sbbb/base/ory/vault-secrets.yaml

---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: vso-auth
  namespace: ory
spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: vso
    serviceAccount: default
---
# Hydra app secrets (non-rotating). DSN comes from VaultDynamicSecret hydra-db-creds.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: hydra
  namespace: ory
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: hydra
  refreshAfter: 30s
  destination:
    name: hydra
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        secretsSystem:
          text: "{{ index .Secrets \"system-secret\" }}"
        secretsCookie:
          text: "{{ index .Secrets \"cookie-secret\" }}"
        "pairwise-salt":
          text: "{{ index .Secrets \"pairwise-salt\" }}"
---
# Kratos non-rotating encryption keys. DSN comes from VaultDynamicSecret kratos-db-creds.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: kratos-app-secrets
  namespace: ory
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: kratos
  refreshAfter: 30s
  destination:
    name: kratos-app-secrets
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        secretsDefault:
          text: "{{ index .Secrets \"secrets-default\" }}"
        secretsCookie:
          text: "{{ index .Secrets \"secrets-cookie\" }}"
        smtpConnectionURI:
          text: "{{ index .Secrets \"smtp-connection-uri\" }}"
---
# Kratos DB credentials from OpenBao database secrets engine (static role, 24h rotation).
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: kratos-db-creds
  namespace: ory
spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/kratos
  allowStaticCreds: true
  refreshAfter: 5m
  rolloutRestartTargets:
    - kind: Deployment
      name: kratos
    - kind: StatefulSet
      name: kratos-courier
  destination:
    name: kratos-db-creds
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        dsn:
          text: "postgresql://{{ index .Secrets \"username\" }}:{{ index .Secrets \"password\" }}@postgres-rw.data.svc.cluster.local:5432/kratos_db?sslmode=disable"
---
# Login UI session cookie + CSRF protection secrets.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: login-ui-secrets
  namespace: ory
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: login-ui
  refreshAfter: 30s
  destination:
    name: login-ui-secrets
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        cookie-secret:
          text: "{{ index .Secrets \"cookie-secret\" }}"
        csrf-cookie-secret:
          text: "{{ index .Secrets \"csrf-cookie-secret\" }}"
---
# Hydra DB credentials from OpenBao database secrets engine (static role, 24h rotation).
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: hydra-db-creds
  namespace: ory
spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/hydra
  allowStaticCreds: true
  refreshAfter: 5m
  rolloutRestartTargets:
    - kind: Deployment
      name: hydra
  destination:
    name: hydra-db-creds
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        dsn:
          text: "postgresql://{{ index .Secrets \"username\" }}:{{ index .Secrets \"password\" }}@postgres-rw.data.svc.cluster.local:5432/hydra_db?sslmode=disable"
---
# Kratos Admin UI secrets.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: kratos-admin-ui-secrets
  namespace: ory
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: kratos-admin
  refreshAfter: 30s
  destination:
    name: kratos-admin-ui-secrets
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        cookie-secret:
          text: "{{ index .Secrets \"cookie-secret\" }}"
        csrf-cookie-secret:
          text: "{{ index .Secrets \"csrf-cookie-secret\" }}"
        admin-identity-ids:
          text: "{{ index .Secrets \"admin-identity-ids\" }}"