Compare commits
2 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| f887489193 | |||
| 933de177fa |
@@ -205,5 +205,39 @@ locals {
|
||||
})
|
||||
if startswith(file_path, "plugins/")
|
||||
}
|
||||
gpg_secret_backend = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(basename(file_path), ".yaml") => content
|
||||
if startswith(file_path, "gpg_secret_backend/")
|
||||
}
|
||||
gpg_key = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(replace(file_path, "gpg_key/", ""), ".yaml") => merge(content, {
|
||||
name = trimsuffix(basename(file_path), ".yaml")
|
||||
backend = dirname(replace(file_path, "gpg_key/", ""))
|
||||
})
|
||||
if startswith(file_path, "gpg_key/")
|
||||
}
|
||||
rancher_secret_backend = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(basename(file_path), ".yaml") => content
|
||||
if startswith(file_path, "rancher_secret_backend/")
|
||||
}
|
||||
rancher_secret_backend_service_account = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(replace(file_path, "rancher_secret_backend_service_account/", ""), ".yaml") => merge(content, {
|
||||
name = trimsuffix(basename(file_path), ".yaml")
|
||||
backend = dirname(replace(file_path, "rancher_secret_backend_service_account/", ""))
|
||||
})
|
||||
if startswith(file_path, "rancher_secret_backend_service_account/")
|
||||
}
|
||||
rancher_secret_backend_role = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(replace(file_path, "rancher_secret_backend_role/", ""), ".yaml") => merge(content, {
|
||||
name = trimsuffix(basename(file_path), ".yaml")
|
||||
backend = dirname(replace(file_path, "rancher_secret_backend_role/", ""))
|
||||
})
|
||||
if startswith(file_path, "rancher_secret_backend_role/")
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,7 @@
|
||||
# config/gpg_key/gpg/pass.yaml
|
||||
# An OpenPGP key in the gpg engine for password-store (passv). The private key
|
||||
# stays in Vault; clients import the exported public key to encrypt and delegate
|
||||
# decryption to gpg/decrypt/pass. Key name = "pass", backend = "gpg".
|
||||
algorithm: rsa-4096
|
||||
identity: "pass <pass@unkin.net>"
|
||||
exportable: false
|
||||
@@ -0,0 +1,4 @@
|
||||
# config/gpg_secret_backend/gpg.yaml
|
||||
# Mounts the gpg secrets engine at "gpg". The plugin itself is registered in the
|
||||
# catalog separately (see config/plugins/vault-plugin-secrets-gpg.yaml).
|
||||
description: "GPG/OpenPGP secrets engine (sign/verify/encrypt/decrypt)"
|
||||
@@ -1,13 +0,0 @@
|
||||
# config/plugins/vault-plugin-secrets-litellm.yaml
|
||||
# Imports (registers) the litellm secrets plugin in the catalog. This plugin was
|
||||
# registered manually before terraform managed the catalog, so its state must be
|
||||
# imported before the first apply (see the PR description) — otherwise apply
|
||||
# tries to create an entry that already exists.
|
||||
#
|
||||
# sha256 is the released v0.1.1 openbao binary
|
||||
# (openbao-plugin-secrets-litellm RPM -> /opt/openbao-plugins/vault-plugin-secrets-litellm),
|
||||
# which Puppet installs floating. Verify against the live catalog during import
|
||||
# (`bao read sys/plugins/catalog/secret/vault-plugin-secrets-litellm`).
|
||||
type: secret
|
||||
command: vault-plugin-secrets-litellm
|
||||
sha256: "2263ebcb3498877a87ddcf31a9cbc6efca6b81702a5faecf7fe7e40200ca7a1f"
