migrate consuming stacks to ESO + remove k8s-dashboard static token

Phase 9: ExternalSecret migration across 26 stacks: Fully migrated (vault data source removed, ESO delivers secrets): - speedtest, shadowsocks, wealthfolio, plotting-book, f1-stream, tandoor - n8n, dawarich, diun, netbox, onlyoffice, tuya-bridge - hackmd (ESO template for DB URL), health (ESO template for DB URL) - trading-bot (ESO template for DATABASE_URL + 7 secret env vars) - forgejo (removed unused vault data source) Partially migrated (vault kept for plan-time, ESO added for runtime): - immich, linkwarden, nextcloud, paperless-ngx (jsondecode for homepage) - claude-memory, rybbit, url, webhook_handler (plan-time in locals/jobs) - woodpecker, openclaw, resume (plan-time in helm values/jobs/modules) 17 stacks unchanged (all plan-time: homepage annotations, configmaps, module inputs) — vault data source works with OIDC auth. Phase 17a: Remove k8s-dashboard static admin token secret. Users now get tokens via: vault write kubernetes/creds/dashboard-admin
2026-03-15 19:05:04 +00:00 · 2026-03-15 19:05:04 +00:00 · 1acf8cc4e8
commit 1acf8cc4e8
parent cfc30b62e8
41 changed files with 1278 additions and 265 deletions
--- a/stacks/nextcloud/main.tf
+++ b/stacks/nextcloud/main.tf
@ -34,6 +34,33 @@ resource "kubernetes_namespace" "nextcloud" {
  }
 }

+resource "kubernetes_manifest" "external_secret" {
+  manifest = {
+    apiVersion = "external-secrets.io/v1beta1"
+    kind       = "ExternalSecret"
+    metadata = {
+      name      = "nextcloud-secrets"
+      namespace = "nextcloud"
+    }
+    spec = {
+      refreshInterval = "15m"
+      secretStoreRef = {
+        name = "vault-kv"
+        kind = "ClusterSecretStore"
+      }
+      target = {
+        name = "nextcloud-secrets"
+      }
+      dataFrom = [{
+        extract = {
+          key = "nextcloud"
+        }
+      }]
+    }
+  }
+  depends_on = [kubernetes_namespace.nextcloud]
+}
+
 resource "kubernetes_resource_quota" "nextcloud" {
  metadata {
    name      = "nextcloud-quota"
@ -182,8 +209,13 @@ resource "kubernetes_deployment" "whiteboard" {
            value = "http://nextcloud:8080"
          }
          env {
-            name  = "JWT_SECRET_KEY"
-            value = data.vault_kv_secret_v2.secrets.data["db_password"] # anything secret is fine
+            name = "JWT_SECRET_KEY"
+            value_from {
+              secret_key_ref {
+                name = "nextcloud-secrets"
+                key  = "db_password"
+              }
+            }
          }
        }
      }