---
# Vault Secrets Operator (VSO) auth used by every secret object below via `vaultAuthRef: vso-auth`.
# NOTE(review): this authenticates with the namespace's `default` ServiceAccount, so any pod
# running under that SA shares the Vault identity bound to role `vso`; a dedicated SA is the
# least-privilege option. Left unchanged here because the role binding lives on the Vault side.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: vso-auth
  namespace: ory
spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: vso
    serviceAccount: default
---
# Hydra app secrets (non-rotating). DSN comes from VaultDynamicSecret hydra-db-creds.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: hydra
  namespace: ory
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: hydra
  refreshAfter: 30s  # poll interval for the KV entry
  rolloutRestartTargets:
    - kind: Deployment
      name: hydra
  destination:
    name: hydra
    create: true
    # overwrite lets VSO take ownership of a pre-existing Secret of the same name;
    # presumably nothing else (e.g. a chart) manages it — verify before relying on that.
    overwrite: true
  transformation:
    # keep the _raw dump of the whole KV entry out of the rendered Secret
    excludeRaw: true
    templates:
      # Secret key names (mixed camelCase / kebab-case) presumably mirror what the hydra
      # Deployment references; verify against the workload before renaming any of them.
      secretsSystem:
        text: "{{ index .Secrets \"system-secret\" }}"
      secretsCookie:
        text: "{{ index .Secrets \"cookie-secret\" }}"
      pairwise-salt:
        text: "{{ index .Secrets \"pairwise-salt\" }}"
---
# Kratos non-rotating encryption keys. DSN comes from VaultDynamicSecret kratos-db-creds.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: kratos-app-secrets
  namespace: ory
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: kratos
  refreshAfter: 30s  # poll interval for the KV entry
  rolloutRestartTargets:
    - kind: Deployment
      name: kratos
    - kind: StatefulSet
      name: kratos-courier
  destination:
    name: kratos-app-secrets
    create: true
    overwrite: true
  transformation:
    excludeRaw: true
    templates:
      secretsDefault:
        text: "{{ index .Secrets \"secrets-default\" }}"
      secretsCookie:
        text: "{{ index .Secrets \"secrets-cookie\" }}"
      # the SMTP URI is treated as a secret because it carries the mail relay credentials
      smtpConnectionURI:
        text: "{{ index .Secrets \"smtp-connection-uri\" }}"
---
# Kratos DB credentials from OpenBao database secrets engine (static role, 24h rotation).
# refreshAfter is how often VSO re-reads the static-creds endpoint; the rotation period
# itself is configured on the static role in OpenBao, not in this object.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: kratos-db-creds
  namespace: ory
spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/kratos
  allowStaticCreds: true  # required for static-creds paths (no lease to renew)
  refreshAfter: 5m
  rolloutRestartTargets:
    - kind: Deployment
      name: kratos
    - kind: StatefulSet
      name: kratos-courier
  destination:
    name: kratos-db-creds
    create: true
    overwrite: true
  transformation:
    excludeRaw: true
    templates:
      dsn:
        # NOTE(review): sslmode=disable sends the rotated credentials in clear text on the
        # in-cluster hop to postgres-rw. If the Postgres service terminates TLS, prefer
        # sslmode=require (or verify-full with the CA mounted). Left as-is pending confirmation
        # of what postgres-rw.data offers; the same applies to hydra-db-creds below.
        text: "postgresql://{{ index .Secrets \"username\" }}:{{ index .Secrets \"password\" }}@postgres-rw.data.svc.cluster.local:5432/kratos_db?sslmode=disable"
---
# Hydra DB credentials from OpenBao database secrets engine (static role, 24h rotation).
# Same shape as kratos-db-creds; only the role path, restart target and database differ.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: hydra-db-creds
  namespace: ory
spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/hydra
  allowStaticCreds: true  # required for static-creds paths (no lease to renew)
  refreshAfter: 5m
  rolloutRestartTargets:
    - kind: Deployment
      name: hydra
  destination:
    name: hydra-db-creds
    create: true
    overwrite: true
  transformation:
    excludeRaw: true
    templates:
      dsn:
        # NOTE(review): sslmode=disable — see the note on kratos-db-creds; confirm whether
        # postgres-rw.data serves TLS before tightening this.
        text: "postgresql://{{ index .Secrets \"username\" }}:{{ index .Secrets \"password\" }}@postgres-rw.data.svc.cluster.local:5432/hydra_db?sslmode=disable"
---
# Kratos Admin UI secrets.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: kratos-admin-ui-secrets
  namespace: ory
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: kratos-admin
  refreshAfter: 30s  # poll interval for the KV entry
  rolloutRestartTargets:
    - kind: Deployment
      name: kratos-admin-ui
  destination:
    name: kratos-admin-ui-secrets
    create: true
    overwrite: true
  transformation:
    excludeRaw: true
    templates:
      cookie-secret:
        text: "{{ index .Secrets \"cookie-secret\" }}"
      csrf-cookie-secret:
        text: "{{ index .Secrets \"csrf-cookie-secret\" }}"
      # list of identity IDs granted admin access — presumably read by the UI at startup; verify
      admin-identity-ids:
        text: "{{ index .Secrets \"admin-identity-ids\" }}"
      # S3 credentials are static KV values here; they are not rotated by this object
      s3-access-key:
        text: "{{ index .Secrets \"s3-access-key\" }}"
      s3-secret-key:
        text: "{{ index .Secrets \"s3-secret-key\" }}"