try vault postgres secret engine

.gitea/workflows/vault.yaml

@@ -0,0 +1,57 @@
+---
+# template source: https://github.com/bretfisher/docker-build-workflow/blob/main/templates/call-docker-build.yaml
+name: Hashicorp Vault
+
+on: #[push,pull_request]
+  push: &vaultPaths
+    paths:
+      - 'iac/*.tf'
+  pull_request: *vaultPaths
+
+# cancel any previously-started, yet still active runs of this workflow on the same branch
+concurrency:
+  group: ${{ github.ref }}-${{ github.workflow }}
+  cancel-in-progress: true
+
+.vault_step: &vault_step
+  name: read vault secret
+  uses: https://gitea.arcodange.duckdns.org/arcodange-org/vault-action.git@main
+  id: vault-secrets
+  with:
+    url: https://vault.arcodange.duckdns.org
+    jwtGiteaOIDC: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
+    role: gitea_cicd_webapp
+    method: jwt
+    path: gitea_jwt
+    secrets: |
+        kvv1/google/credentials credentials | GOOGLE_BACKEND_CREDENTIALS ;
+
+jobs:
+  gitea_vault_auth:
+    name: Auth with gitea for vault
+    runs-on: ubuntu-latest
+    outputs:
+      gitea_vault_jwt: ${{steps.gitea_vault_jwt.outputs.id_token}}
+    steps:
+
+      - name: Auth with gitea for vault
+        id: gitea_vault_jwt
+        run: |
+          echo -n "${{ secrets.vault_oauth__sh_b64 }}" | base64 -d | bash
+
+  tofu:
+    name: Tofu - Vault
+    needs:
+      - gitea_vault_auth
+    runs-on: ubuntu-latest
+    env:
+      OPENTOFU_VERSION: 1.8.2
+      TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
+    steps:
+      - *vault_step
+      - uses: actions/checkout@v4
+      - name: terraform apply
+        uses: dflook/terraform-apply@v1
+        with:
+          path: iac
+          auto_approve: true

chart/templates/deployment.yaml

@@ -5,6 +5,7 @@ metadata:
   labels:
     {{- include "webapp.labels" . | nindent 4 }}
 spec:
+  revisionHistoryLimit: 3
   {{- if not .Values.autoscaling.enabled }}
   replicas: {{ .Values.replicaCount }}
   {{- end }}

chart/templates/vaultauth.yaml

@@ -1,7 +1,7 @@
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultAuth
 metadata:
-  name: static-auth
+  name: auth
   namespace: {{ .Release.Namespace }}
 spec:
   method: kubernetes

chart/templates/vaultdynamicsecret.yaml

@@ -0,0 +1,25 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultDynamicSecret
+metadata:
+  name: vso-db
+  namespace: {{ .Release.Namespace }}
+spec:
+
+  # Mount path of the secrets backend
+  mount: postgres
+
+  # Path to the secret
+  path: creds/webapp
+
+  # Where to store the secrets, VSO will create the secret
+  destination:
+    create: true
+    name: vso-db-credentials
+
+  # Restart these pods when secrets rotated
+  rolloutRestartTargets:
+  - kind: Deployment
+    name: {{ include "webapp.fullname" . }}
+
+  # Name of the CRD to authenticate to Vault
+  vaultAuthRef: auth

chart/templates/vaultsecret.yaml

@@ -21,4 +21,4 @@ spec:
   refreshAfter: 30s
 
   # Name of the CRD to authenticate to Vault
-  vaultAuthRef: static-auth
+  vaultAuthRef: auth

iac/backend.tf

@@ -0,0 +1,6 @@
+terraform {
+  backend "gcs" {
+    bucket  = "arcodange-tf"
+    prefix  = "webapp/main"
+  }
+}

iac/main.tf

@@ -0,0 +1,58 @@
+data "vault_auth_backend" "kubernetes" {
+  path = "kubernetes"
+}
+variable "name" {
+  type = string
+  default = "webapp"
+}
+variable "database" {
+  type = string
+  nullable = true
+  default = null
+}
+locals {
+  name = lower(var.name)
+  database = var.database == null ? local.name : var.database
+
+  vault_mount_postgres = { path = "postgres" }
+  vault_mount_kvv2 = { path = "kvv2" }
+}
+
+resource "vault_database_secret_backend_role" "role" {
+  backend             = local.vault_mount_postgres.path
+  name                = "${local.name}"
+  db_name             = "postgres"
+  creation_statements = [
+    "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
+    "GRANT ${local.name}_role TO \"{{name}}\";",
+  ] 
+  revocation_statements = [
+    "REVOKE ALL ON DATABASE ${local.database} FROM  \"{{name}}\";" # should we drop the role ?
+  ]
+  renew_statements=[]
+  rollback_statements=[]
+}
+
+resource "vault_kv_secret_v2" "webapp_config" {
+  mount                      = local.vault_mount_kvv2.path
+  name                       = "webapp/config"
+  cas                        = 1
+#   delete_all_versions        = true
+  data_json                  = jsonencode(
+  {
+    zip       = "zap",
+    foo       = "bar"
+  }
+  )
+}
+
+resource "vault_kubernetes_auth_backend_role" "role" {
+  backend                          = data.vault_auth_backend.kubernetes.path
+  role_name                        = local.name
+  bound_service_account_names      = [local.name]
+  bound_service_account_namespaces = [local.name]
+  token_ttl                        = 3600
+  token_policies                   = ["default", local.name]
+  audience                         = "vault"
+  alias_name_source                = "serviceaccount_name"
+}

iac/providers.tf

@@ -0,0 +1,16 @@
+terraform {
+    required_providers {
+      vault = {
+        source = "vault"
+        version = "4.4.0"
+      }
+    }
+}
+
+provider vault {
+    address = "https://vault.arcodange.duckdns.org"
+    auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
+        mount = "gitea_jwt"
+        role = "gitea_cicd_webapp"
+    }
+}