fix DB password rotation desync in 5 stacks

Vault DB engine rotates passwords weekly but 5 stacks baked passwords at Terraform plan time, causing stale credentials until next apply. - real-estate-crawler: add vault-database ESO, use secret_key_ref in 3 deployments - nextcloud: switch Helm chart to existingSecret for DB password - grafana: add vault-database ESO, use envFromSecrets in Helm values - woodpecker: use extraSecretNamesForEnvFrom, remove plan-time data source chain - affine: add vault-database ESO, use secret_key_ref in deployment + init container
2026-03-17 07:39:29 +00:00 · 2026-03-17 07:39:29 +00:00 · 94717dcd32
commit 94717dcd32
parent 6656743968
10 changed files with 166 additions and 41 deletions
--- a/stacks/nextcloud/chart_values.yaml
+++ b/stacks/nextcloud/chart_values.yaml
@ -61,8 +61,10 @@ externalDatabase:
  type: mysql
  host: ${mysql_host}
  user: nextcloud
-  password: ${db_password}
  database: nextcloud
+  existingSecret:
+    secretName: nextcloud-db-creds
+    passwordKey: DB_PASSWORD

 persistence:
  enabled: true
--- a/stacks/nextcloud/main.tf
+++ b/stacks/nextcloud/main.tf
@ -62,10 +62,7 @@ resource "kubernetes_manifest" "external_secret" {
 }

 # DB credentials from Vault database engine (rotated every 24h)
-# NOTE: Nextcloud Helm values use plan-time db_password from KV — the Helm
-# release will use the KV snapshot until the next terragrunt apply. This
-# ExternalSecret provides runtime-refreshed credentials for any future
-# migration to envFrom-based secret injection.
+# Nextcloud Helm chart reads password at runtime via existingSecret reference
 resource "kubernetes_manifest" "db_external_secret" {
  manifest = {
    apiVersion = "external-secrets.io/v1beta1"
@ -146,8 +143,9 @@ resource "helm_release" "nextcloud" {
  atomic     = true
  version    = "8.8.1"

-  values  = [templatefile("${path.module}/chart_values.yaml", { tls_secret_name = var.tls_secret_name, db_password = data.vault_kv_secret_v2.secrets.data["db_password"], redis_host = var.redis_host, mysql_host = var.mysql_host })]
-  timeout = 6000
+  values     = [templatefile("${path.module}/chart_values.yaml", { tls_secret_name = var.tls_secret_name, redis_host = var.redis_host, mysql_host = var.mysql_host })]
+  timeout    = 6000
+  depends_on = [kubernetes_manifest.db_external_secret]
 }

 resource "kubernetes_config_map" "apache_tuning" {