|
||||
@@ -0,0 +1,8 @@
|
||||
# Mounts the rancher token secrets engine at "rancher" and writes its config.
|
||||
# The plugin is registered in the catalog separately (see
|
||||
# config/plugins/vault-plugin-secrets-rancher.yaml). Seeded service-account
|
||||
# tokens live under config/rancher_secret_backend_service_account/rancher/ and
|
||||
# roles under config/rancher_secret_backend_role/rancher/.
|
||||
description: "Rancher API token engine (seeded root rotation + dynamic scoped creds)"
|
||||
rancher_url: "https://rancher.k8s.syd1.au.unkin.net"
|
||||
request_timeout_seconds: 30
|
||||
@@ -0,0 +1,9 @@
|
||||
# A role that mints short-lived Rancher tokens from the "admin" service account.
|
||||
# Reading rancher/creds/ci returns a lease-bound token deleted from Rancher on
|
||||
# revoke. Minted tokens inherit the admin service account's RBAC; only cluster
|
||||
# and TTL are scoped per-token.
|
||||
---
|
||||
service_account: admin
|
||||
description: "CI/CD ephemeral Rancher token"
|
||||
ttl: 3600 # seconds (1h)
|
||||
max_ttl: 28800 # seconds (8h)
|
||||
@@ -0,0 +1,8 @@
|
||||
# A seeded, auto-rotated Rancher service-account token on the "rancher" engine.
|
||||
# The seed token itself is sensitive and read from KV (not stored here):
|
||||
# kv/service/vault/au/syd1/secret_backend/rancher/service_account/admin
|
||||
# -> keys: token (required), token_name (optional)
|
||||
# Populate that KV path with a live Rancher admin token BEFORE applying; the
|
||||
# engine then rotates it (mints a fresh 90d token every 45d) so it never lapses.
|
||||
token_ttl: 7776000 # 90d in seconds
|
||||
rotation_period: 3888000 # 45d in seconds
|
||||
@@ -71,6 +71,12 @@ inputs = {
|
||||
litellm_secret_backend = local.config.litellm_secret_backend
|
||||
litellm_secret_backend_role = local.config.litellm_secret_backend_role
|
||||
plugins = local.config.plugins
|
||||
gpg_secret_backend = local.config.gpg_secret_backend
|
||||
gpg_key = local.config.gpg_key
|
||||
|
||||
rancher_secret_backend = local.config.rancher_secret_backend
|
||||
rancher_secret_backend_service_account = local.config.rancher_secret_backend_service_account
|
||||
rancher_secret_backend_role = local.config.rancher_secret_backend_role
|
||||
|
||||
# Pass policy maps to vault_cluster module
|
||||
policy_auth_map = local.policies.policy_auth_map
|
||||
|
||||
@@ -17,6 +17,18 @@ provider "litellm" {
|
||||
address = local.vault_addr
|
||||
}
|
||||
|
||||
# The gpg secrets engine's keys are managed through its own provider (same Vault
|
||||
# server; token falls back to VAULT_TOKEN).
|
||||
provider "gpg" {
|
||||
address = local.vault_addr
|
||||
}
|
||||
|
||||
# The rancher token secrets engine is managed through its own provider (same
|
||||
# Vault server; token falls back to VAULT_TOKEN).
|
||||
provider "rancher" {
|
||||
address = local.vault_addr
|
||||
}
|
||||
|
||||
terraform {
|
||||
backend "consul" {
|
||||
address = "https://consul.service.consul"
|
||||
@@ -39,6 +51,14 @@ terraform {
|
||||
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/litellmvaultsecret"
|
||||
version = "0.1.0"
|
||||
}
|
||||
gpg = {
|
||||
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/gpgvaultsecret"
|
||||
version = "0.1.0"
|
||||
}
|
||||
rancher = {
|
||||
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/ranchervaultsecret"
|
||||
version = "0.1.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
EOF
|
||||
|
||||
@@ -346,6 +346,81 @@ module "plugin" {
|
||||
plugin_version = each.value.version
|
||||
}
|
||||
|
||||
module "gpg_secret_backend" {
|
||||
source = "./modules/gpg_secret_backend"
|
||||
|
||||
for_each = var.gpg_secret_backend
|
||||
|
||||
path = each.key
|
||||
plugin = each.value.plugin
|
||||
description = each.value.description
|
||||
|
||||
depends_on = [module.plugin]
|
||||
}
|
||||
|
||||
