fix DB password rotation desync in 5 stacks

Vault DB engine rotates passwords weekly but 5 stacks baked passwords at Terraform plan time, causing stale credentials until next apply. - real-estate-crawler: add vault-database ESO, use secret_key_ref in 3 deployments - nextcloud: switch Helm chart to existingSecret for DB password - grafana: add vault-database ESO, use envFromSecrets in Helm values - woodpecker: use extraSecretNamesForEnvFrom, remove plan-time data source chain - affine: add vault-database ESO, use secret_key_ref in deployment + init container
2026-03-17 07:39:29 +00:00 · 2026-03-17 07:39:29 +00:00 · 94717dcd32
commit 94717dcd32
parent 6656743968
10 changed files with 166 additions and 41 deletions
--- a/stacks/platform/modules/monitoring/grafana.tf
+++ b/stacks/platform/modules/monitoring/grafana.tf
@ -67,6 +67,41 @@ resource "kubernetes_persistent_volume" "alertmanager_pv" {
 #   }
 # }

+# DB credentials from Vault database engine (rotated automatically)
+# Provides GF_DATABASE_PASSWORD that auto-updates when password rotates
+resource "kubernetes_manifest" "grafana_db_creds" {
+  manifest = {
+    apiVersion = "external-secrets.io/v1beta1"
+    kind       = "ExternalSecret"
+    metadata = {
+      name      = "grafana-db-creds"
+      namespace = kubernetes_namespace.monitoring.metadata[0].name
+    }
+    spec = {
+      refreshInterval = "15m"
+      secretStoreRef = {
+        name = "vault-database"
+        kind = "ClusterSecretStore"
+      }
+      target = {
+        name = "grafana-db-creds"
+        template = {
+          data = {
+            GF_DATABASE_PASSWORD = "{{ .password }}"
+          }
+        }
+      }
+      data = [{
+        secretKey = "password"
+        remoteRef = {
+          key      = "static-creds/mysql-grafana"
+          property = "password"
+        }
+      }]
+    }
+  }
+}
+
 resource "kubernetes_config_map" "grafana_dashboards" {
  for_each = fileset("${path.module}/dashboards", "*.json")

@ -92,5 +127,6 @@ resource "helm_release" "grafana" {
  repository = "https://grafana.github.io/helm-charts"
  chart      = "grafana"

-  values = [templatefile("${path.module}/grafana_chart_values.yaml", { db_password = var.grafana_db_password, grafana_admin_password = var.grafana_admin_password, mysql_host = var.mysql_host })]
+  values     = [templatefile("${path.module}/grafana_chart_values.yaml", { grafana_admin_password = var.grafana_admin_password, mysql_host = var.mysql_host })]
+  depends_on = [kubernetes_manifest.grafana_db_creds]
 }
--- a/stacks/platform/modules/monitoring/grafana_chart_values.yaml
+++ b/stacks/platform/modules/monitoring/grafana_chart_values.yaml
@ -64,8 +64,10 @@ dashboardProviders:
    # editable: "true"
    options:
      path: "/var/lib/grafana/dashboards/default"
+envFromSecrets:
+  - name: grafana-db-creds
+    optional: false
 env:
-  GF_DATABASE_PASSWORD:  "${db_password}"
  GF_SERVER_ROOT_URL: https://grafana.viktorbarzin.me

 grafana.ini:
--- a/stacks/platform/modules/monitoring/main.tf
+++ b/stacks/platform/modules/monitoring/main.tf
@ -23,10 +23,6 @@ variable "pve_password" {
  type      = string
  sensitive = true
 }
-variable "grafana_db_password" {
-  type      = string
-  sensitive = true
-}
 variable "grafana_admin_password" {
  type      = string
  sensitive = true