migrate consuming stacks to ESO + remove k8s-dashboard static token

Phase 9: ExternalSecret migration across 26 stacks: Fully migrated (vault data source removed, ESO delivers secrets): - speedtest, shadowsocks, wealthfolio, plotting-book, f1-stream, tandoor - n8n, dawarich, diun, netbox, onlyoffice, tuya-bridge - hackmd (ESO template for DB URL), health (ESO template for DB URL) - trading-bot (ESO template for DATABASE_URL + 7 secret env vars) - forgejo (removed unused vault data source) Partially migrated (vault kept for plan-time, ESO added for runtime): - immich, linkwarden, nextcloud, paperless-ngx (jsondecode for homepage) - claude-memory, rybbit, url, webhook_handler (plan-time in locals/jobs) - woodpecker, openclaw, resume (plan-time in helm values/jobs/modules) 17 stacks unchanged (all plan-time: homepage annotations, configmaps, module inputs) — vault data source works with OIDC auth. Phase 17a: Remove k8s-dashboard static admin token secret. Users now get tokens via: vault write kubernetes/creds/dashboard-admin
2026-03-15 19:05:04 +00:00 · 2026-03-15 19:05:04 +00:00 · 1acf8cc4e8
commit 1acf8cc4e8
parent cfc30b62e8
41 changed files with 1278 additions and 265 deletions
--- a/stacks/linkwarden/main.tf
+++ b/stacks/linkwarden/main.tf
@ -23,6 +23,33 @@ resource "kubernetes_namespace" "linkwarden" {
  }
 }

+resource "kubernetes_manifest" "external_secret" {
+  manifest = {
+    apiVersion = "external-secrets.io/v1beta1"
+    kind       = "ExternalSecret"
+    metadata = {
+      name      = "linkwarden-secrets"
+      namespace = "linkwarden"
+    }
+    spec = {
+      refreshInterval = "15m"
+      secretStoreRef = {
+        name = "vault-kv"
+        kind = "ClusterSecretStore"
+      }
+      target = {
+        name = "linkwarden-secrets"
+      }
+      dataFrom = [{
+        extract = {
+          key = "linkwarden"
+        }
+      }]
+    }
+  }
+  depends_on = [kubernetes_namespace.linkwarden]
+}
+
 module "tls_secret" {
  source          = "../../modules/kubernetes/setup_tls_secret"
  namespace       = kubernetes_namespace.linkwarden.metadata[0].name
@ -93,12 +120,22 @@ resource "kubernetes_deployment" "linkwarden" {
            value = "https://authentik.viktorbarzin.me/application/o/linkwarden"
          }
          env {
-            name  = "AUTHENTIK_CLIENT_ID"
-            value = data.vault_kv_secret_v2.secrets.data["authentik_client_id"]
+            name = "AUTHENTIK_CLIENT_ID"
+            value_from {
+              secret_key_ref {
+                name = "linkwarden-secrets"
+                key  = "authentik_client_id"
+              }
+            }
          }
          env {
-            name  = "AUTHENTIK_CLIENT_SECRET"
-            value = data.vault_kv_secret_v2.secrets.data["authentik_client_secret"]
+            name = "AUTHENTIK_CLIENT_SECRET"
+            value_from {
+              secret_key_ref {
+                name = "linkwarden-secrets"
+                key  = "authentik_client_secret"
+              }
+            }
          }
          resources {
            requests = {
--- a/stacks/linkwarden/providers.tf
+++ b/stacks/linkwarden/providers.tf
@ -13,12 +13,6 @@ variable "kube_config_path" {
  default = "~/.kube/config"
 }

-variable "vault_root_token" {
-  type      = string
-  sensitive = true
-  default   = ""
-}
-
 provider "kubernetes" {
  config_path = var.kube_config_path
 }
@ -31,6 +25,5 @@ provider "helm" {

 provider "vault" {
  address          = "https://vault.viktorbarzin.me"
-  token            = var.vault_root_token
  skip_child_token = true
 }