From 8b1485e1439954fcf59e8f5e53ed8166edc5be26 Mon Sep 17 00:00:00 2001
From: Gabriel Radureau
Date: Wed, 6 May 2026 07:13:37 +0200
Subject: [PATCH] =?UTF-8?q?=E2=9C=A8=20feat(deploy):=20chart=20Vault=20CRD?= =?UTF-8?q?s=20gated=20by=20vault.enabled=20(default=20false)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Adds VaultAuth + VaultStaticSecret + VaultDynamicSecret templates gated behind .Values.vault.enabled (default false). Default helm install keeps working in degraded mode. Chart becomes Vault-ready without activating Vault dependencies. iac/ terraform + Vault workflow follow as PR-IAC1 (requires user manual prereqs in Vault). Generated by Mistral Vibe.
Co-Authored-By: Mistral Vibe
---
 chart/templates/vaultauth.yaml | 15 +++++++++++++++
 chart/templates/vaultdynamicsecret.yaml | 17 +++++++++++++++++
 chart/templates/vaultsecret.yaml | 16 ++++++++++++++++
 chart/values.yaml | 9 +++++++++
 4 files changed, 57 insertions(+)
 create mode 100644 chart/templates/vaultauth.yaml
 create mode 100644 chart/templates/vaultdynamicsecret.yaml
 create mode 100644 chart/templates/vaultsecret.yaml
diff --git a/chart/templates/vaultauth.yaml b/chart/templates/vaultauth.yaml
new file mode 100644
index 0000000..84bcbdf
--- /dev/null
+++ b/chart/templates/vaultauth.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.vault.enabled }}
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+ name: auth
+ namespace: {{ .Release.Namespace }}
+spec:
+ method: kubernetes
+ mount: kubernetes
+ kubernetes:
+ role: {{ .Values.vault.role }}
+ serviceAccount: {{ include "dance-lessons-coach.serviceAccountName" . }}
+ audiences:
+ - vault
+{{- end }}
diff --git a/chart/templates/vaultdynamicsecret.yaml b/chart/templates/vaultdynamicsecret.yaml
new file mode 100644
index 0000000..a13b2ce
--- /dev/null
+++ b/chart/templates/vaultdynamicsecret.yaml
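Review bot: `metadata.name: auth` is a fixed, non-release-scoped name, so two releases of this chart in the same namespace would contend for one VaultAuth object; the same applies to `vso-db` / `vso-db-credentials` in vaultdynamicsecret.yaml and `vault-kv-app` / `secretkv` in vaultsecret.yaml, both of which also hard-code `vaultAuthRef: auth`. Deriving the names from the chart's fullname helper, e.g. `name: {{ include "dance-lessons-coach.fullname" . }}-auth`, and using the same expression in the two `vaultAuthRef` fields keeps them unique per release. Templated scalars such as `role: {{ .Values.vault.role }}` are rendered unquoted, so an empty or boolean-looking override becomes null/bool rather than a string; `role: {{ .Values.vault.role | quote }}` is safer, and the same applies to the `path:` values in the other two templates. The hard-coded `mount: kubernetes` and the `vault` audience are assumptions about the Vault side that deserve a comment above `spec:` so operators know what their Kubernetes auth backend must match.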
@@ -0,0 +1,17 @@
+{{- if .Values.vault.enabled }}
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultDynamicSecret
+metadata:
+ name: vso-db
+ namespace: {{ .Release.Namespace }}
+spec:
+ mount: postgres
+ path: {{ .Values.vault.postgresPath }}
+ destination:
+ create: true
+ name: vso-db-credentials
+ rolloutRestartTargets:
+ - kind: Deployment
+ name: {{ include "dance-lessons-coach.fullname" . }}
+ vaultAuthRef: auth
+{{- end }}
diff --git a/chart/templates/vaultsecret.yaml b/chart/templates/vaultsecret.yaml
new file mode 100644
index 0000000..ce48c14
--- /dev/null
+++ b/chart/templates/vaultsecret.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.vault.enabled }}
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: vault-kv-app
+ namespace: {{ .Release.Namespace }}
+spec:
+ type: kv-v2
+ mount: kvv2
+ path: {{ .Values.vault.kvv2Path }}
+ destination:
+ name: secretkv
+ create: true
+ refreshAfter: 30s
+ vaultAuthRef: auth
+{{- end }}
diff --git a/chart/values.yaml b/chart/values.yaml
index fa629bb..994ae95 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -104,6 +104,15 @@ tolerations: []
 affinity: {}
+# Vault Secrets Operator integration. Disabled by default ; set vault.enabled=true
+# to render the VaultAuth / VaultStaticSecret / VaultDynamicSecret CRDs (requires
+# VSO operator + Vault prereqs, cf. iac/ once shipped).
+vault:
+ enabled: false
+ role: dance-lessons-coach # k8s auth backend role name (matches iac/main.tf)
+ kvv2Path: dance-lessons-coach/config # KVv2 secret path
+ postgresPath: creds/dance-lessons-coach # postgres dynamic creds path
+ # DLC-specific configuration
 config:
 DLC_LOGGING_JSON: "true"
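Review bot: `rolloutRestartTargets` restarts the Deployment on every credential rotation, but nothing in this hunk (or elsewhere in the commit) wires the generated `vso-db-credentials` Secret into that Deployment, so if the workload still reads its database credentials from another source each rotation restarts pods without changing what they use. A comment at `destination:` such as `# the Deployment must consume vso-db-credentials (env/secretKeyRef or volume) for the restart to be meaningful` plus a follow-up change that actually references the Secret would close that gap. `mount: postgres` is hard-coded while `path` is parameterised, so a comment stating that the chart assumes a database secrets engine mounted at `postgres/` would help operators match their Vault setup.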
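Review bot: unlike vaultdynamicsecret.yaml, this VaultStaticSecret sets no `rolloutRestartTargets`, so a rotated KV value is written to the `secretkv` Secret on refresh but pods that consume it through environment variables keep the old value until something else restarts them. If the application reads `secretkv` as env vars, add the same `rolloutRestartTargets` block pointing at the Deployment; if it reads mounted files, a one-line comment saying so would stop a later reader from adding one needlessly. `refreshAfter: 30s` is fairly frequent polling for a static secret; a comment giving the reason, or a longer interval, would make the choice deliberate.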
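Review bot: the new `vault:` block documents the role and paths but not the mount names the templates hard-code (`kubernetes` for the auth method, `kvv2` for the KV store, `postgres` for the database engine), so an operator reading values.yaml cannot see the full set of Vault-side assumptions that `vault.enabled=true` implies. A comment listing them, e.g. `# templates assume Vault mounts: auth/kubernetes, kvv2/ (KV v2), postgres/ (database engine)`, or promoting them to values, would make the contract explicit. The `role` comment points at `iac/main.tf`, which per the commit message is not part of this change yet; phrasing it as a planned file avoids a dangling reference. `Disabled by default ;` has a stray space before the semicolon.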