veza/k8s/secrets/vault-integration.yaml


# HashiCorp Vault Integration Guide
# This file contains example configurations for integrating Vault with Veza.
# Note: This is a reference file only. It consists entirely of comments and produces no
# Kubernetes objects; the actual Vault installation should be done via Helm:
# helm repo add hashicorp https://helm.releases.hashicorp.com
# helm install vault hashicorp/vault -n vault-system --create-namespace
---
# Example: Vault Policy for Veza
# Create this policy in Vault. It is deliberately read-only: the consumer that
# authenticates with it (the external-secrets role below) needs only read and list,
# never create, update or delete. Under KV v2, reads go through secret/data/... and
# directory listings through secret/metadata/..., which is why both paths are granted.
# Caveat: the trailing "/*" only matches paths below veza/production/. A secret written
# directly to secret/veza/production (the layout used in the secret-structure example
# below) does not appear to be covered by this glob; either grant that exact path as
# well or store secrets one level deeper, and verify with a test read before rollout.
# vault policy write veza-production - <<EOF
# path "secret/data/veza/production/*" {
# capabilities = ["read", "list"]
# }
# path "secret/metadata/veza/production/*" {
# capabilities = ["list", "read"]
# }
# EOF
---
# Example: Vault Kubernetes Auth Role
# The bound_service_account_* settings restrict this role to a single service account in a
# single namespace, so a token presented by any other pod is rejected. ttl=1h bounds how
# long a Vault token issued through this role remains usable if it is exposed.
# vault write auth/kubernetes/role/veza-external-secrets \
# bound_service_account_names=external-secrets \
# bound_service_account_namespaces=veza-production \
# policies=veza-production \
# ttl=1h
---
# Example: Vault Database Dynamic Secrets
# This enables automatic rotation of database credentials: each consumer receives its own
# short-lived PostgreSQL role (bounded by default_ttl/max_ttl below) instead of a shared,
# long-lived password.
# vault write database/config/veza \
# plugin_name=postgresql-database-plugin \
# allowed_roles="veza-role" \
# connection_url="postgresql://{{username}}:{{password}}@postgres:5432/veza" \
# username="vault" \
# password="vault-password"
#
# "vault-password" is a placeholder for the PostgreSQL account that Vault uses to create
# roles. Once the config is written, let Vault take sole ownership of that password with
# vault write -f database/rotate-root/veza so that it no longer exists anywhere outside Vault.
#
# vault write database/roles/veza-role \
# db_name=veza \
# creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
# GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
# default_ttl="1h" \
# max_ttl="24h"
---
# Example: Vault Secret Structure
# All values below are placeholders. Real values are entered only into Vault and must never
# be committed to this repository. The path must be one the policy above grants read on.
# Note that "kv put" writes a complete new version of the secret, so every key has to be
# supplied on each write.
# vault kv put secret/veza/production \
# database-url="postgresql://user:pass@host:5432/veza" \
# redis-url="redis://host:6379/0" \
# jwt-secret="your-jwt-secret-key-min-32-chars" \
# stripe-api-key="sk_live_..." \
# stripe-webhook-secret="whsec_..." \
# smtp-password="password" \
# s3-access-key="AKIA..." \
# s3-secret-key="..."