fix DB password desync + migrate remaining tfvars to Vault

DB desync fix: Stacks with Vault DB engine rotation (24h) now read
the password from vault-database ClusterSecretStore instead of vault-kv.
9 stacks updated with db ExternalSecrets reading from static-creds/*.

Stacks fixed: speedtest, hackmd, health, trading-bot, claude-memory,
woodpecker, linkwarden, nextcloud, url.

terraform.tfvars migration:
- plotting-book: google_client_id/secret → Vault KV + secret_key_ref
- tandoor: email_password var removed (was default="", now optional ESO)
- infra: ssh_private_key, vm_wizard_password, dockerhub_registry_password
  → Vault KV at secret/infra + data source
Viktor Barzin 2026-03-15 21:39:45 +00:00
parent 06a0d0599a
commit 745e43c983
12 changed files with 385 additions and 83 deletions


@ -50,6 +50,42 @@ resource "kubernetes_manifest" "external_secret" {
depends_on = [kubernetes_namespace.linkwarden]
}
# DB credentials from Vault database engine (rotated every 24h)
resource "kubernetes_manifest" "db_external_secret" {
manifest = {
apiVersion = "external-secrets.io/v1beta1"
kind = "ExternalSecret"
metadata = {
name = "linkwarden-db-creds"
namespace = "linkwarden"
}
spec = {
refreshInterval = "15m"
secretStoreRef = {
name = "vault-database"
kind = "ClusterSecretStore"
}
target = {
name = "linkwarden-db-creds"
template = {
data = {
DATABASE_URL = "postgresql://linkwarden:{{ .password }}@${var.postgresql_host}:5432/linkwarden"
DB_PASSWORD = "{{ .password }}"
}
}
}
data = [{
secretKey = "password"
remoteRef = {
key = "static-creds/pg-linkwarden"
property = "password"
}
}]
}
}
depends_on = [kubernetes_namespace.linkwarden]
}
module "tls_secret" {
source = "../../modules/kubernetes/setup_tls_secret"
namespace = kubernetes_namespace.linkwarden.metadata[0].name
@ -87,9 +123,9 @@ resource "kubernetes_deployment" "linkwarden" {
app = "linkwarden"
}
annotations = {
"diun.enable" = "false"
"diun.include_tags" = "latest"
"dependency.kyverno.io/wait-for" = "postgresql.dbaas:5432"
"diun.enable" = "false"
"diun.include_tags" = "latest"
"dependency.kyverno.io/wait-for" = "postgresql.dbaas:5432"
}
}
spec {
@ -101,8 +137,13 @@ resource "kubernetes_deployment" "linkwarden" {
container_port = 3000
}
env {
name = "DATABASE_URL"
value = "postgresql://linkwarden:${data.vault_kv_secret_v2.secrets.data["db_password"]}@${var.postgresql_host}:5432/linkwarden"
name = "DATABASE_URL"
value_from {
secret_key_ref {
name = "linkwarden-db-creds"
key = "DATABASE_URL"
}
}
}
env {
name = "NEXT_PUBLIC_AUTHENTIK_ENABLED"
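Review bot: The `DATABASE_URL` template in the new `db_external_secret` splices `{{ .password }}` into the URL userinfo without escaping, so any generated password containing `@`, `/`, `#`, `%` or `?` will produce a connection string that parses to the wrong host or credentials; ESO templates expose sprig functions, so `DATABASE_URL = "postgresql://linkwarden:{{ .password | urlquery }}@${var.postgresql_host}:5432/linkwarden"` makes it safe regardless of Vault's password policy. Separately, the deployment now consumes the password via `secret_key_ref`, and env vars are fixed at pod start, so after the 24h rotation the running pod keeps the previous password until something restarts it (no reloader annotation is visible in this hunk — confirm one exists elsewhere, or switch to a mounted file the app re-reads). With `refreshInterval = "15m"` there is also a window of up to 15 minutes after rotation where the Secret still holds the rotated-out value, which will fail any pod scheduled in that window if Vault invalidates the old password immediately; a comment such as `# refreshInterval bounds the stale-credential window after the 24h rotation` on the ExternalSecret would record that trade-off. The `DB_PASSWORD` key is rendered into the Secret but not consumed by this deployment hunk; drop it if nothing reads it.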