fix DB password desync + migrate remaining tfvars to Vault
DB desync fix: Stacks with Vault DB engine rotation (24h) now read the password from vault-database ClusterSecretStore instead of vault-kv. 9 stacks updated with db ExternalSecrets reading from static-creds/*. Stacks fixed: speedtest, hackmd, health, trading-bot, claude-memory, woodpecker, linkwarden, nextcloud, url. terraform.tfvars migration: - plotting-book: google_client_id/secret → Vault KV + secret_key_ref - tandoor: email_password var removed (was default="", now optional ESO) - infra: ssh_private_key, vm_wizard_password, dockerhub_registry_password → Vault KV at secret/infra + data source
parent
06a0d0599a
commit
745e43c983
12 changed files with 385 additions and 83 deletions
|
|
@ -2,11 +2,6 @@ variable "tls_secret_name" {
|
|||
type = string
|
||||
sensitive = true
|
||||
}
|
||||
variable "tandoor_email_password" {
|
||||
type = string
|
||||
default = ""
|
||||
sensitive = true
|
||||
}
|
||||
variable "nfs_server" { type = string }
|
||||
variable "postgresql_host" { type = string }
|
||||
variable "mail_host" { type = string }
|
||||
|
|
@ -158,8 +153,14 @@ resource "kubernetes_deployment" "tandoor" {
|
|||
value = "info@viktorbarzin.me"
|
||||
}
|
||||
env {
|
||||
name = "EMAIL_HOST_PASSWORD"
|
||||
value = var.tandoor_email_password
|
||||
name = "EMAIL_HOST_PASSWORD"
|
||||
value_from {
|
||||
secret_key_ref {
|
||||
name = "tandoor-secrets"
|
||||
key = "email_password"
|
||||
optional = true
|
||||
}
|
||||
}
|
||||
}
|
||||
env {
|
||||
name = "EMAIL_USE_TLS"
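Review bot: `optional = true` on the `secret_key_ref` for `EMAIL_HOST_PASSWORD` means a missing `tandoor-secrets` Secret or a mistyped `email_password` key no longer blocks pod start, so the container comes up with the variable unset and the problem only appears when mail is sent. The commit message says this mirrors the old `default = ""`, so if it is intended, record it above the block, e.g. `# optional: tandoor starts without SMTP credentials when Vault has no email_password`. The ExternalSecret expected to create `tandoor-secrets` is not visible in this hunk, so the Secret name and key cannot be checked against it here. Environment values taken from a Secret are resolved only at container start, so a password changed in Vault will presumably not reach a running pod until it is restarted. The `kubernetes_deployment` block starts and ends outside the hunk.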
|
||||
|
|
|
|||