Compare commits
6 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| e90070b9a0 | |||
| 0c188118a5 | |||
| 8bb071ae46 | |||
| 0dba5e00a6 | |||
| a400e5dc7e | |||
| 95e7a81b2e |
@@ -0,0 +1,9 @@
|
||||
token_ttl: 120
|
||||
token_max_ttl: 120
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "10.10.12.200/32"
|
||||
- "198.18.25.102/32"
|
||||
- "198.18.26.91/32"
|
||||
- "198.18.27.40/32"
|
||||
use_deterministic_role_id: true
|
||||
@@ -0,0 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- terraform-rancher
|
||||
bound_service_account_namespaces:
|
||||
- woodpecker
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: https://kubernetes.default.svc.cluster.local
|
||||
@@ -198,5 +198,18 @@ locals {
|
||||
})
|
||||
if startswith(file_path, "litellm_secret_backend_role/")
|
||||
}
|
||||
gpg_secret_backend = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(basename(file_path), ".yaml") => content
|
||||
if startswith(file_path, "gpg_secret_backend/")
|
||||
}
|
||||
gpg_key = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(replace(file_path, "gpg_key/", ""), ".yaml") => merge(content, {
|
||||
name = trimsuffix(basename(file_path), ".yaml")
|
||||
backend = dirname(replace(file_path, "gpg_key/", ""))
|
||||
})
|
||||
if startswith(file_path, "gpg_key/")
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,5 @@
|
||||
consul_roles:
|
||||
- terraform-rancher
|
||||
ttl: 120
|
||||
max_ttl: 300
|
||||
datacenters: []
|
||||
@@ -0,0 +1,7 @@
|
||||
# config/gpg_key/gpg/pass.yaml
|
||||
# An OpenPGP key in the gpg engine for password-store (passv). The private key
|
||||
# stays in Vault; clients import the exported public key to encrypt and delegate
|
||||
# decryption to gpg/decrypt/pass. Key name = "pass", backend = "gpg".
|
||||
algorithm: rsa-4096
|
||||
identity: "pass <pass@unkin.net>"
|
||||
exportable: false
|
||||
@@ -0,0 +1,9 @@
|
||||
# config/gpg_secret_backend/gpg.yaml
|
||||
# Registers the vault-plugin-secrets-gpg plugin and mounts it at "gpg".
|
||||
# The binary is installed on the OpenBao nodes by Puppet
|
||||
# (openbao-plugin-secrets-gpg RPM -> /opt/openbao-plugins/vault-plugin-secrets-gpg).
|
||||
#
|
||||
# sha256 pins the released v0.1.0 binary; bump it in lockstep with any RPM
|
||||
# upgrade or OpenBao will refuse to launch the plugin.
|
||||
description: "GPG/OpenPGP secrets engine (sign/verify/encrypt/decrypt)"
|
||||
sha256: "0e92d7408795688badb55789bc1604e8f1dd4d71998656c7f831991fce9a7b20"
|
||||
@@ -2,5 +2,5 @@
|
||||
# The master key is sensitive and read from KV, not stored here:
|
||||
# kv/service/vault/au/syd1/secret_backend/litellm -> key "master_key"
|
||||
description: "LiteLLM dynamic virtual keys"
|
||||
base_url: "http://litellm.litellm.svc:4000"
|
||||
base_url: "https://litellm.k8s.syd1.au.unkin.net"
|
||||
request_timeout_seconds: 30
|
||||
|
||||
@@ -0,0 +1,9 @@
|
||||
---
|
||||
models:
|
||||
- claude-opus-4-7
|
||||
max_budget: 5
|
||||
ttl: 3600 # seconds (1h)
|
||||
max_ttl: 86400 # seconds (24h)
|
||||
metadata:
