try vault postgres secret engine

2024-10-18 15:42:31 +02:00
parent 5da0f2150b
commit 3bb67fc2c1
8 changed files with 165 additions and 2 deletions


@@ -5,6 +5,7 @@ metadata:
labels:
{{- include "webapp.labels" . | nindent 4 }}
spec:
revisionHistoryLimit: 3
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}


@@ -1,7 +1,7 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: static-auth
name: auth
namespace: {{ .Release.Namespace }}
spec:
method: kubernetes


@@ -0,0 +1,25 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
name: vso-db
namespace: {{ .Release.Namespace }}
spec:
# Mount path of the secrets backend
mount: postgres
# Path to the secret
path: creds/webapp
# Where to store the secrets, VSO will create the secret
destination:
create: true
name: vso-db-credentials
# Restart these pods when secrets rotated
rolloutRestartTargets:
- kind: Deployment
name: {{ include "webapp.fullname" . }}
# Name of the CRD to authenticate to Vault
vaultAuthRef: auth
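Review bot: The new VaultDynamicSecret sets no `spec.revoke`, so when the CR is removed (a `helm uninstall`, or a resource rename of the kind this commit already makes to VaultAuth) the Postgres lease is left to run out its own TTL and the generated role credentials stay usable in the meantime; add `revoke: true` under `spec` so the operator revokes the lease on deletion. The names `vso-db`, `vso-db-credentials` and `auth` are hard-coded while `rolloutRestartTargets` is derived from `include "webapp.fullname" .`, so two releases in one namespace would collide on these resources; deriving them from the same helper keeps the chart consistent. The comment `# Name of the CRD to authenticate to Vault` describes a custom resource, not a CRD; `# Name of the VaultAuth resource used to authenticate to Vault` would be accurate.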


@@ -21,4 +21,4 @@ spec:
refreshAfter: 30s
# Name of the CRD to authenticate to Vault
vaultAuthRef: static-auth
vaultAuthRef: auth