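---
# Dedicated ServiceAccount used only by the Vault Secrets Operator (VSO) to
# authenticate to OpenBao. The original manifest pointed VaultAuth at the
# namespace's `default` ServiceAccount: every pod in `stalwart` that omits
# `serviceAccountName` runs as `default`, so any of them could present a token
# accepted by the `vso` Kubernetes-auth role and read everything its policy
# grants (DB password, admin password, DKIM key, S3 keys). Binding the role to
# an account no workload runs as closes that path.
# NOTE(review): the OpenBao Kubernetes-auth role `vso` must list `vso-auth` in
# bound_service_account_names (it was previously bound to `default`); update
# the role before applying this change or VSO will fail to log in.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vso-auth
  namespace: stalwart
---
# VSO authentication: Kubernetes auth method mounted at `kubernetes`, role `vso`.
# VSO obtains a token for `serviceAccount` itself; no pod needs to run as it.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: vso-auth
  namespace: stalwart
spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: vso
    serviceAccount: vso-auth
---
# Stalwart DB credentials from the OpenBao database secrets engine
# (static role, 24h rotation).
# - `allowStaticCreds: true` is required for a `static-creds/*` path.
# - Every sync that changes the Secret triggers a rollout restart of the
#   `stalwart` Deployment, so a rotated password is picked up without manual
#   intervention.
# - `refreshAfter: 5m` presumably bounds how stale the in-cluster copy can be
#   after OpenBao rotates the password; confirm this window is acceptable
#   against the static role's rotation schedule.
# - `excludeRaw: true` keeps the full OpenBao response (lease data, username,
#   ttl) out of the Kubernetes Secret; only the templated `password` key is
#   written.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: stalwart-db-credentials
  namespace: stalwart
spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/stalwart
  allowStaticCreds: true
  refreshAfter: 5m
  rolloutRestartTargets:
    - kind: Deployment
      name: stalwart
  destination:
    name: stalwart-db-credentials
    create: true
    # overwrite: VSO takes ownership of a pre-existing Secret with this name
    # and replaces its contents.
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        password:
          text: '{{ index .Secrets "password" }}'
---
# Stalwart application secrets (admin password, DKIM private key) from the
# OpenBao KV v2 engine at secret/stalwart, polled every 30s.
# NOTE(review): unlike the DB credentials above there is no
# rolloutRestartTargets here. A rotated value in KV updates the Kubernetes
# Secret, but running pods only observe it if they read the mounted file
# (env-var consumers keep the old value until restarted) — confirm how Stalwart
# consumes `admin-password` and `dkim-private-key` and add a restart target if
# it reads them from the environment.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: stalwart-app-secrets
  namespace: stalwart
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: stalwart
  refreshAfter: 30s
  destination:
    name: stalwart-app-secrets
    create: true
    overwrite: true
    transformation:
      # Only the two templated keys are written; KV metadata is excluded.
      excludeRaw: true
      templates:
        admin-password:
          text: '{{ index .Secrets "admin-password" }}'
        dkim-private-key:
          text: '{{ index .Secrets "dkim-private-key" }}'
---
# SeaweedFS S3 credentials from KV v2 at secret/seaweedfs. These are the same
# keys synced into the `lasuite` namespace, so a compromise of a workload in
# either namespace exposes whatever both tenants can reach with this identity.
# NOTE(review): if SeaweedFS identities allow it, prefer a per-tenant access
# key (and its own KV path) with a policy scoped to Stalwart's bucket(s).
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: seaweedfs-s3-credentials
  namespace: stalwart
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: seaweedfs
  refreshAfter: 30s
  destination:
    name: seaweedfs-s3-credentials
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        S3_ACCESS_KEY:
          text: '{{ index .Secrets "access-key" }}'
        S3_SECRET_KEY:
          text: '{{ index .Secrets "secret-key" }}'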