sbbb/base/lasuite/vault-secrets.yaml

---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: vso-auth
  namespace: lasuite
spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: vso
    serviceAccount: default
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: seaweedfs-s3-credentials
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: seaweedfs
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: hive
    - kind: Deployment
      name: people-backend
    - kind: Deployment
      name: people-celery-worker
    - kind: Deployment
      name: people-celery-beat
    - kind: Deployment
      name: docs-backend
    - kind: Deployment
      name: docs-celery-worker
    - kind: Deployment
      name: docs-y-provider
    - kind: Deployment
      name: drive-backend
    - kind: Deployment
      name: drive-backend-celery-default
    - kind: Deployment
      name: meet-backend
    - kind: Deployment
      name: meet-celery-worker
    - kind: Deployment
      name: messages-backend
    - kind: Deployment
      name: messages-worker
    - kind: Deployment
      name: projects
  destination:
    name: seaweedfs-s3-credentials
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        S3_ACCESS_KEY:
          text: "{{ index .Secrets \"access-key\" }}"
        S3_SECRET_KEY:
          text: "{{ index .Secrets \"secret-key\" }}"
---
# Hive DB credentials from OpenBao database secrets engine (static role, 24h rotation).
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: hive-db-url
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/hive
  allowStaticCreds: true
  refreshAfter: 5m
  rolloutRestartTargets:
    - kind: Deployment
      name: hive
  destination:
    name: hive-db-url
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        url:
          text: "postgresql://{{ index .Secrets \"username\" }}:{{ index .Secrets \"password\" }}@postgres-rw.data.svc.cluster.local:5432/hive_db"
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: hive-oidc
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: hive
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: hive
  destination:
    name: hive-oidc
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        "client-id":
          text: "{{ index .Secrets \"oidc-client-id\" }}"
        "client-secret":
          text: "{{ index .Secrets \"oidc-client-secret\" }}"
---
# People DB credentials from OpenBao database secrets engine (static role, 24h rotation).
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: people-db-credentials
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/people
  allowStaticCreds: true
  refreshAfter: 5m
  rolloutRestartTargets:
    - kind: Deployment
      name: people-backend
    - kind: Deployment
      name: people-celery-worker
    - kind: Deployment
      name: people-celery-beat
  destination:
    name: people-db-credentials
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        password:
          text: "{{ index .Secrets \"password\" }}"
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: people-django-secret
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: people
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: people-backend
    - kind: Deployment
      name: people-celery-worker
    - kind: Deployment
      name: people-celery-beat
  destination:
    name: people-django-secret
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        DJANGO_SECRET_KEY:
          text: "{{ index .Secrets \"django-secret-key\" }}"
---
# Docs DB credentials from OpenBao database secrets engine (static role, 24h rotation).
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: docs-db-credentials
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/docs
  allowStaticCreds: true
  refreshAfter: 5m
  rolloutRestartTargets:
    - kind: Deployment
      name: docs-backend
    - kind: Deployment
      name: docs-celery-worker
    - kind: Deployment
      name: docs-y-provider
  destination:
    name: docs-db-credentials
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        password:
          text: "{{ index .Secrets \"password\" }}"
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: docs-django-secret
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: docs
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: docs-backend
    - kind: Deployment
      name: docs-celery-worker
    - kind: Deployment
      name: docs-y-provider
  destination:
    name: docs-django-secret
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        DJANGO_SECRET_KEY:
          text: "{{ index .Secrets \"django-secret-key\" }}"
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: docs-collaboration-secret
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: docs
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: docs-backend
    - kind: Deployment
      name: docs-y-provider
  destination:
    name: docs-collaboration-secret
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        secret:
          text: "{{ index .Secrets \"collaboration-secret\" }}"
---
# Meet DB credentials from OpenBao database secrets engine (static role, 24h rotation).
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: meet-db-credentials
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/meet
  allowStaticCreds: true
  refreshAfter: 5m
  rolloutRestartTargets:
    - kind: Deployment
      name: meet-backend
    - kind: Deployment
      name: meet-celery-worker
  destination:
    name: meet-db-credentials
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        password:
          text: "{{ index .Secrets \"password\" }}"
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: meet-django-secret
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: meet
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: meet-backend
    - kind: Deployment
      name: meet-celery-worker
  destination:
    name: meet-django-secret
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        DJANGO_SECRET_KEY:
          text: "{{ index .Secrets \"django-secret-key\" }}"
        APPLICATION_JWT_SECRET_KEY:
          text: "{{ index .Secrets \"application-jwt-secret-key\" }}"
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: meet-livekit
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: livekit
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: meet-backend
    - kind: Deployment
      name: meet-celery-worker
  destination:
    name: meet-livekit
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        LIVEKIT_API_KEY:
          text: "{{ index .Secrets \"api-key\" }}"
        LIVEKIT_API_SECRET:
          text: "{{ index .Secrets \"api-secret\" }}"
