People (desk chart v0.0.7): - Add people-values.yaml with all env vars wired to ConfigMaps and Secrets. DB password, S3 credentials, OIDC client, and Django secret key all come from VSO-managed K8s Secrets via secretKeyRef — nothing hardcoded. - Add Helm chart entry to kustomization.yaml (repo: suitenumerique/people). La Suite VSO secrets (vault-secrets.yaml): - seaweedfs-s3-credentials VSS (shared S3 creds → S3_ACCESS_KEY / S3_SECRET_KEY) - hive-db-url VDS (database/static-creds/hive → postgresql:// DSN, 24h rotation) - hive-oidc VSS (secret/hive → client-id / client-secret) - people-db-credentials VDS (database/static-creds/people → password, 24h rotation) - people-django-secret VSS (secret/people → DJANGO_SECRET_KEY)
---
# VaultAuth referenced by every VSO secret resource in this file
# (vaultAuthRef: vso-auth). VSO logs in through the "kubernetes" auth mount
# as role "vso".
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: vso-auth
  namespace: lasuite
spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: vso
    # NOTE(review): "default" is also the ServiceAccount of any pod in
    # lasuite that sets no serviceAccountName. If the "vso" role is bound to
    # it, those pods share the identity used to read every path below; a
    # dedicated ServiceAccount would narrow that. Confirm the role binding.
    serviceAccount: default
---
# Shared S3 credentials: reads KV v2 secret/seaweedfs every 30s and exposes
# them as S3_ACCESS_KEY / S3_SECRET_KEY in the destination Secret.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: seaweedfs-s3-credentials
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: seaweedfs
  refreshAfter: 30s
  destination:
    name: seaweedfs-s3-credentials
    create: true
    # overwrite lets VSO replace an existing Secret with this name.
    overwrite: true
    transformation:
      # Drops the "_raw" copy of the Vault response from the Secret.
      # NOTE(review): excludeRaw does not filter the source fields
      # themselves; if only the templated keys should be present, confirm
      # whether an includes/excludes filter is wanted.
      excludeRaw: true
      templates:
        S3_ACCESS_KEY:
          text: '{{ index .Secrets "access-key" }}'
        S3_SECRET_KEY:
          text: '{{ index .Secrets "secret-key" }}'
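---
# Hive DB credentials from OpenBao database secrets engine (static role, 24h
# rotation). Rendered into a single postgresql:// DSN under the key "url";
# the hive Deployment is restarted when the synced data changes.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: hive-db-url
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/hive
  # static-creds paths return server-rotated credentials rather than a lease.
  # allowStaticCreds tells VSO to treat the response that way so the sync
  # follows the rotation instead of relying only on the refreshAfter timer;
  # without it the Secret can keep a rotated-out password until the next poll.
  allowStaticCreds: true
  refreshAfter: 1h
  rolloutRestartTargets:
    - kind: Deployment
      name: hive
  destination:
    name: hive-db-url
    create: true
    # overwrite lets VSO replace an existing Secret with this name.
    overwrite: true
    transformation:
      # Drops the "_raw" copy of the Vault response from the Secret.
      excludeRaw: true
      templates:
        url:
          # NOTE(review): username and password are interpolated verbatim.
          # A rotated password containing characters reserved in a URL
          # (e.g. "@", ":", "/", "#") would yield a malformed DSN; confirm
          # the role's password policy only emits URL-safe characters.
          text: 'postgresql://{{ index .Secrets "username" }}:{{ index .Secrets "password" }}@postgres-rw.data.svc.cluster.local:5432/hive_db'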
---
# Hive OIDC client: reads KV v2 secret/hive every 30s and maps
# oidc-client-id / oidc-client-secret to client-id / client-secret.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: hive-oidc
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: hive
  refreshAfter: 30s
  # NOTE(review): no rolloutRestartTargets here, unlike the DB secrets in
  # this file; if consumers read these values as env vars, a changed client
  # secret presumably only takes effect after a pod restart. Confirm.
  destination:
    name: hive-oidc
    create: true
    # overwrite lets VSO replace an existing Secret with this name.
    overwrite: true
    transformation:
      # Drops the "_raw" copy of the Vault response from the Secret.
      excludeRaw: true
      templates:
        client-id:
          text: '{{ index .Secrets "oidc-client-id" }}'
        client-secret:
          text: '{{ index .Secrets "oidc-client-secret" }}'
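---
# People DB credentials from OpenBao database secrets engine (static role,
# 24h rotation). Only the password is templated into the destination Secret;
# the three People Deployments are restarted when the synced data changes.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: people-db-credentials
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/people
  # static-creds paths return server-rotated credentials rather than a lease.
  # allowStaticCreds tells VSO to treat the response that way so the sync
  # follows the rotation instead of relying only on the refreshAfter timer;
  # without it the Secret can keep a rotated-out password until the next poll.
  allowStaticCreds: true
  refreshAfter: 1h
  rolloutRestartTargets:
    - kind: Deployment
      name: people-backend
    - kind: Deployment
      name: people-celery-worker
    - kind: Deployment
      name: people-celery-beat
  destination:
    name: people-db-credentials
    create: true
    # overwrite lets VSO replace an existing Secret with this name.
    overwrite: true
    transformation:
      # Drops the "_raw" copy of the Vault response from the Secret.
      excludeRaw: true
      templates:
        password:
          text: '{{ index .Secrets "password" }}'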
---
# Django secret key for People: reads KV v2 secret/people every 30s and
# exposes django-secret-key as DJANGO_SECRET_KEY.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: people-django-secret
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: people
  refreshAfter: 30s
  # NOTE(review): no rolloutRestartTargets here; if the key is consumed as
  # an env var, a changed value presumably only takes effect after the
  # People pods restart. Confirm.
  destination:
    name: people-django-secret
    create: true
    # overwrite lets VSO replace an existing Secret with this name.
    overwrite: true
    transformation:
      # Drops the "_raw" copy of the Vault response from the Secret.
      excludeRaw: true
      templates:
        DJANGO_SECRET_KEY:
          text: '{{ index .Secrets "django-secret-key" }}'