REFACTOR(k8s): move secrets to Vault

- Migrate secrets to HashiCorp Vault - Use ExternalSecrets operator
2025-12-23 22:42:05 +09:00
parent 346b0c79ef
commit e54811c09b
7 changed files with 82 additions and 11 deletions
--- a/deploy/k8s/deployment.yaml
+++ b/deploy/k8s/deployment.yaml
@@ -45,10 +45,12 @@ spec:
        - name: GROQ_API_BASE
          value: "https://api.groq.com/openai/v1"
        - name: DATABASE_URL
+          value: "postgresql+asyncpg://mas_user:$(POSTGRES_PASSWORD)@postgresql.postgresql.svc.cluster.local:5432/mas"
+        - name: POSTGRES_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mas-postgres
-              key: database-url
+              key: password
        - name: REDIS_URL
          value: "redis://redis:6379/0"
        resources:
--- a/deploy/k8s/kustomization.yaml
+++ b/deploy/k8s/kustomization.yaml
@@ -7,6 +7,7 @@ resources:
  - namespace.yaml
  - ../vault/mas-api-keys.yaml
  - ../vault/mas-postgres.yaml
+  - ../vault/postgresql-root-password.yaml
  - deployment.yaml
  - service.yaml
  - ingress.yaml