|
||||
team: testuser
|
||||
env: prod
|
||||
@@ -70,6 +70,8 @@ inputs = {
|
||||
pki_mount_only = local.config.pki_mount_only
|
||||
litellm_secret_backend = local.config.litellm_secret_backend
|
||||
litellm_secret_backend_role = local.config.litellm_secret_backend_role
|
||||
gpg_secret_backend = local.config.gpg_secret_backend
|
||||
gpg_key = local.config.gpg_key
|
||||
|
||||
# Pass policy maps to vault_cluster module
|
||||
policy_auth_map = local.policies.policy_auth_map
|
||||
|
||||
@@ -17,6 +17,12 @@ provider "litellm" {
|
||||
address = local.vault_addr
|
||||
}
|
||||
|
||||
# The gpg secrets engine's keys are managed through its own provider (same Vault
|
||||
# server; token falls back to VAULT_TOKEN).
|
||||
provider "gpg" {
|
||||
address = local.vault_addr
|
||||
}
|
||||
|
||||
terraform {
|
||||
backend "consul" {
|
||||
address = "https://consul.service.consul"
|
||||
@@ -39,6 +45,10 @@ terraform {
|
||||
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/litellmvaultsecret"
|
||||
version = "0.1.0"
|
||||
}
|
||||
gpg = {
|
||||
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/gpgvaultsecret"
|
||||
version = "0.1.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
EOF
|
||||
|
||||
@@ -334,6 +334,34 @@ module "litellm_secret_backend_role" {
|
||||
depends_on = [module.litellm_secret_backend]
|
||||
}
|
||||
|
||||
module "gpg_secret_backend" {
|
||||
source = "./modules/gpg_secret_backend"
|
||||
|
||||
for_each = var.gpg_secret_backend
|
||||
|
||||
path = each.key
|
||||
plugin = each.value.plugin
|
||||
command = each.value.command
|
||||
sha256 = each.value.sha256
|
||||
description = each.value.description
|
||||
}
|
||||
|
||||
module "gpg_key" {
|
||||
source = "./modules/gpg_key"
|
||||
|
||||
for_each = var.gpg_key
|
||||
|
||||
backend = each.value.backend
|
||||
name = each.value.name
|
||||
algorithm = each.value.algorithm
|
||||
identity = each.value.identity
|
||||
exportable = each.value.exportable
|
||||
deletion_allowed = each.value.deletion_allowed
|
||||
min_decryption_version = each.value.min_decryption_version
|
||||
|
||||
depends_on = [module.gpg_secret_backend]
|
||||
}
|
||||
|
||||
module "vault_policy" {
|
||||
source = "./modules/vault_policy"
|
||||
|
||||
|
||||
@@ -0,0 +1,12 @@
|
||||
# Manages an OpenPGP key inside a gpg secrets engine mount, via the
|
||||
# gpgvaultsecret provider. The private key never leaves Vault; consumers use the
|
||||
# exported public_key to encrypt and delegate decryption back to the engine.
|
||||
resource "gpg_key" "this" {
|
||||
backend = var.backend
|
||||
name = var.name
|
||||
algorithm = var.algorithm
|
||||
identity = var.identity
|
||||
exportable = var.exportable
|
||||
deletion_allowed = var.deletion_allowed
|
||||
min_decryption_version = var.min_decryption_version
|
||||
}
|
||||
@@ -0,0 +1,9 @@
|
||||
terraform {
|
||||
required_version = ">= 1.10"
|
||||
required_providers {
|
||||
gpg = {
|
||||
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/gpgvaultsecret"
|
||||
version = "0.1.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,39 @@
|
||||
variable "backend" {
|
||||
description = "Mount path of the gpg secrets engine (e.g. \"gpg\")"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "name" {
|
||||
description = "Name of the key"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "algorithm" {
|
||||
description = "Key algorithm: rsa-2048, rsa-3072, rsa-4096 or ed25519"
|
||||
type = string
|
||||
default = "rsa-3072"
|
||||
}
|
||||
|
||||
variable "identity" {
|
||||
description = "OpenPGP User ID (defaults to the key name)"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "exportable" {
|
||||
description = "Allow exporting the private key (enable-only)"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "deletion_allowed" {
|
||||
description = "Whether the key may be deleted"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "min_decryption_version" {
|
||||
description = "Minimum key version usable for decryption/verification"
