527b3b024650bfc37f4dc725c510d4afaaa234e8
Database secrets engine (_configure_db_engine):
- Creates a dedicated `vault` PostgreSQL user via CNPG peer auth (psql exec). CNPG enableSuperuserAccess=false blocks remote auth for the postgres superuser, so we create vault with CREATEROLE and grant ADMIN OPTION on each service role (required by PG 16+ to rotate passwords).
- Configures the OpenBao postgresql plugin (cnpg-postgres connection) and creates static roles for all PG_USERS with 24h rotation_period.
- All bao/psql calls now raise RuntimeError on non-zero exit — no more silent failures.

Credential seeding (_seed_openbao):
- Added secret/login-ui path (cookie-secret, csrf-cookie-secret) so the login UI no longer needs hardcoded values in its Deployment manifest.
- Removed all DB password fields from KV; passwords are now managed exclusively by the database secrets engine.

Lifecycle:
- pre_apply_cleanup() prunes stale VaultStaticSecrets that have been superseded by VaultDynamicSecrets of the same name, preventing the "not the owner" ownerRef conflict that blocked secret updates.
- status_check() no longer marks Completed/Succeeded pods as unhealthy.
- _vso_sync_status() added to status output: shows sync state (secretMAC for VSS, lastRenewalTime for VDS) across all managed namespaces.

Verification (--verify):
- New verify_vso() function writes a random sentinel to OpenBao, creates a VaultAuth + VaultStaticSecret in the ory namespace, waits up to 60s for VSO to sync, decodes the K8s Secret, and asserts the value matches. Cleans up all test resources unconditionally. Replaces the unreliable Helm test pod for integration testing.
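The privilege model the commit describes for the `vault` role (CREATEROLE plus ADMIN OPTION on each service role, so that a non-superuser can rotate passwords on PostgreSQL 16+) is shown below as an added SQL example; it is not code from this commit or repository. The role names `kratos` and `hydra` are assumed placeholders for whatever PG_USERS the project actually defines, and the passwords are constructed sample values that a real rotation would replace with generated secrets.

```sql
-- Run once as the CNPG-managed superuser over peer auth (psql exec in the pod).
-- vault gets CREATEROLE but NOT SUPERUSER: it may administer the roles it is
-- granted admin rights on, and nothing else.
CREATE ROLE vault WITH LOGIN CREATEROLE PASSWORD 'constructed-bootstrap-password';

-- Placeholder service roles standing in for the project's PG_USERS list.
CREATE ROLE kratos WITH LOGIN PASSWORD 'constructed-initial-kratos-password';
CREATE ROLE hydra  WITH LOGIN PASSWORD 'constructed-initial-hydra-password';

-- On PostgreSQL 16+, CREATEROLE alone no longer lets a role ALTER another
-- role's password; the rotating role must hold ADMIN OPTION on the target.
GRANT kratos TO vault WITH ADMIN OPTION;
GRANT hydra  TO vault WITH ADMIN OPTION;

-- Check before pointing the secrets engine at the database: every service role
-- should appear exactly once with admin_option = true for member 'vault'.
SELECT r.rolname AS target_role, m.admin_option
FROM pg_auth_members m
JOIN pg_roles r ON r.oid = m.roleid
JOIN pg_roles g ON g.oid = m.member
WHERE g.rolname = 'vault'
ORDER BY r.rolname;

-- What the static-role rotation performs at each rotation_period, connected as
-- vault (not as postgres). With the grants above this succeeds on PG 16+;
-- without ADMIN OPTION it fails with "permission denied to alter role".
ALTER ROLE kratos WITH PASSWORD 'constructed-rotated-kratos-password';
```

Because the grant makes `vault` a member of each service role, on PostgreSQL 16+ the grant can be tightened to `WITH ADMIN OPTION, INHERIT FALSE, SET FALSE` so that `vault` keeps the right to rotate passwords without inheriting the service roles' table privileges or being able to `SET ROLE` into them; the verification query above still reports `admin_option = true` in that configuration.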
Description: The Super Boujee Business Box ✨

Languages: Shell 97.3%, Just 2.7%