---
# Drive DB credentials from OpenBao database secrets engine (static role, 24h rotation).
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: drive-db-credentials
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/drive
  allowStaticCreds: true
  refreshAfter: 5m
  rolloutRestartTargets:
    - kind: Deployment
      name: drive-backend
    - kind: Deployment
      name: drive-backend-celery-default
  destination:
    name: drive-db-credentials
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        password:
          text: "{{ index .Secrets \"password\" }}"
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: drive-django-secret
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: drive
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: drive-backend
    - kind: Deployment
      name: drive-backend-celery-default
  destination:
    name: drive-django-secret
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        DJANGO_SECRET_KEY:
          text: "{{ index .Secrets \"django-secret-key\" }}"
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: collabora-credentials
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: collabora
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: collabora
  destination:
    name: collabora-credentials
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        username:
          text: "{{ index .Secrets \"username\" }}"
        password:
          text: "{{ index .Secrets \"password\" }}"
---
# Messages DB credentials from OpenBao database secrets engine (static role, 24h rotation).
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: messages-db-credentials
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/messages
  allowStaticCreds: true
  refreshAfter: 5m
  rolloutRestartTargets:
    - kind: Deployment
      name: messages-backend
    - kind: Deployment
      name: messages-worker
  destination:
    name: messages-db-credentials
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        password:
          text: "{{ index .Secrets \"password\" }}"
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: messages-django-secret
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: messages
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: messages-backend
    - kind: Deployment
      name: messages-worker
    - kind: Deployment
      name: messages-mta-in
  destination:
    name: messages-django-secret
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        DJANGO_SECRET_KEY:
          text: "{{ index .Secrets \"django-secret-key\" }}"
        SALT_KEY:
          text: "{{ index .Secrets \"salt-key\" }}"
        MDA_API_SECRET:
          text: "{{ index .Secrets \"mda-api-secret\" }}"
        OIDC_STORE_REFRESH_TOKEN_KEY:
          text: "{{ index .Secrets \"oidc-refresh-token-key\" }}"
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: messages-dkim-key
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: messages
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: messages-mpa
  destination:
    name: messages-dkim-key
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        dkim-private-key:
          text: "{{ index .Secrets \"dkim-private-key\" }}"
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: messages-mpa-credentials
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: messages
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: messages-mpa
  destination:
    name: messages-mpa-credentials
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        RSPAMD_password:
          text: "{{ index .Secrets \"rspamd-password\" }}"
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: messages-socks-credentials
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: messages
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: messages-socks-proxy
  destination:
    name: messages-socks-credentials
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        PROXY_USERS:
          text: "{{ index .Secrets \"socks-proxy-users\" }}"
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: messages-mta-out-credentials
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: messages
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: messages-mta-out
  destination:
    name: messages-mta-out-credentials
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        SMTP_USERNAME:
          text: "{{ index .Secrets \"mta-out-smtp-username\" }}"
        SMTP_PASSWORD:
          text: "{{ index .Secrets \"mta-out-smtp-password\" }}"
---
# Calendars DB credentials from OpenBao database secrets engine (static role, 24h rotation).
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: calendars-db-credentials
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/calendars
  allowStaticCreds: true
  refreshAfter: 5m
  rolloutRestartTargets:
    - kind: Deployment
      name: calendars-backend
    - kind: Deployment
      name: calendars-worker
    - kind: Deployment
      name: calendars-caldav
  destination:
    name: calendars-db-credentials
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        password:
          text: "{{ index .Secrets \"password\" }}"
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: calendars-django-secret
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: calendars
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: calendars-backend
    - kind: Deployment
      name: calendars-worker
    - kind: Deployment
      name: calendars-caldav
  destination:
    name: calendars-django-secret
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        DJANGO_SECRET_KEY:
          text: "{{ index .Secrets \"django-secret-key\" }}"
        SALT_KEY:
          text: "{{ index .Secrets \"salt-key\" }}"
        CALDAV_INBOUND_API_KEY:
          text: "{{ index .Secrets \"caldav-inbound-api-key\" }}"
        CALDAV_OUTBOUND_API_KEY:
          text: "{{ index .Secrets \"caldav-outbound-api-key\" }}"
        CALDAV_INTERNAL_API_KEY:
          text: "{{ index .Secrets \"caldav-internal-api-key\" }}"
---
# Projects DB credentials from OpenBao database secrets engine (static role, 24h rotation).
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: projects-db-url
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/projects
  allowStaticCreds: true
  refreshAfter: 5m
  rolloutRestartTargets:
    - kind: Deployment
      name: projects
  destination:
    name: projects-db-url
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        url:
          text: "postgresql://{{ index .Secrets \"username\" }}:{{ index .Secrets \"password\" }}@postgres-rw.data.svc.cluster.local:5432/projects_db"
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: projects-app-secrets
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: projects
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: projects
  destination:
    name: projects-app-secrets
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        SECRET_KEY:
          text: "{{ index .Secrets \"secret-key\" }}"
---
# Postfix DKIM signing key from OpenBao KV.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: postfix-dkim
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: postfix-dkim
  refreshAfter: 1h
  rolloutRestartTargets:
    - kind: Deployment
      name: postfix
  destination:
    name: postfix-dkim
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        private.key:
          text: "{{ index .Secrets \"private-key\" }}"
        selector:
          text: "{{ index .Secrets \"selector\" }}"