. Both this resource and docs-collaboration-secret
# read the same KV path (`secret/docs`) but render separate Secrets.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: docs-django-secret
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: docs
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: docs-backend
    - kind: Deployment
      name: docs-celery-worker
    - kind: Deployment
      name: docs-y-provider
  destination:
    name: docs-django-secret
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        DJANGO_SECRET_KEY:
          text: '{{ index .Secrets "django-secret-key" }}'
---
# Shared secret between the Docs backend and the y-provider collaboration server.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: docs-collaboration-secret
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: docs
  refreshAfter: 30s
  # The celery worker is deliberately not listed here; only the two peers
  # that exchange this secret are restarted.
  rolloutRestartTargets:
    - kind: Deployment
      name: docs-backend
    - kind: Deployment
      name: docs-y-provider
  destination:
    name: docs-collaboration-secret
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        secret:
          text: '{{ index .Secrets "collaboration-secret" }}'
---
# Meet DB credentials from OpenBao database secrets engine (static role, 24h rotation).
# Meet DB password from the `static-creds/meet` role.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: meet-db-credentials
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/meet
  allowStaticCreds: true
  refreshAfter: 5m
  rolloutRestartTargets:
    - kind: Deployment
      name: meet-backend
    - kind: Deployment
      name: meet-celery-worker
  destination:
    name: meet-db-credentials
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        password:
          text: '{{ index .Secrets "password" }}'
---
# Meet application keys: Django signing key plus the JWT key used by the app.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: meet-django-secret
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: meet
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: meet-backend
    - kind: Deployment
      name: meet-celery-worker
  destination:
    name: meet-django-secret
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        DJANGO_SECRET_KEY:
          text: '{{ index .Secrets "django-secret-key" }}'
        APPLICATION_JWT_SECRET_KEY:
          text: '{{ index .Secrets "application-jwt-secret-key" }}'
---
# LiveKit API key pair for Meet, read from its own KV path `secret/livekit`.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: meet-livekit
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: livekit
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: meet-backend
    - kind: Deployment
      name: meet-celery-worker
  destination:
    name: meet-livekit
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        LIVEKIT_API_KEY:
          text: '{{ index .Secrets "api-key" }}'
        LIVEKIT_API_SECRET:
          text: '{{ index .Secrets "api-secret" }}'
---
# Drive DB credentials from OpenBao database secrets engine (static role, 24h rotation).
# Drive DB password from the `static-creds/drive` role.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: drive-db-credentials
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/drive
  allowStaticCreds: true
  refreshAfter: 5m
  rolloutRestartTargets:
    - kind: Deployment
      name: drive-backend
    - kind: Deployment
      name: drive-backend-celery-default
  destination:
    name: drive-db-credentials
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        password:
          text: '{{ index .Secrets "password" }}'
---
# Django signing key for Drive from KV-v2 `secret/drive`.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: drive-django-secret
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: drive
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: drive-backend
    - kind: Deployment
      name: drive-backend-celery-default
  destination:
    name: drive-django-secret
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        DJANGO_SECRET_KEY:
          text: '{{ index .Secrets "django-secret-key" }}'
---
# Collabora admin username/password from KV-v2 `secret/collabora`.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: collabora-credentials
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: collabora
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: collabora
  destination:
    name: collabora-credentials
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        username:
          text: '{{ index .Secrets "username" }}'
        password:
          text: '{{ index .Secrets "password" }}'
---
# Messages DB credentials from OpenBao database secrets engine (static role, 24h rotation).
# Messages DB password from the `static-creds/messages` role.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: messages-db-credentials
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/messages
  allowStaticCreds: true
  refreshAfter: 5m
  rolloutRestartTargets:
    - kind: Deployment
      name: messages-backend
    - kind: Deployment
      name: messages-worker
  destination:
    name: messages-db-credentials
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        password:
          text: '{{ index .Secrets "password" }}'
---
# Messages application keys. The KV path `secret/messages` is shared by the
# five VaultStaticSecret resources below; each renders only the keys it names.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: messages-django-secret
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: messages
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: messages-backend
    - kind: Deployment
      name: messages-worker
    - kind: Deployment
      name: messages-mta-in
  destination:
    name: messages-django-secret
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        DJANGO_SECRET_KEY:
          text: '{{ index .Secrets "django-secret-key" }}'
        SALT_KEY:
          text: '{{ index .Secrets "salt-key" }}'
        MDA_API_SECRET:
          text: '{{ index .Secrets "mda-api-secret" }}'
        OIDC_STORE_REFRESH_TOKEN_KEY:
          text: '{{ index .Secrets "oidc-refresh-token-key" }}'
