Sienna Meridian Satterwhite
ccfe8b877a
- Add Messages (email) service: backend, frontend, MTA in/out, MPA, SOCKS proxy, worker, DKIM config, and theme customization - Add Collabora deployment for document collaboration - Add Drive frontend nginx config and values - Add buildkitd namespace for in-cluster container builds - Add SeaweedFS remote sync and additional S3 buckets - Update vault secrets across namespaces (devtools, lasuite, media, monitoring, ory, storage) with expanded credential management - Update monitoring: rename grafana→metrics OAuth2Client, add Prometheus remote write and additional scrape configs - Update local/production overlays with resource patches - Remove stale login-ui resource patch from production overlay
90 lines
2.0 KiB
YAML
90 lines
2.0 KiB
YAML
---
|
|
apiVersion: secrets.hashicorp.com/v1beta1
|
|
kind: VaultAuth
|
|
metadata:
|
|
name: vso-auth
|
|
namespace: devtools
|
|
spec:
|
|
method: kubernetes
|
|
mount: kubernetes
|
|
kubernetes:
|
|
role: vso
|
|
serviceAccount: default
|
|
---
|
|
# Gitea DB credentials from OpenBao database secrets engine (static role, 24h rotation).
|
|
apiVersion: secrets.hashicorp.com/v1beta1
|
|
kind: VaultDynamicSecret
|
|
metadata:
|
|
name: gitea-db-credentials
|
|
namespace: devtools
|
|
spec:
|
|
vaultAuthRef: vso-auth
|
|
mount: database
|
|
path: static-creds/gitea
|
|
allowStaticCreds: true
|
|
refreshAfter: 5m
|
|
rolloutRestartTargets:
|
|
- kind: Deployment
|
|
name: gitea
|
|
destination:
|
|
name: gitea-db-credentials
|
|
create: true
|
|
overwrite: true
|
|
transformation:
|
|
excludeRaw: true
|
|
templates:
|
|
password:
|
|
text: "{{ index .Secrets \"password\" }}"
|
|
---
|
|
apiVersion: secrets.hashicorp.com/v1beta1
|
|
kind: VaultStaticSecret
|
|
metadata:
|
|
name: gitea-s3-credentials
|
|
namespace: devtools
|
|
spec:
|
|
vaultAuthRef: vso-auth
|
|
mount: secret
|
|
type: kv-v2
|
|
path: seaweedfs
|
|
refreshAfter: 30s
|
|
rolloutRestartTargets:
|
|
- kind: Deployment
|
|
name: gitea
|
|
destination:
|
|
name: gitea-s3-credentials
|
|
create: true
|
|
overwrite: true
|
|
transformation:
|
|
excludeRaw: true
|
|
templates:
|
|
"access-key":
|
|
text: "{{ index .Secrets \"access-key\" }}"
|
|
"secret-key":
|
|
text: "{{ index .Secrets \"secret-key\" }}"
|
|
---
|
|
apiVersion: secrets.hashicorp.com/v1beta1
|
|
kind: VaultStaticSecret
|
|
metadata:
|
|
name: gitea-admin-credentials
|
|
namespace: devtools
|
|
spec:
|
|
vaultAuthRef: vso-auth
|
|
mount: secret
|
|
type: kv-v2
|
|
path: gitea
|
|
refreshAfter: 30s
|
|
rolloutRestartTargets:
|
|
- kind: Deployment
|
|
name: gitea
|
|
destination:
|
|
name: gitea-admin-credentials
|
|
create: true
|
|
overwrite: true
|
|
transformation:
|
|
excludeRaw: true
|
|
templates:
|
|
username:
|
|
text: "{{ index .Secrets \"admin-username\" }}"
|
|
password:
|
|
text: "{{ index .Secrets \"admin-password\" }}"
|