module "gpg_key" {
|
||||
source = "./modules/gpg_key"
|
||||
|
||||
for_each = var.gpg_key
|
||||
|
||||
backend = each.value.backend
|
||||
name = each.value.name
|
||||
algorithm = each.value.algorithm
|
||||
identity = each.value.identity
|
||||
exportable = each.value.exportable
|
||||
deletion_allowed = each.value.deletion_allowed
|
||||
min_decryption_version = each.value.min_decryption_version
|
||||
|
||||
depends_on = [module.gpg_secret_backend]
|
||||
}
|
||||
|
||||
module "rancher_secret_backend" {
|
||||
source = "./modules/rancher_secret_backend"
|
||||
|
||||
for_each = var.rancher_secret_backend
|
||||
|
||||
path = each.key
|
||||
plugin = each.value.plugin
|
||||
description = each.value.description
|
||||
rancher_url = each.value.rancher_url
|
||||
ca_cert = each.value.ca_cert
|
||||
tls_skip_verify = each.value.tls_skip_verify
|
||||
request_timeout_seconds = each.value.request_timeout_seconds
|
||||
|
||||
depends_on = [module.plugin]
|
||||
}
|
||||
|
||||
module "rancher_secret_backend_service_account" {
|
||||
source = "./modules/rancher_secret_backend_service_account"
|
||||
|
||||
for_each = var.rancher_secret_backend_service_account
|
||||
|
||||
backend = each.value.backend
|
||||
name = each.value.name
|
||||
country = var.country
|
||||
region = var.region
|
||||
token_ttl = each.value.token_ttl
|
||||
rotation_period = each.value.rotation_period
|
||||
|
||||
depends_on = [module.rancher_secret_backend]
|
||||
}
|
||||
|
||||
module "rancher_secret_backend_role" {
|
||||
source = "./modules/rancher_secret_backend_role"
|
||||
|
||||
for_each = var.rancher_secret_backend_role
|
||||
|
||||
backend = each.value.backend
|
||||
name = each.value.name
|
||||
service_account = each.value.service_account
|
||||
cluster_name = each.value.cluster_name
|
||||
description = each.value.description
|
||||
ttl = each.value.ttl
|
||||
max_ttl = each.value.max_ttl
|
||||
|
||||
depends_on = [module.rancher_secret_backend_service_account]
|
||||
}
|
||||
|
||||
module "vault_policy" {
|
||||
source = "./modules/vault_policy"
|
||||
|
||||
|
||||
@@ -0,0 +1,12 @@
|
||||
# Manages an OpenPGP key inside a gpg secrets engine mount, via the
|
||||
# gpgvaultsecret provider. The private key never leaves Vault; consumers use the
|
||||
# exported public_key to encrypt and delegate decryption back to the engine.
|
||||
resource "gpg_key" "this" {
|
||||
backend = var.backend
|
||||
name = var.name
|
||||
algorithm = var.algorithm
|
||||
identity = var.identity
|
||||
exportable = var.exportable
|
||||
deletion_allowed = var.deletion_allowed
|
||||
min_decryption_version = var.min_decryption_version
|
||||
}
|
||||
@@ -0,0 +1,9 @@
|
||||
terraform {
|
||||
required_version = ">= 1.10"
|
||||
required_providers {
|
||||
gpg = {
|
||||
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/gpgvaultsecret"
|
||||
version = "0.1.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,39 @@
|
||||
variable "backend" {
|
||||
description = "Mount path of the gpg secrets engine (e.g. \"gpg\")"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "name" {
|
||||
description = "Name of the key"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "algorithm" {
|
||||
description = "Key algorithm: rsa-2048, rsa-3072, rsa-4096 or ed25519"
|
||||
type = string
|
||||
default = "rsa-3072"
|
||||
}
|
||||
|
||||
variable "identity" {
|
||||
description = "OpenPGP User ID (defaults to the key name)"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "exportable" {
|
||||
description = "Allow exporting the private key (enable-only)"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "deletion_allowed" {
|
||||
description = "Whether the key may be deleted"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "min_decryption_version" {
|
||||
description = "Minimum key version usable for decryption/verification"
