Vault & VSO Secret Management

Setting	Value
Helm Chart	`hashicorp/vault` v0.31.0
Namespace	`vault`
Sync Wave	4
URL	`https://vault.homelab.vyanh.uk`
Access	LAN-only (`local-only` ipAllowList middleware)
HA Mode	3-pod Raft cluster
Unseal	Transit auto-unseal via vault-transit on NAS
KV Engine	v2, mounted at `kv/`, max 10 versions per secret
Audit Log	File at `/vault/audit/vault-audit.log` (auditStorage PVC)
Metrics	Prometheus via `/v1/sys/metrics` (unauthenticated, pod annotations)

Setting	Value
Helm Chart	`hashicorp/vault-secrets-operator` v1.0.1
Namespace	`vso-system`
Sync Wave	5 (after Vault)

Setting	Value
Image	`hashicorp/vault:1.18`
Port	`192.168.88.19:8201` (LAN-only)
TLS	Self-signed cert with IP SAN 192.168.88.19
Storage	File at `/volume1/docker/vault-transit/data/`
Token	Periodic 720h token stored in `/vault/data/transit-token`
Transit key	`vault-unseal` on `transit/` mount

Application	Authentik Path	App Path	Purpose
ArgoCD	`kv/authentik/argocd-oidc`	`kv/argocd/oidc`	OIDC client secret
Grafana	`kv/authentik/grafana-oidc`	`kv/monitoring/grafana-oidc`	OIDC client secret
Harbor	`kv/authentik/harbor-oidc`	`kv/harbor/oidc`	OIDC client secret

Vault Path	K8s Namespace	K8s Secret Name	Refresh
`kv/monitoring/grafana/admin`	monitoring	grafana-admin	1h
`kv/monitoring/grafana-oidc`	monitoring	grafana-oidc-secret	1h
`kv/monitoring/alertmanager/telegram`	monitoring	alertmanager-telegram	60s
`kv/monitoring/alertmanager/ntfy`	monitoring	alertmanager-ntfy	60s
`kv/monitoring/tempo-minio`	monitoring	tempo-minio	1h
`kv/cloudflared-connector/tunnel`	cloudflared-connector	cloudflared-connector-secrets	60s
`kv/authentik/secrets`	authentik	authentik-secrets	60s
`kv/authentik/postgresql`	authentik	authentik-postgresql	60s
`kv/authentik/argocd-oidc`	authentik	argocd-oidc-client-secret	1h
`kv/authentik/grafana-oidc`	authentik	grafana-oidc-client-secret	1h
`kv/authentik/harbor-oidc`	authentik	harbor-oidc-client-secret	1h
`kv/authentik/db-backup-minio`	authentik	db-backup-minio	1h
`kv/argocd/oidc`	argocd	argocd-oidc-secret	1h
`kv/argocd/repos/lifeops`	argocd	lifeops-repo	1h
`kv/harbor/oidc`	harbor	harbor-oidc-secret	1h
`kv/harbor/registry-s3`	harbor	harbor-registry-s3	1h
`kv/harbor/db-backup-minio`	harbor	db-backup-minio	1h
`kv/nextcloud/admin`	nextcloud	nextcloud-admin	60s
`kv/nextcloud/db-backup-minio`	nextcloud	db-backup-minio	1h
`kv/technitium/admin`	technitium	technitium-admin	60s
`kv/technitium/tsig`	technitium	technitium-tsig	1h
`kv/external-dns/tsig`	external-dns	technitium-tsig	1h
`kv/life-ops/secrets`	life-ops	lifeops-secrets	1h
`kv/life-ops/db-backup-minio`	life-ops	db-backup-minio	1h
`kv/crowdsec/bouncer`	crowdsec	crowdsec-bouncer-key	1h
`kv/crowdsec/ntfy`	crowdsec	crowdsec-ntfy	60s
`kv/traefik/crowdsec-bouncer`	traefik	crowdsec-bouncer-key	1h
`kv/velero/minio`	velero	velero-minio	1h
`kv/nas-ingress/vaultwarden-minio`	nas-ingress	vaultwarden-minio	1h
`kv/nas-ingress/vaultwarden-smtp`	nas-ingress	vaultwarden-smtp	1h
`kv/ops/terraform-cloud`	—	(reference only, not VSO)	—

¶ Vault & VSO Secret Management

¶ Overview

¶ Vault Deployment

¶ VSO Deployment

¶ Security Hardening (2026-03-18)

¶ Audit Logging

¶ Transit Unseal TLS

¶ Scoped Terraform Token

¶ LAN-Only Ingress

¶ Raft DB Permissions

¶ Metrics Access

¶ vault-transit (NAS Docker)

¶ Generate Root Token (Emergency Procedure)

¶ Per-Namespace Pattern

¶ 1. ServiceAccount (`sa.yaml`)

¶ 2. VaultAuth (`vault-auth.yaml`)

¶ 3. VaultStaticSecret (`<name>-vaultstaticsecret.yaml`)

¶ Secret Sync Flow

¶ OIDC Dual-Path Pattern

¶ Template Transformations

¶ All Secret Paths

¶ Adding a New Secret

¶ Vault & VSO Secret Management

¶ Overview

¶ Vault Deployment

¶ VSO Deployment

¶ Security Hardening (2026-03-18)

¶ Audit Logging

¶ Transit Unseal TLS

¶ Scoped Terraform Token

¶ LAN-Only Ingress

¶ Raft DB Permissions

¶ Metrics Access

¶ vault-transit (NAS Docker)

¶ Generate Root Token (Emergency Procedure)

¶ Per-Namespace Pattern

¶ 1. ServiceAccount (sa.yaml)

¶ 2. VaultAuth (vault-auth.yaml)

¶ 3. VaultStaticSecret (<name>-vaultstaticsecret.yaml)

¶ Secret Sync Flow

¶ OIDC Dual-Path Pattern

¶ Template Transformations

¶ All Secret Paths

¶ Adding a New Secret

¶ 1. ServiceAccount (`sa.yaml`)

¶ 2. VaultAuth (`vault-auth.yaml`)

¶ 3. VaultStaticSecret (`<name>-vaultstaticsecret.yaml`)