REFACTOR(k8s): move secrets to Vault

- Migrate secrets to HashiCorp Vault
- Use ExternalSecrets operator

deploy/argocd/application.yaml

@@ -0,0 +1,37 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: mas
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  source:
+    repoURL: https://gitea0213.kro.kr/bluemayne/mas.git
+    targetRevision: main
+    path: deploy/argocd
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: argocd
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+
+    syncOptions:
+      - CreateNamespace=true
+
+    retry:
+      limit: 5
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m
+
+  revisionHistoryLimit: 10
+

deploy/argocd/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  # App of Apps Application
+  - application.yaml
+  
+  # MAS Application
+  - mas.yaml
+

deploy/argocd/mas.yaml

@@ -3,11 +3,13 @@ kind: Application
 metadata:
   name: mas
   namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
 spec:
   project: default
   source:
     repoURL: https://gitea0213.kro.kr/bluemayne/mas.git
-    targetRevision: HEAD
+    targetRevision: main
     path: deploy/k8s
   destination:
     server: https://kubernetes.default.svc
@@ -16,6 +18,14 @@ spec:
     automated:
       prune: true
       selfHeal: true
+      allowEmpty: false
     syncOptions:
-    - CreateNamespace=true
+      - CreateNamespace=true
+    retry:
+      limit: 5
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m
+  revisionHistoryLimit: 10
 

deploy/k8s/deployment.yaml

@@ -45,10 +45,12 @@ spec:
         - name: GROQ_API_BASE
           value: "https://api.groq.com/openai/v1"
         - name: DATABASE_URL
+          value: "postgresql+asyncpg://mas_user:$(POSTGRES_PASSWORD)@postgresql.postgresql.svc.cluster.local:5432/mas"
+        - name: POSTGRES_PASSWORD
           valueFrom:
             secretKeyRef:
               name: mas-postgres
-              key: database-url
+              key: password
         - name: REDIS_URL
           value: "redis://redis:6379/0"
         resources:

deploy/k8s/kustomization.yaml

@@ -7,6 +7,7 @@ resources:
   - namespace.yaml
   - ../vault/mas-api-keys.yaml
   - ../vault/mas-postgres.yaml
+  - ../vault/postgresql-root-password.yaml
   - deployment.yaml
   - service.yaml
   - ingress.yaml

deploy/vault/mas-postgres.yaml

@@ -12,14 +12,6 @@ spec:
     name: mas-postgres
     creationPolicy: Owner
   data:
-    - secretKey: database-url
-      remoteRef:
-        key: mas/postgres
-        property: DATABASE_URL
-    - secretKey: username
-      remoteRef:
-        key: mas/postgres
-        property: USERNAME
     - secretKey: password
       remoteRef:
         key: mas/postgres

deploy/vault/postgresql-root-password.yaml

@@ -0,0 +1,19 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: postgresql-root-password
+  namespace: mas
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault-backend
+  target:
+    name: postgresql-root-password
+    creationPolicy: Owner
+  data:
+    - secretKey: password
+      remoteRef:
+        key: databases/postgresql
+        property: PASSWORD
+