---
# DKIM private key consumed by the MPA (mail processing agent).
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: messages-dkim-key
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: messages
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: messages-mpa
  destination:
    name: messages-dkim-key
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        dkim-private-key:
          text: '{{ index .Secrets "dkim-private-key" }}'
---
# rspamd password for the MPA.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: messages-mpa-credentials
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: messages
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: messages-mpa
  destination:
    name: messages-mpa-credentials
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        # NOTE(review): mixed-case key is presumably what the messages-mpa
        # Deployment maps into its environment — confirm before normalising.
        RSPAMD_password:
          text: '{{ index .Secrets "rspamd-password" }}'
---
# User list for the outbound SOCKS proxy.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: messages-socks-credentials
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: messages
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: messages-socks-proxy
  destination:
    name: messages-socks-credentials
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        PROXY_USERS:
          text: '{{ index .Secrets "socks-proxy-users" }}'
---
# SMTP relay credentials for the outbound MTA.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: messages-mta-out-credentials
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: messages
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: messages-mta-out
  destination:
    name: messages-mta-out-credentials
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        SMTP_USERNAME:
          text: '{{ index .Secrets "mta-out-smtp-username" }}'
        SMTP_PASSWORD:
          text: '{{ index .Secrets "mta-out-smtp-password" }}'
---
# Calendars DB credentials from OpenBao database secrets engine (static role, 24h rotation).
# Calendars DB password from the `static-creds/calendars` role.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: calendars-db-credentials
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/calendars
  allowStaticCreds: true
  refreshAfter: 5m
  rolloutRestartTargets:
    - kind: Deployment
      name: calendars-backend
    - kind: Deployment
      name: calendars-worker
    - kind: Deployment
      name: calendars-caldav
  destination:
    name: calendars-db-credentials
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        password:
          text: '{{ index .Secrets "password" }}'
---
# Calendars application keys, including the three CalDAV API keys.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: calendars-django-secret
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: calendars
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: calendars-backend
    - kind: Deployment
      name: calendars-worker
    - kind: Deployment
      name: calendars-caldav
  destination:
    name: calendars-django-secret
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        DJANGO_SECRET_KEY:
          text: '{{ index .Secrets "django-secret-key" }}'
        SALT_KEY:
          text: '{{ index .Secrets "salt-key" }}'
        CALDAV_INBOUND_API_KEY:
          text: '{{ index .Secrets "caldav-inbound-api-key" }}'
        CALDAV_OUTBOUND_API_KEY:
          text: '{{ index .Secrets "caldav-outbound-api-key" }}'
        CALDAV_INTERNAL_API_KEY:
          text: '{{ index .Secrets "caldav-internal-api-key" }}'
---
# Projects DB credentials from OpenBao database secrets engine (static role, 24h rotation).
# Full PostgreSQL DSN for Projects, rendered from the `static-creds/projects` role.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: projects-db-url
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/projects
  allowStaticCreds: true
  refreshAfter: 5m
  rolloutRestartTargets:
    - kind: Deployment
      name: projects
  destination:
    name: projects-db-url
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        # NOTE(review): same unescaped interpolation as hive-db-url — the DSN
        # breaks if the generated password contains URL-reserved characters.
        url:
          text: 'postgresql://{{ index .Secrets "username" }}:{{ index .Secrets "password" }}@postgres-rw.data.svc.cluster.local:5432/projects_db'
---
# Projects application secret key from KV-v2 `secret/projects`.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: projects-app-secrets
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: projects
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: projects
  destination:
    name: projects-app-secrets
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        SECRET_KEY:
          text: '{{ index .Secrets "secret-key" }}'
---
# Postfix DKIM signing key from OpenBao KV.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: postfix-dkim
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: postfix-dkim
  # Longer sync interval than the application secrets above (1h vs 30s).
  refreshAfter: 1h
  rolloutRestartTargets:
    - kind: Deployment
      name: postfix
  destination:
    name: postfix-dkim
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        # Rendered as a file-like key so it can be mounted directly as private.key.
        private.key:
          text: '{{ index .Secrets "private-key" }}'
        selector:
          text: '{{ index .Secrets "selector" }}'