viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix DB password rotation desync in 5 stacks

Browse source 
Vault DB engine rotates passwords weekly but 5 stacks baked passwords
at Terraform plan time, causing stale credentials until next apply.

- real-estate-crawler: add vault-database ESO, use secret_key_ref in 3 deployments
- nextcloud: switch Helm chart to existingSecret for DB password
- grafana: add vault-database ESO, use envFromSecrets in Helm values
- woodpecker: use extraSecretNamesForEnvFrom, remove plan-time data source chain
- affine: add vault-database ESO, use secret_key_ref in deployment + init container
This commit is contained in:
Viktor Barzin 2026-03-17 07:39:29 +00:00 committed by Viktor Barzin
parent 6656743968
commit 94717dcd32
10 changed files with 166 additions and 41 deletions
Download patch file Download diff file Expand all files Collapse all files

1
stacks/platform/main.tf
View file

@ -220,7 +220,6 @@ module "monitoring" {
tiny_tuya_service_secret = data.vault_kv_secret_v2.secrets.data["tiny_tuya_service_secret"]
haos_api_token = data.vault_kv_secret_v2.secrets.data["haos_api_token"]
pve_password = data.vault_kv_secret_v2.secrets.data["pve_password"]
grafana_db_password = data.vault_kv_secret_v2.secrets.data["grafana_db_password"]
grafana_admin_password = data.vault_kv_secret_v2.secrets.data["grafana_admin_password"]
tier = local.tiers.cluster
}