sbbb/base/stalwart/vault-secrets.yaml
Sienna Meridian Satterwhite 8662c79212 checkpoint: stalwart deploy, beam-design, migration scripts, config tweaks
Stalwart + Bulwark mail server deployment with OIDC, TLS cert, vault secrets. Beam design service. Pingora config cleanup. SeaweedFS replication fix. Kratos values tweak. Migration scripts for mbox/messages/calendars from La Suite to Stalwart.
2026-04-06 17:52:30 +01:00


---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: vso-auth
  namespace: stalwart
spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: vso
    serviceAccount: default
---
# Stalwart DB credentials from OpenBao database secrets engine (static role, 24h rotation).
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: stalwart-db-credentials
  namespace: stalwart
spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/stalwart
  allowStaticCreds: true
  refreshAfter: 5m
  rolloutRestartTargets:
    - kind: Deployment
      name: stalwart
  destination:
    name: stalwart-db-credentials
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        password:
          text: "{{ index .Secrets \"password\" }}"
---
# Stalwart application secrets (admin password, DKIM key) from OpenBao KV.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: stalwart-app-secrets
  namespace: stalwart
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: stalwart
  refreshAfter: 30s
  destination:
    name: stalwart-app-secrets
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        admin-password:
          text: "{{ index .Secrets \"admin-password\" }}"
        dkim-private-key:
          text: "{{ index .Secrets \"dkim-private-key\" }}"
---
# SeaweedFS S3 credentials (shared — same secret as lasuite namespace).
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: seaweedfs-s3-credentials
  namespace: stalwart
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: seaweedfs
  refreshAfter: 30s
  destination:
    name: seaweedfs-s3-credentials
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        S3_ACCESS_KEY:
          text: "{{ index .Secrets \"access-key\" }}"
        S3_SECRET_KEY:
          text: "{{ index .Secrets \"secret-key\" }}"
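The following is an added example, not code from this repository: a small Python policy check a reviewer could run over a manifest like this one before merging. It encodes what the file above gets right and is worth keeping right: `excludeRaw: true` so the raw OpenBao response is not materialised in the Kubernetes Secret under `_raw`, explicit `templates` so only the named keys are copied, `rolloutRestartTargets` on the rotating database credentials so running pods pick up a new password, and a `refreshAfter` shorter than the 24h rotation period stated in the comment. It also flags `serviceAccount: default` in the VaultAuth as a least-privilege finding, since every pod in the namespace that runs under the default ServiceAccount shares that Vault identity. The YAML parser is a deliberately minimal subset written for this example (no PyYAML dependency), and the embedded manifest is a constructed, trimmed copy of the first two resources above; the `_raw` and copy-all-keys behaviours are the operator's documented defaults, assumed here rather than taken from the page.

```python
# Added example (not from the repository): a pre-merge policy check for VSO
# manifests like the one above, with a tiny YAML-subset parser (mappings, lists
# of mappings, scalars, '---' documents, '#' comments) so it needs no PyYAML.
import re

# Constructed sample: the VaultAuth and VaultDynamicSecret above, trimmed to the
# fields the checks look at.
MANIFEST = r"""
---
kind: VaultAuth
metadata:
  name: vso-auth
spec:
  kubernetes:
    role: vso
    serviceAccount: default
---
# Stalwart DB credentials (static role, 24h rotation).
kind: VaultDynamicSecret
metadata:
  name: stalwart-db-credentials
spec:
  allowStaticCreds: true
  refreshAfter: 5m
  rolloutRestartTargets:
    - kind: Deployment
      name: stalwart
  destination:
    transformation:
      excludeRaw: true
      templates:
        password:
          text: "{{ index .Secrets \"password\" }}"
"""
ROTATION_PERIOD_S = 24 * 3600  # static-role rotation period, taken from the comment (assumption)

def _scalar(raw):
    raw = raw.strip()
    if len(raw) > 1 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"')
    return {"true": True, "false": False}.get(raw, raw)

def _block(lines, i, indent):
    # lines: list of (indent, text); parse the mapping or list starting at lines[i]
    if lines[i][1].startswith("- "):
        items = []
        while i < len(lines) and lines[i][0] == indent and lines[i][1].startswith("- "):
            lines[i] = (indent + 2, lines[i][1][2:])  # "- k: v" opens a nested mapping
            item, i = _block(lines, i, indent + 2)
            items.append(item)
        return items, i
    mapping = {}
    while i < len(lines) and lines[i][0] == indent and not lines[i][1].startswith("- "):
        key, _, rest = lines[i][1].partition(":")
        i += 1
        if rest.strip():
            mapping[key.strip()] = _scalar(rest)
        elif i < len(lines) and lines[i][0] > indent:
            mapping[key.strip()], i = _block(lines, i, lines[i][0])
        else:
            mapping[key.strip()] = None
    return mapping, i

def parse_documents(text):
    docs = []
    for chunk in re.split(r"^---[ \t]*$", text, flags=re.M):
        lines = [(len(l) - len(l.lstrip()), l.strip()) for l in chunk.splitlines()
                 if l.strip() and not l.lstrip().startswith("#")]
        if lines:
            docs.append(_block(lines, 0, lines[0][0])[0])
    return docs

def parse_duration(value):
    # "30s" -> 30, "5m" -> 300, "24h" -> 86400
    m = re.fullmatch(r"(\d+)([smh])", str(value))
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    return int(m.group(1)) * {"s": 1, "m": 60, "h": 3600}[m.group(2)]

def lint(text):
    """Return findings for every document; an empty list means the manifest passes."""
    findings = []
    for doc in parse_documents(text):
        kind, spec, meta = doc.get("kind"), doc.get("spec") or {}, doc.get("metadata") or {}
        ref = f"{kind}/{meta.get('name')}"
        if kind == "VaultAuth" and (spec.get("kubernetes") or {}).get("serviceAccount") == "default":
            findings.append(f"{ref}: Vault role is bound to the namespace's default ServiceAccount; use a dedicated one")
        if kind not in ("VaultStaticSecret", "VaultDynamicSecret"):
            continue
        tf = (spec.get("destination") or {}).get("transformation") or {}
        if tf.get("excludeRaw") is not True:
            findings.append(f"{ref}: excludeRaw is not true, so the whole Vault response lands in the Secret as _raw")
        if not tf.get("templates"):
            findings.append(f"{ref}: no templates, so every key at the Vault path is copied into the Secret")
        if kind == "VaultDynamicSecret" and spec.get("allowStaticCreds") is True:
            if not spec.get("rolloutRestartTargets"):
                findings.append(f"{ref}: rotated static creds never reach running pods without rolloutRestartTargets")
            if parse_duration(spec.get("refreshAfter")) >= ROTATION_PERIOD_S:
                findings.append(f"{ref}: refreshAfter must be shorter than the 24h rotation period")
    return findings
```

Calling `lint(MANIFEST)` on the sample returns only the default-ServiceAccount finding; flipping `excludeRaw` to `false`, deleting the `rolloutRestartTargets` list, or raising `refreshAfter` to `24h` each adds the corresponding finding for the VaultDynamicSecret. Point `lint` at the full file to check the two VaultStaticSecret resources the same way.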