Register + mount the GPG secrets engine at gpg/ (#87)
ci/woodpecker/push/apply Pipeline was successful
ci/woodpecker/push/apply Pipeline was successful
Complete the deploy of the [vault-plugin-secrets-gpg](https://git.unkin.net/unkin/vault-plugin-secrets-gpg) engine. Puppet ([puppet-prod #480](unkin/puppet-prod#480)) installs the `openbao-plugin-secrets-gpg` RPM onto the OpenBao nodes; this registers that binary in the plugin catalog and enables the secrets engine so `gpg/` is actually usable. - Add a `gpg_secret_backend` module using the standard `hashicorp/vault` provider (already required at 5.6.0): `vault_plugin` (catalog register with a pinned sha256) + `vault_mount` (enable at the mount path). - Wire it through `vault_cluster` (new `gpg_secret_backend` variable + module block) and the config discovery (`config.hcl` group + syd1 terragrunt input), mirroring `litellm_secret_backend`. - Add `config/gpg_secret_backend/gpg.yaml` mounting at `gpg/` and pinning the released v0.1.0 binary sha256 (`0e92d740…a7b20`, extracted from the published RPM). Puppet installs the RPM floating, so this sha must be bumped in lockstep on any plugin upgrade or OpenBao rejects the binary. Validated locally with `tofu validate` + `tofu fmt`. Granting non-root access to `gpg/*` (auth roles + policies) is a follow-up scoped to whoever consumes the engine (e.g. passv from CI). Reviewed-on: #87 Co-authored-by: Ben Vincent <ben@unkin.net> Co-committed-by: Ben Vincent <ben@unkin.net>
This commit was merged in pull request #87.
This commit is contained in:
@@ -346,6 +346,34 @@ module "plugin" {
|
||||
plugin_version = each.value.version
|
||||
}
|
||||
|
||||
module "gpg_secret_backend" {
|
||||
source = "./modules/gpg_secret_backend"
|
||||
|
||||
for_each = var.gpg_secret_backend
|
||||
|
||||
path = each.key
|
||||
plugin = each.value.plugin
|
||||
description = each.value.description
|
||||
|
||||
depends_on = [module.plugin]
|
||||
}
|
||||
|
||||
module "gpg_key" {
|
||||
source = "./modules/gpg_key"
|
||||
|
||||
for_each = var.gpg_key
|
||||
|
||||
backend = each.value.backend
|
||||
name = each.value.name
|
||||
algorithm = each.value.algorithm
|
||||
identity = each.value.identity
|
||||
exportable = each.value.exportable
|
||||
deletion_allowed = each.value.deletion_allowed
|
||||
min_decryption_version = each.value.min_decryption_version
|
||||
|
||||
depends_on = [module.gpg_secret_backend]
|
||||
}
|
||||
|
||||
module "vault_policy" {
|
||||
source = "./modules/vault_policy"
|
||||
|
||||
|
||||
@@ -0,0 +1,12 @@
|
||||
# Manages an OpenPGP key inside a gpg secrets engine mount, via the
|
||||
# gpgvaultsecret provider. The private key never leaves Vault; consumers use the
|
||||
# exported public_key to encrypt and delegate decryption back to the engine.
|
||||
resource "gpg_key" "this" {
|
||||
backend = var.backend
|
||||
name = var.name
|
||||
algorithm = var.algorithm
|
||||
identity = var.identity
|
||||
exportable = var.exportable
|
||||
deletion_allowed = var.deletion_allowed
|
||||
min_decryption_version = var.min_decryption_version
|
||||
}
|
||||
@@ -0,0 +1,9 @@
|
||||
terraform {
|
||||
required_version = ">= 1.10"
|
||||
required_providers {
|
||||
gpg = {
|
||||
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/gpgvaultsecret"
|
||||
version = "0.1.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,39 @@
|
||||
variable "backend" {
|
||||
description = "Mount path of the gpg secrets engine (e.g. \"gpg\")"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "name" {
|
||||
description = "Name of the key"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "algorithm" {
|
||||
description = "Key algorithm: rsa-2048, rsa-3072, rsa-4096 or ed25519"
|
||||
type = string
|
||||
default = "rsa-3072"
|
||||
}
|
||||
|
||||
variable "identity" {
|
||||
description = "OpenPGP User ID (defaults to the key name)"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "exportable" {
|
||||
description = "Allow exporting the private key (enable-only)"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "deletion_allowed" {
|
||||
description = "Whether the key may be deleted"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "min_decryption_version" {
|
||||
description = "Minimum key version usable for decryption/verification"
|
||||
type = number
|
||||
default = null
|
||||
}
|
||||
@@ -0,0 +1,8 @@
|
||||
# Mounts the gpg secrets engine. The plugin is registered ("imported") in the
|
||||
# catalog separately via the config/plugins/ discovery and the plugin module;
|
||||
# this module just enables a mount of the already-registered plugin type.
|
||||
resource "vault_mount" "this" {
|
||||
path = var.path
|
||||
type = var.plugin
|
||||
description = var.description
|
||||
}
|
||||
@@ -0,0 +1,9 @@
|
||||
terraform {
|
||||
required_version = ">= 1.10"
|
||||
required_providers {
|
||||
vault = {
|
||||
source = "hashicorp/vault"
|
||||
version = "5.6.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,16 @@
|
||||
variable "path" {
|
||||
description = "Mount path of the GPG secrets engine (e.g. \"gpg\")"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "plugin" {
|
||||
description = "Registered plugin name to mount (the catalog name = mount type)"
|
||||
type = string
|
||||
default = "vault-plugin-secrets-gpg"
|
||||
}
|
||||
|
||||
variable "description" {
|
||||
description = "Human-friendly description of the mount"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
@@ -327,6 +327,29 @@ variable "plugins" {
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "gpg_secret_backend" {
|
||||
description = "Map of GPG/OpenPGP secret engines to mount (path => registered plugin + description). The plugin is registered separately via config/plugins."
|
||||
type = map(object({
|
||||
plugin = optional(string, "vault-plugin-secrets-gpg")
|
||||
description = optional(string)
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "gpg_key" {
|
||||
description = "Map of OpenPGP keys to manage in a gpg engine mount"
|
||||
type = map(object({
|
||||
name = string
|
||||
backend = string
|
||||
algorithm = optional(string, "rsa-3072")
|
||||
identity = optional(string)
|
||||
exportable = optional(bool, false)
|
||||
deletion_allowed = optional(bool, false)
|
||||
min_decryption_version = optional(number)
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "policy_auth_map" {
|
||||
description = "Map of auth mounts -> auth roles -> policy names"
|
||||
type = map(map(list(string)))
|
||||
|
||||
Reference in New Issue
Block a user