sbbb/base/lasuite/vault-secrets.yaml
Sienna Meridian Satterwhite 3c7460f4a6 feat(lasuite): add calendars service deployment manifests
Add K8s manifests for calendars backend, frontend (Caddy), CalDAV
server, and Celery worker. Wire Pingora routing for cal.sunbeam.pt
with path-based backend/caldav/static splits. Add OAuth2Client for
OIDC, VaultDynamicSecret for DB credentials, VaultStaticSecret for
Django/CalDAV keys, and TLS cert coverage for the cal subdomain.
Register calendars in the integration service gaufre widget.
2026-03-18 18:36:05 +00:00


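---
# Vault Secrets Operator (VSO) resources for the lasuite namespace: one VaultAuth
# plus, per service, VaultStaticSecret (kv-v2) and VaultDynamicSecret (database
# engine) objects. Each one renders a Kubernetes Secret from templated keys and
# rolling-restarts the listed Deployments when the value changes. Every secret in
# this file sets transformation.excludeRaw, so the Secret carries only the
# templated keys and not the raw Vault/OpenBao response.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: vso-auth
  namespace: lasuite
spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: vso
    # NOTE(review): the auth role is bound to the namespace's `default`
    # ServiceAccount. Any pod in lasuite that runs as `default` with an
    # automounted token can therefore log in as role `vso` and presumably read
    # every path referenced in this file (the role's policy is not visible here).
    # A dedicated ServiceAccount used only by VSO, with the Vault-side role
    # binding updated to match, would narrow that; changing the name here alone
    # would break authentication, so it is left as is.
    serviceAccount: default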
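---
# One SeaweedFS S3 access/secret key pair from kv-v2 `secret/seaweedfs`, shared by
# every object-storage-backed Deployment listed below.
# NOTE(review): a single key pair for all services means a leak from any one of
# them exposes every service's objects; per-service keys (or bucket-scoped
# policies) would limit the blast radius. The calendars Deployments added in this
# commit are not restart targets here — confirm whether calendars needs S3.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: seaweedfs-s3-credentials
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: seaweedfs
  # Poll interval for kv-v2; a changed value triggers the rollout restarts below.
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: hive
    - kind: Deployment
      name: people-backend
    - kind: Deployment
      name: people-celery-worker
    - kind: Deployment
      name: people-celery-beat
    - kind: Deployment
      name: docs-backend
    - kind: Deployment
      name: docs-celery-worker
    - kind: Deployment
      name: docs-y-provider
    - kind: Deployment
      name: drive-backend
    - kind: Deployment
      name: drive-backend-celery-default
    - kind: Deployment
      name: meet-backend
    - kind: Deployment
      name: meet-celery-worker
    - kind: Deployment
      name: messages-backend
    - kind: Deployment
      name: messages-worker
  destination:
    name: seaweedfs-s3-credentials
    create: true
    overwrite: true
    transformation:
      # Drop the raw Vault response; only the keys templated below land in the Secret.
      excludeRaw: true
      templates:
        S3_ACCESS_KEY:
          text: '{{ index .Secrets "access-key" }}'
        S3_SECRET_KEY:
          text: '{{ index .Secrets "secret-key" }}'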
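---
# Hive DB credentials from OpenBao database secrets engine (static role, 24h rotation).
# Rendered as a complete PostgreSQL connection URL rather than separate fields.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: hive-db-url
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/hive
  # Required for reading static-role credentials (no lease to renew).
  allowStaticCreds: true
  # VSO poll interval; the 24h rotation itself happens in the database engine.
  refreshAfter: 5m
  rolloutRestartTargets:
    - kind: Deployment
      name: hive
  destination:
    name: hive-db-url
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        url:
          # NOTE(review): username and password are interpolated unescaped into
          # the URL userinfo. This relies on the engine's password policy never
          # emitting URL-reserved characters (`@`, `:`, `/`, `#`, `%`); confirm the
          # policy, or percent-encode the password in the template.
          text: 'postgresql://{{ index .Secrets "username" }}:{{ index .Secrets "password" }}@postgres-rw.data.svc.cluster.local:5432/hive_db'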
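---
# Hive OIDC client credentials from kv-v2 `secret/hive`.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: hive-oidc
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: hive
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: hive
  destination:
    name: hive-oidc
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        client-id:
          text: '{{ index .Secrets "oidc-client-id" }}'
        client-secret:
          text: '{{ index .Secrets "oidc-client-secret" }}'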
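---
# People DB credentials from OpenBao database secrets engine (static role, 24h rotation).
# Only the password is exported; the username is presumably fixed in the
# consuming Deployments' config.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: people-db-credentials
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/people
  allowStaticCreds: true
  # VSO poll interval; the 24h rotation itself happens in the database engine.
  refreshAfter: 5m
  rolloutRestartTargets:
    - kind: Deployment
      name: people-backend
    - kind: Deployment
      name: people-celery-worker
    - kind: Deployment
      name: people-celery-beat
  destination:
    name: people-db-credentials
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        password:
          text: '{{ index .Secrets "password" }}'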
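---
# People Django SECRET_KEY from kv-v2 `secret/people`.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: people-django-secret
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: people
  refreshAfter: 30s
  # All three share one SECRET_KEY so session/signing material stays consistent
  # across backend and workers; a change restarts them together.
  rolloutRestartTargets:
    - kind: Deployment
      name: people-backend
    - kind: Deployment
      name: people-celery-worker
    - kind: Deployment
      name: people-celery-beat
  destination:
    name: people-django-secret
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        DJANGO_SECRET_KEY:
          text: '{{ index .Secrets "django-secret-key" }}'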
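---
# Docs DB credentials from OpenBao database secrets engine (static role, 24h rotation).
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: docs-db-credentials
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/docs
  allowStaticCreds: true
  # VSO poll interval; the 24h rotation itself happens in the database engine.
  refreshAfter: 5m
  rolloutRestartTargets:
    - kind: Deployment
      name: docs-backend
    - kind: Deployment
      name: docs-celery-worker
    - kind: Deployment
      name: docs-y-provider
  destination:
    name: docs-db-credentials
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        password:
          text: '{{ index .Secrets "password" }}'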
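---
# Docs Django SECRET_KEY from kv-v2 `secret/docs`.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: docs-django-secret
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: docs
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: docs-backend
    - kind: Deployment
      name: docs-celery-worker
    - kind: Deployment
      name: docs-y-provider
  destination:
    name: docs-django-secret
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        DJANGO_SECRET_KEY:
          text: '{{ index .Secrets "django-secret-key" }}'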
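---
# Shared secret between the Docs backend and the y-provider (collaboration
# server), read from the same kv-v2 path as the Django key but exported as its
# own Secret so only these two Deployments mount it.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: docs-collaboration-secret
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: docs
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: docs-backend
    - kind: Deployment
      name: docs-y-provider
  destination:
    name: docs-collaboration-secret
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        secret:
          text: '{{ index .Secrets "collaboration-secret" }}'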
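---
# Meet DB credentials from OpenBao database secrets engine (static role, 24h rotation).
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: meet-db-credentials
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/meet
  allowStaticCreds: true
  # VSO poll interval; the 24h rotation itself happens in the database engine.
  refreshAfter: 5m
  rolloutRestartTargets:
    - kind: Deployment
      name: meet-backend
    - kind: Deployment
      name: meet-celery-worker
  destination:
    name: meet-db-credentials
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        password:
          text: '{{ index .Secrets "password" }}'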
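---
# Meet Django SECRET_KEY and application JWT signing key from kv-v2 `secret/meet`.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: meet-django-secret
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: meet
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: meet-backend
    - kind: Deployment
      name: meet-celery-worker
  destination:
    name: meet-django-secret
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        DJANGO_SECRET_KEY:
          text: '{{ index .Secrets "django-secret-key" }}'
        # Rotating this key invalidates JWTs issued before the restart — presumably
        # acceptable for Meet; confirm before scheduling a rotation.
        APPLICATION_JWT_SECRET_KEY:
          text: '{{ index .Secrets "application-jwt-secret-key" }}'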
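---
# LiveKit API key pair from kv-v2 `secret/livekit`, consumed by Meet.
# NOTE(review): the kv path is `livekit`, not `meet`; if the LiveKit server
# itself also reads this pair, rotating it here restarts only the Meet side.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: meet-livekit
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: livekit
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: meet-backend
    - kind: Deployment
      name: meet-celery-worker
  destination:
    name: meet-livekit
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        LIVEKIT_API_KEY:
          text: '{{ index .Secrets "api-key" }}'
        LIVEKIT_API_SECRET:
          text: '{{ index .Secrets "api-secret" }}'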
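---
# Drive DB credentials from OpenBao database secrets engine (static role, 24h rotation).
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: drive-db-credentials
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/drive
  allowStaticCreds: true
  # VSO poll interval; the 24h rotation itself happens in the database engine.
  refreshAfter: 5m
  rolloutRestartTargets:
    - kind: Deployment
      name: drive-backend
    - kind: Deployment
      name: drive-backend-celery-default
  destination:
    name: drive-db-credentials
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        password:
          text: '{{ index .Secrets "password" }}'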
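---
# Drive Django SECRET_KEY from kv-v2 `secret/drive`.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: drive-django-secret
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: drive
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: drive-backend
    - kind: Deployment
      name: drive-backend-celery-default
  destination:
    name: drive-django-secret
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        DJANGO_SECRET_KEY:
          text: '{{ index .Secrets "django-secret-key" }}'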
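---
# Collabora admin username/password from kv-v2 `secret/collabora`.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: collabora-credentials
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: collabora
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: collabora
  destination:
    name: collabora-credentials
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        username:
          text: '{{ index .Secrets "username" }}'
        password:
          text: '{{ index .Secrets "password" }}'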
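---
# Messages DB credentials from OpenBao database secrets engine (static role, 24h rotation).
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: messages-db-credentials
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/messages
  allowStaticCreds: true
  # VSO poll interval; the 24h rotation itself happens in the database engine.
  refreshAfter: 5m
  rolloutRestartTargets:
    - kind: Deployment
      name: messages-backend
    - kind: Deployment
      name: messages-worker
  destination:
    name: messages-db-credentials
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        password:
          text: '{{ index .Secrets "password" }}'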
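---
# Messages application keys from kv-v2 `secret/messages`: Django SECRET_KEY,
# hashing salt, the MDA API secret and the key protecting stored OIDC refresh
# tokens. Four independent keys in one Secret means any consumer that mounts it
# whole (e.g. via envFrom) sees all four — check that messages-mta-in actually
# needs more than MDA_API_SECRET.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: messages-django-secret
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: messages
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: messages-backend
    - kind: Deployment
      name: messages-worker
    - kind: Deployment
      name: messages-mta-in
  destination:
    name: messages-django-secret
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        DJANGO_SECRET_KEY:
          text: '{{ index .Secrets "django-secret-key" }}'
        SALT_KEY:
          text: '{{ index .Secrets "salt-key" }}'
        MDA_API_SECRET:
          text: '{{ index .Secrets "mda-api-secret" }}'
        # Rotating this key makes previously stored refresh tokens undecryptable;
        # users would presumably have to re-authenticate — confirm before rotating.
        OIDC_STORE_REFRESH_TOKEN_KEY:
          text: '{{ index .Secrets "oidc-refresh-token-key" }}'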
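---
# DKIM signing private key for outbound mail, delivered only to the MPA.
# Rotating it requires publishing the matching public key in DNS first, or
# signatures will fail verification until the record propagates.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: messages-dkim-key
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: messages
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: messages-mpa
  destination:
    name: messages-dkim-key
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        dkim-private-key:
          text: '{{ index .Secrets "dkim-private-key" }}'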
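---
# rspamd password for the MPA, from kv-v2 `secret/messages`.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: messages-mpa-credentials
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: messages
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: messages-mpa
  destination:
    name: messages-mpa-credentials
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        # NOTE(review): mixed-case key, unlike every other env-style key in this
        # file (SMTP_PASSWORD, LIVEKIT_API_SECRET, ...). Secret keys are
        # case-sensitive, so this is only correct if the MPA reads exactly
        # `RSPAMD_password`; verify against the consuming Deployment before
        # renaming — left unchanged here to avoid breaking it.
        RSPAMD_password:
          text: '{{ index .Secrets "rspamd-password" }}'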
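---
# User list for the SOCKS proxy, from kv-v2 `secret/messages`. The value is
# passed through verbatim, so its format (separators, hashing) is whatever the
# proxy expects of PROXY_USERS — not visible from this file.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: messages-socks-credentials
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: messages
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: messages-socks-proxy
  destination:
    name: messages-socks-credentials
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        PROXY_USERS:
          text: '{{ index .Secrets "socks-proxy-users" }}'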
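---
# SMTP relay credentials for the outbound MTA, from kv-v2 `secret/messages`.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: messages-mta-out-credentials
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: messages
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: messages-mta-out
  destination:
    name: messages-mta-out-credentials
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        SMTP_USERNAME:
          text: '{{ index .Secrets "mta-out-smtp-username" }}'
        SMTP_PASSWORD:
          text: '{{ index .Secrets "mta-out-smtp-password" }}'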
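---
# Calendars DB credentials from OpenBao database secrets engine (static role, 24h rotation).
# The CalDAV server shares the backend's database role; a per-component role
# would let its DB grants be narrowed independently if that is ever needed.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: calendars-db-credentials
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/calendars
  allowStaticCreds: true
  # VSO poll interval; the 24h rotation itself happens in the database engine.
  refreshAfter: 5m
  rolloutRestartTargets:
    - kind: Deployment
      name: calendars-backend
    - kind: Deployment
      name: calendars-worker
    - kind: Deployment
      name: calendars-caldav
  destination:
    name: calendars-db-credentials
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        password:
          text: '{{ index .Secrets "password" }}'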
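---
# Calendars application keys from kv-v2 `secret/calendars`: Django SECRET_KEY,
# hashing salt and the three CalDAV API keys (inbound, outbound, internal).
# NOTE(review): calendars-caldav is a restart target and so presumably mounts
# this Secret; if it only needs the CALDAV_* keys, a separate VaultStaticSecret
# for it would keep DJANGO_SECRET_KEY and SALT_KEY out of the CalDAV pod.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: calendars-django-secret
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: calendars
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: calendars-backend
    - kind: Deployment
      name: calendars-worker
    - kind: Deployment
      name: calendars-caldav
  destination:
    name: calendars-django-secret
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        DJANGO_SECRET_KEY:
          text: '{{ index .Secrets "django-secret-key" }}'
        SALT_KEY:
          text: '{{ index .Secrets "salt-key" }}'
        CALDAV_INBOUND_API_KEY:
          text: '{{ index .Secrets "caldav-inbound-api-key" }}'
        CALDAV_OUTBOUND_API_KEY:
          text: '{{ index .Secrets "caldav-outbound-api-key" }}'
        CALDAV_INTERNAL_API_KEY:
          text: '{{ index .Secrets "caldav-internal-api-key" }}'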