viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix DB password desync + migrate remaining tfvars to Vault

Browse source 
DB desync fix: Stacks with Vault DB engine rotation (24h) now read
the password from vault-database ClusterSecretStore instead of vault-kv.
9 stacks updated with db ExternalSecrets reading from static-creds/*.

Stacks fixed: speedtest, hackmd, health, trading-bot, claude-memory,
woodpecker, linkwarden, nextcloud, url.

terraform.tfvars migration:
- plotting-book: google_client_id/secret → Vault KV + secret_key_ref
- tandoor: email_password var removed (was default="", now optional ESO)
- infra: ssh_private_key, vm_wizard_password, dockerhub_registry_password
  → Vault KV at secret/infra + data source
This commit is contained in:
Viktor Barzin 2026-03-15 21:39:45 +00:00 committed by Viktor Barzin
parent 19e0aef67b
commit fca99fd418
12 changed files with 385 additions and 83 deletions
Download patch file Download diff file Expand all files Collapse all files

98
stacks/trading-bot/main.tf
View file

@ -61,21 +61,18 @@ resource "kubernetes_manifest" "external_secret" {
name = "trading-bot-secrets"
template = {
data = {
TRADING_DATABASE_URL = "postgresql+asyncpg://trading:{{ .db_password }}@${var.postgresql_host}:5432/trading"
TRADING_ALPACA_API_KEY = "{{ .alpaca_api_key }}"
TRADING_ALPACA_SECRET_KEY = "{{ .alpaca_secret_key }}"
TRADING_JWT_SECRET_KEY = "{{ .jwt_secret }}"
TRADING_REDDIT_CLIENT_ID = "{{ .reddit_client_id }}"
TRADING_REDDIT_CLIENT_SECRET = "{{ .reddit_client_secret }}"
TRADING_ALPACA_API_KEY = "{{ .alpaca_api_key }}"
TRADING_ALPACA_SECRET_KEY = "{{ .alpaca_secret_key }}"
TRADING_JWT_SECRET_KEY = "{{ .jwt_secret }}"
TRADING_REDDIT_CLIENT_ID = "{{ .reddit_client_id }}"
TRADING_REDDIT_CLIENT_SECRET = "{{ .reddit_client_secret }}"
TRADING_ALPHA_VANTAGE_API_KEY = "{{ .alpha_vantage_api_key }}"
TRADING_FMP_API_KEY = "{{ .fmp_api_key }}"
DBAAS_ROOT_PASSWORD = "{{ .dbaas_root_password }}"
DB_PASSWORD = "{{ .db_password }}"
TRADING_FMP_API_KEY = "{{ .fmp_api_key }}"
DBAAS_ROOT_PASSWORD = "{{ .dbaas_root_password }}"
}
}
}
data = [
{ secretKey = "db_password", remoteRef = { key = "trading-bot", property = "db_password" } },
{ secretKey = "alpaca_api_key", remoteRef = { key = "trading-bot", property = "alpaca_api_key" } },
{ secretKey = "alpaca_secret_key", remoteRef = { key = "trading-bot", property = "alpaca_secret_key" } },
{ secretKey = "jwt_secret", remoteRef = { key = "trading-bot", property = "jwt_secret" } },
@ -90,6 +87,42 @@ resource "kubernetes_manifest" "external_secret" {
depends_on = [kubernetes_namespace.trading-bot]
}
# DB credentials from Vault database engine (rotated every 24h)
resource "kubernetes_manifest" "db_external_secret" {
manifest = {
apiVersion = "external-secrets.io/v1beta1"
kind = "ExternalSecret"
metadata = {
name = "trading-bot-db-creds"
namespace = "trading-bot"
}
spec = {
refreshInterval = "15m"
secretStoreRef = {
name = "vault-database"
kind = "ClusterSecretStore"
}
target = {
name = "trading-bot-db-creds"
template = {
data = {
TRADING_DATABASE_URL = "postgresql+asyncpg://trading:{{ .password }}@${var.postgresql_host}:5432/trading"
DB_PASSWORD = "{{ .password }}"
}
}
}
data = [{
secretKey = "password"
remoteRef = {
key = "static-creds/pg-trading"
property = "password"
}
}]
}
}
depends_on = [kubernetes_namespace.trading-bot]
}
# Database init job - creates the trading database and user in PostgreSQL
resource "kubernetes_job" "db_init" {
metadata {
@ -125,6 +158,11 @@ resource "kubernetes_job" "db_init" {
name = "trading-bot-secrets"
}
}
env_from {
secret_ref {
name = "trading-bot-db-creds"
}
}
}
restart_policy = "Never"
}
@ -161,6 +199,11 @@ resource "kubernetes_job" "migrations" {
name = "trading-bot-secrets"
}
}
env_from {
secret_ref {
name = "trading-bot-db-creds"
}
}
}
restart_policy = "Never"
}
@ -251,6 +294,11 @@ resource "kubernetes_deployment" "trading-bot-frontend" {
name = "trading-bot-secrets"
}
}
env_from {
secret_ref {
name = "trading-bot-db-creds"
}
}
resources {
requests = {
cpu = "50m"
@ -328,6 +376,11 @@ resource "kubernetes_deployment" "trading-bot-workers" {
name = "trading-bot-secrets"
}
}
env_from {
secret_ref {
name = "trading-bot-db-creds"
}
}
resources {
requests = {
cpu = "10m"
@ -359,6 +412,11 @@ resource "kubernetes_deployment" "trading-bot-workers" {
name = "trading-bot-secrets"
}
}
env_from {
secret_ref {
name = "trading-bot-db-creds"
}
}
resources {
requests = {
cpu = "100m"
@ -390,6 +448,11 @@ resource "kubernetes_deployment" "trading-bot-workers" {
name = "trading-bot-secrets"
}
}
env_from {
secret_ref {
name = "trading-bot-db-creds"
}
}
resources {
requests = {
cpu = "10m"
@ -421,6 +484,11 @@ resource "kubernetes_deployment" "trading-bot-workers" {
name = "trading-bot-secrets"
}
}
env_from {
secret_ref {
name = "trading-bot-db-creds"
}
}
resources {
requests = {
cpu = "10m"
@ -452,6 +520,11 @@ resource "kubernetes_deployment" "trading-bot-workers" {
name = "trading-bot-secrets"
}
}
env_from {
secret_ref {
name = "trading-bot-db-creds"
}
}
resources {
requests = {
cpu = "10m"
@ -483,6 +556,11 @@ resource "kubernetes_deployment" "trading-bot-workers" {
name = "trading-bot-secrets"
}
}
env_from {
secret_ref {
name = "trading-bot-db-creds"
}
}
resources {
requests = {
cpu = "10m"