All Ory service credentials now flow from OpenBao through VSO instead
of being hardcoded in Helm values or Deployment env vars.
Kratos:
- Remove config.dsn; flip secret.enabled=false with nameOverride pointing
at kratos-app-secrets (a VSO-managed Secret with secretsDefault,
secretsCookie, smtpConnectionURI).
- Inject DSN at runtime via deployment.extraEnv from kratos-db-creds
(VaultDynamicSecret backed by OpenBao database static role, 24h rotation).
Hydra:
- Remove config.dsn; inject DSN via deployment.extraEnv from hydra-db-creds
(VaultDynamicSecret, same rotation scheme).
Login UI:
- Replace hardcoded COOKIE_SECRET/CSRF_COOKIE_SECRET env var values with
secretKeyRef reads from login-ui-secrets (VaultStaticSecret → secret/login-ui).
vault-secrets.yaml adds: VaultAuth, Hydra VSS, kratos-app-secrets VSS,
login-ui-secrets VSS, kratos-db-creds VDS, hydra-db-creds VDS.
Sienna Meridian Satterwhite
c7b812dde8