|
||||
type = number
|
||||
default = null
|
||||
}
|
||||
@@ -0,0 +1,8 @@
|
||||
# Mounts the gpg secrets engine. The plugin is registered ("imported") in the
|
||||
# catalog separately via the config/plugins/ discovery and the plugin module;
|
||||
# this module just enables a mount of the already-registered plugin type.
|
||||
resource "vault_mount" "this" {
|
||||
path = var.path
|
||||
type = var.plugin
|
||||
description = var.description
|
||||
}
|
||||
@@ -0,0 +1,9 @@
|
||||
terraform {
|
||||
required_version = ">= 1.10"
|
||||
required_providers {
|
||||
vault = {
|
||||
source = "hashicorp/vault"
|
||||
version = "5.6.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,16 @@
|
||||
variable "path" {
|
||||
description = "Mount path of the GPG secrets engine (e.g. \"gpg\")"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "plugin" {
|
||||
description = "Registered plugin name to mount (the catalog name = mount type)"
|
||||
type = string
|
||||
default = "vault-plugin-secrets-gpg"
|
||||
}
|
||||
|
||||
variable "description" {
|
||||
description = "Human-friendly description of the mount"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
@@ -0,0 +1,13 @@
|
||||
# Mounts the rancher secrets engine and writes its connection config via the
|
||||
# ranchervaultsecret provider. The plugin is registered ("imported") in the
|
||||
# catalog separately (config/plugins/vault-plugin-secrets-rancher.yaml). Seeded
|
||||
# service-account tokens and roles are managed by the sibling modules.
|
||||
resource "rancher_secret_backend" "this" {
|
||||
path = var.path
|
||||
plugin = var.plugin
|
||||
description = var.description
|
||||
rancher_url = var.rancher_url
|
||||
ca_cert = var.ca_cert
|
||||
tls_skip_verify = var.tls_skip_verify
|
||||
request_timeout_seconds = var.request_timeout_seconds
|
||||
}
|
||||
@@ -0,0 +1,9 @@
|
||||
terraform {
|
||||
required_version = ">= 1.10"
|
||||
required_providers {
|
||||
rancher = {
|
||||
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/ranchervaultsecret"
|
||||
version = "0.1.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,39 @@
|
||||
variable "path" {
|
||||
description = "Mount path of the rancher secrets engine (e.g. \"rancher\")"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "plugin" {
|
||||
description = "Registered plugin name to mount (the catalog name = mount type)"
|
||||
type = string
|
||||
default = "vault-plugin-secrets-rancher"
|
||||
}
|
||||
|
||||
variable "description" {
|
||||
description = "Human-friendly description of the mount"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "rancher_url" {
|
||||
description = "Base URL of the Rancher server (e.g. https://rancher.k8s.syd1.au.unkin.net)"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "ca_cert" {
|
||||
description = "PEM CA certificate that signed the Rancher server's TLS cert (optional; omit to use the system trust store)"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "tls_skip_verify" {
|
||||
description = "Skip TLS verification of the Rancher server (not recommended)"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "request_timeout_seconds" {
|
||||
description = "HTTP timeout in seconds for calls from the plugin to Rancher"
|
||||
type = number
|
||||
default = 30
|
||||
}
|
||||
@@ -0,0 +1,11 @@
|
||||
# A role that mints short-lived, optionally cluster-scoped rancher tokens from a
|
||||
# service account. Reading rancher/creds/<name> produces a lease-bound token.
|
||||
resource "rancher_secret_backend_role" "this" {
|
||||
backend = var.backend
|
||||
name = var.name
|
||||
service_account = var.service_account
|
||||
cluster_name = var.cluster_name
|
||||
description = var.description
|
||||
ttl = var.ttl
|
||||
max_ttl = var.max_ttl
|
||||
}
|
||||
@@ -0,0 +1,9 @@
|
||||
terraform {
|
||||
required_version = ">= 1.10"
|
||||
required_providers {
|
||||
rancher = {
|
||||
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/ranchervaultsecret"
|
||||
version = "0.1.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,38 @@
|
||||
variable "backend" {
|
||||
description = "Mount path of the rancher secrets engine this role lives on"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "name" {
|
||||
description = "Role name"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "service_account" {
|
||||
description = "Service account (seeded token) used to mint credentials; its user's RBAC is inherited by minted tokens"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "cluster_name" {
|
||||
description = "Downstream cluster to scope minted tokens to (empty = full Rancher-server scope)"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "description" {
|
||||
description = "Description applied to each minted Rancher token"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "ttl" {
|
||||
description = "Default lease TTL in seconds for tokens minted from this role"
|
||||
type = number
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "max_ttl" {
|
||||
description = "Maximum lease TTL in seconds for tokens minted from this role"