|
||||
type = number
|
||||
default = null
|
||||
}
|
||||
@@ -0,0 +1,20 @@
|
||||
# Registers the GPG/OpenPGP secrets plugin in the catalog and mounts it. The
|
||||
# plugin binary is installed on the OpenBao nodes by Puppet
|
||||
# (openbao-plugin-secrets-gpg RPM -> /opt/openbao-plugins/vault-plugin-secrets-gpg);
|
||||
# `command` is that filename, resolved relative to the server's plugin_directory.
|
||||
#
|
||||
# The sha256 is pinned here to the released binary. Puppet installs the RPM
|
||||
# floating, so on a plugin upgrade this sha256 must be bumped in lockstep or
|
||||
# OpenBao will refuse to launch the plugin.
|
||||
resource "vault_plugin" "this" {
|
||||
type = "secret"
|
||||
name = var.plugin
|
||||
command = var.command
|
||||
sha256 = var.sha256
|
||||
}
|
||||
|
||||
resource "vault_mount" "this" {
|
||||
path = var.path
|
||||
type = vault_plugin.this.name
|
||||
description = var.description
|
||||
}
|
||||
@@ -0,0 +1,9 @@
|
||||
terraform {
|
||||
required_version = ">= 1.10"
|
||||
required_providers {
|
||||
vault = {
|
||||
source = "hashicorp/vault"
|
||||
version = "5.6.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,27 @@
|
||||
variable "path" {
|
||||
description = "Mount path of the GPG secrets engine (e.g. \"gpg\")"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "plugin" {
|
||||
description = "Name to register the plugin under in the catalog (also the mount type)"
|
||||
type = string
|
||||
default = "vault-plugin-secrets-gpg"
|
||||
}
|
||||
|
||||
variable "command" {
|
||||
description = "Plugin binary filename, relative to the server plugin_directory"
|
||||
type = string
|
||||
default = "vault-plugin-secrets-gpg"
|
||||
}
|
||||
|
||||
variable "sha256" {
|
||||
description = "SHA-256 of the installed plugin binary; must match the on-disk binary or OpenBao rejects it"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "description" {
|
||||
description = "Human-friendly description of the mount"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
@@ -315,6 +315,31 @@ variable "litellm_secret_backend_role" {
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "gpg_secret_backend" {
|
||||
description = "Map of GPG/OpenPGP secret engines to register + mount (path => plugin sha256 + config)"
|
||||
type = map(object({
|
||||
plugin = optional(string, "vault-plugin-secrets-gpg")
|
||||
command = optional(string, "vault-plugin-secrets-gpg")
|
||||
sha256 = string
|
||||
description = optional(string)
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "gpg_key" {
|
||||
description = "Map of OpenPGP keys to manage in a gpg engine mount"
|
||||
type = map(object({
|
||||
name = string
|
||||
backend = string
|
||||
algorithm = optional(string, "rsa-3072")
|
||||
identity = optional(string)
|
||||
exportable = optional(bool, false)
|
||||
deletion_allowed = optional(bool, false)
|
||||
min_decryption_version = optional(number)
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "policy_auth_map" {
|
||||
description = "Map of auth mounts -> auth roles -> policy names"
|
||||
type = map(map(list(string)))
|
||||
|
||||
@@ -0,0 +1,11 @@
|
||||
---
|
||||
rules:
|
||||
- path: "consul_root/au/syd1/creds/terraform-rancher"
|
||||
capabilities:
|
||||
- read
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- terraform_rancher
|
||||
k8s/au/syd1:
|
||||
- woodpecker_terraform_rancher
|
||||
@@ -0,0 +1,18 @@
|
||||
# Allow the Terraform Rancher runner to read:
|
||||
# - its own Rancher admin API token (rancher2 provider auth), and
|
||||
# - the OAuth2/OIDC client secret backing the Rancher keycloakoidc AuthConfig
|
||||
# (same secret Authentik sets on the provider).
|
||||
---
|
||||
rules:
|
||||
- path: "kv/data/service/terraform/rancher"
|
||||
capabilities:
|
||||
- read
|
||||
- path: "kv/data/kubernetes/namespace/cattle-system/default/oauth-credentials"
|
||||
capabilities:
|
||||
- read
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- terraform_rancher
|
||||
k8s/au/syd1:
|
||||
- woodpecker_terraform_rancher
|
||||
@@ -0,0 +1,7 @@
|
||||
key_prefix "infra/terraform/rancher/" {
|
||||
policy = "write"
|
||||
}
|
||||
|
||||
session_prefix "" {
|
||||
policy = "write"
|
||||
}
|
||||
Reference in New Issue
Block a user