Secrets Management
All secrets are managed by OpenBao (a self-hosted Vault fork) at http://192.168.1.15:30820.
Layout
- KV engine: `secret/` (KV v2)
- Secret paths: `secret/data/production/heezy/<name>`
- Auth: Kubernetes auth method (ESO ServiceAccount)
- ESO policy: `eso-readonly`, read/list on `secret/data/*`
Key Paths
| Path | Contents |
|---|---|
| `production/heezy/postgres/heezy-credentials` | heezy_app DB password |
| `production/heezy/gitea/runner-pat` | Gitea runner PAT |
| `production/heezy/github_runner/aws_credentials` | AWS creds for ECR push |
| `production/heezy/k8s/kubeconfig` | Cluster kubeconfig |
| `production/heezy/receipts/aws-credentials` | Textract IAM creds |
| `production/heezy/gmail/oauth-credentials` | Gmail OAuth tokens |
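
An added example (not part of this setup's own code) that maps the logical paths in the table to KV v2 API paths and checks which of them a policy rule covers. The path matching is a simplified model of Vault/OpenBao policy globs; `ESO_SCOPED` and the `staging/...` path are assumptions made for comparison.

```python
MOUNT = "secret"
# Logical paths copied from the Key Paths table.
KEY_PATHS = [
    "production/heezy/postgres/heezy-credentials",
    "production/heezy/gitea/runner-pat",
    "production/heezy/github_runner/aws_credentials",
    "production/heezy/k8s/kubeconfig",
    "production/heezy/receipts/aws-credentials",
    "production/heezy/gmail/oauth-credentials",
]
# Constructed path outside the documented prefix, used only for comparison.
OUTSIDE = "staging/other/db-password"
# Rule as this page describes eso-readonly.
ESO_READONLY = {"secret/data/*": {"read", "list"}}
# Hypothetical narrower rule (assumption, not from the page).
ESO_SCOPED = {"secret/data/production/heezy/*": {"read"}}

def api_path(logical, kind="data", mount=MOUNT):
    """KV v2 serves values under <mount>/data/ and key listings under <mount>/metadata/."""
    return f"{mount}/{kind}/{logical.strip('/')}"

def rule_matches(pattern, path):
    """Trailing '*' is a prefix glob; '+' matches exactly one path segment."""
    glob = pattern.endswith("*")
    pat = (pattern[:-1] if glob else pattern).split("/")
    seg = path.split("/")
    if len(seg) < len(pat) or (not glob and len(seg) != len(pat)):
        return False
    for i, p in enumerate(pat):
        if glob and i == len(pat) - 1:
            if not seg[i].startswith(p):
                return False
        elif p not in ("+", seg[i]):
            return False
    return True

def allowed(policy, path, capability):
    """Single-rule policies only: no most-specific-rule precedence is modelled."""
    return any(capability in caps for pat, caps in policy.items()
               if rule_matches(pat, path))

def readable(policy, logical_paths):
    """Map each logical path to whether the policy grants read on its data path."""
    return {p: allowed(policy, api_path(p), "read") for p in logical_paths}

if __name__ == "__main__":
    for name, pol in (("eso-readonly", ESO_READONLY), ("scoped", ESO_SCOPED)):
        print(name, readable(pol, KEY_PATHS + [OUTSIDE]))
```

Both rules cover every path in the table; only the rule on `secret/data/*` also covers the constructed path outside `production/heezy/`.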
Auto-unseal
CronJob `openbao-unseal` runs every 5 minutes: it reads the `openbao-init-keys` secret and unseals if needed.