|
||||
type = number
|
||||
default = null
|
||||
}
|
||||
@@ -0,0 +1,18 @@
|
||||
# Seeds an auto-rotated rancher service-account token. The seed token is
|
||||
# sensitive and read from KV, not stored in git:
|
||||
# kv/service/vault/<country>/<region>/secret_backend/<backend>/service_account/<name>
|
||||
# Expected keys: token (required), token_name (optional, the ext.cattle.io Token
|
||||
# metadata.name so the engine can delete the seed after the first rotation).
|
||||
data "vault_kv_secret_v2" "seed" {
|
||||
mount = "kv"
|
||||
name = "service/vault/${var.country}/${var.region}/secret_backend/${var.backend}/service_account/${var.name}"
|
||||
}
|
||||
|
||||
resource "rancher_secret_backend_service_account" "this" {
|
||||
backend = var.backend
|
||||
name = var.name
|
||||
token = data.vault_kv_secret_v2.seed.data["token"]
|
||||
token_name = lookup(data.vault_kv_secret_v2.seed.data, "token_name", null)
|
||||
token_ttl = var.token_ttl
|
||||
rotation_period = var.rotation_period
|
||||
}
|
||||
@@ -0,0 +1,13 @@
|
||||
terraform {
|
||||
required_version = ">= 1.10"
|
||||
required_providers {
|
||||
vault = {
|
||||
source = "hashicorp/vault"
|
||||
version = "5.6.0"
|
||||
}
|
||||
rancher = {
|
||||
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/ranchervaultsecret"
|
||||
version = "0.1.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,31 @@
|
||||
variable "backend" {
|
||||
description = "Mount path of the rancher secrets engine this service account lives on"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "name" {
|
||||
description = "Service-account name"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "country" {
|
||||
description = "Country code, used to locate the seed token in KV"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "region" {
|
||||
description = "Region code, used to locate the seed token in KV"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "token_ttl" {
|
||||
description = "Lifetime in seconds requested for each rotated replacement token (default: engine default, 90d)"
|
||||
type = number
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "rotation_period" {
|
||||
description = "Seconds a token is used before rotation (default: engine default, 45d). Must be < token_ttl"
|
||||
type = number
|
||||
default = null
|
||||
}
|
||||
@@ -327,6 +327,67 @@ variable "plugins" {
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "gpg_secret_backend" {
|
||||
description = "Map of GPG/OpenPGP secret engines to mount (path => registered plugin + description). The plugin is registered separately via config/plugins."
|
||||
type = map(object({
|
||||
plugin = optional(string, "vault-plugin-secrets-gpg")
|
||||
description = optional(string)
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "gpg_key" {
|
||||
description = "Map of OpenPGP keys to manage in a gpg engine mount"
|
||||
type = map(object({
|
||||
name = string
|
||||
backend = string
|
||||
algorithm = optional(string, "rsa-3072")
|
||||
identity = optional(string)
|
||||
exportable = optional(bool, false)
|
||||
deletion_allowed = optional(bool, false)
|
||||
min_decryption_version = optional(number)
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "rancher_secret_backend" {
|
||||
description = "Map of rancher token secret engines to create (mount + config)"
|
||||
type = map(object({
|
||||
plugin = optional(string, "vault-plugin-secrets-rancher")
|
||||
description = optional(string)
|
||||
rancher_url = string
|
||||
ca_cert = optional(string)
|
||||
tls_skip_verify = optional(bool, false)
|
||||
request_timeout_seconds = optional(number, 30)
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "rancher_secret_backend_service_account" {
|
||||
description = "Map of seeded, auto-rotated rancher service-account tokens (seed token read from KV)"
|
||||
type = map(object({
|
||||
name = string
|
||||
backend = string
|
||||
token_ttl = optional(number)
|
||||
rotation_period = optional(number)
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "rancher_secret_backend_role" {
|
||||
description = "Map of rancher token-minting roles to create"
|
||||
type = map(object({
|
||||
name = string
|
||||
backend = string
|
||||
service_account = string
|
||||
cluster_name = optional(string)
|
||||
description = optional(string)
|
||||
ttl = optional(number)
|
||||
max_ttl = optional(number)
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "policy_auth_map" {
|
||||
description = "Map of auth mounts -> auth roles -> policy names"
|
||||
type = map(map(list(string)))
|
||||
|
||||
Reference in New Issue
Block a user