3 Commits

Author SHA1 Message Date
unkinben ea8daea587 Make gpg_secret_backend mount-only; plugin import split out
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
Plugin catalog registration now lives in its own module + config/plugins (see
the split-out PR), so this module no longer registers the plugin.

- Drop the vault_plugin resource and the sha256/command inputs; the mount now
  references the already-registered plugin type directly.
- Simplify config/gpg_secret_backend/gpg.yaml to just the mount description.
2026-07-17 23:00:21 +10:00
unkinben e90070b9a0 Add a gpg_key module and a 'pass' key for password-store
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
Manage OpenPGP keys in the gpg engine from Terraform using the new
gpgvaultsecret provider, and create the first key ('pass') for passv.

- Add a gpg_key module wrapping the gpg_key resource; wire it through
  vault_cluster (variable + module, depends_on the mount) and config discovery
  (config.hcl group keyed <backend>/<name>, syd1 terragrunt input), mirroring
  the *_secret_backend_role modules.
- Register the gpg provider in root.hcl (provider block + required_providers,
  v0.1.0 from the terraform-unkin registry), alongside litellm.
- Add config/gpg_key/gpg/pass.yaml: an rsa-4096 key 'pass' in the gpg mount for
  password-store. Private key stays in Vault; clients import the public key and
  delegate decryption to gpg/decrypt/pass.
2026-07-16 23:45:01 +10:00
unkinben 0c188118a5 Register and mount the GPG secrets engine at gpg/
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
Puppet installs the openbao-plugin-secrets-gpg RPM onto the OpenBao nodes; this
registers that binary in the plugin catalog and enables the secrets engine so
gpg/ is actually usable (encrypt/decrypt/sign/verify).

- Add a gpg_secret_backend module using the standard vault provider:
  vault_plugin (catalog register with a pinned sha256) + vault_mount.
- Wire it through vault_cluster (variable + module) and the config discovery
  (config.hcl + syd1 terragrunt input), mirroring litellm_secret_backend.
- Add config/gpg_secret_backend/gpg.yaml pinning the released v0.1.0 binary
  sha256 (0e92d740...a7b20). Puppet installs the RPM floating, so this sha
  must be bumped in lockstep on any plugin upgrade.

Granting non-root access to gpg/* (auth roles + policies) is a follow-up,
scoped to whoever consumes the engine.
2026-07-16 22:54:27 +10:00
10 changed files with 0 additions and 182 deletions
-7
View File
@@ -198,13 +198,6 @@ locals {
}) })
if startswith(file_path, "litellm_secret_backend_role/") if startswith(file_path, "litellm_secret_backend_role/")
} }
plugins = {
for file_path, content in local.all_configs :
trimsuffix(basename(file_path), ".yaml") => merge(content, {
name = trimsuffix(basename(file_path), ".yaml")
})
if startswith(file_path, "plugins/")
}
gpg_secret_backend = { gpg_secret_backend = {
for file_path, content in local.all_configs : for file_path, content in local.all_configs :
trimsuffix(basename(file_path), ".yaml") => content trimsuffix(basename(file_path), ".yaml") => content
@@ -1,10 +0,0 @@
# config/plugins/vault-plugin-secrets-gpg.yaml
# Imports (registers) the gpg secrets plugin in the catalog. Filename = catalog
# name = mount type. The binary is installed on the OpenBao nodes by Puppet
# (openbao-plugin-secrets-gpg RPM -> /opt/openbao-plugins/vault-plugin-secrets-gpg).
#
# sha256 pins the released v0.1.0 binary; bump it in lockstep with any RPM
# upgrade or OpenBao will refuse to launch the plugin.
type: secret
command: vault-plugin-secrets-gpg
sha256: "0e92d7408795688badb55789bc1604e8f1dd4d71998656c7f831991fce9a7b20"
-1
View File
@@ -70,7 +70,6 @@ inputs = {
pki_mount_only = local.config.pki_mount_only pki_mount_only = local.config.pki_mount_only
litellm_secret_backend = local.config.litellm_secret_backend litellm_secret_backend = local.config.litellm_secret_backend
litellm_secret_backend_role = local.config.litellm_secret_backend_role litellm_secret_backend_role = local.config.litellm_secret_backend_role
plugins = local.config.plugins
gpg_secret_backend = local.config.gpg_secret_backend gpg_secret_backend = local.config.gpg_secret_backend
gpg_key = local.config.gpg_key gpg_key = local.config.gpg_key
-14
View File
@@ -334,18 +334,6 @@ module "litellm_secret_backend_role" {
depends_on = [module.litellm_secret_backend] depends_on = [module.litellm_secret_backend]
} }
module "plugin" {
source = "./modules/plugin"
for_each = var.plugins
name = each.value.name
type = each.value.type
command = each.value.command
sha256 = each.value.sha256
plugin_version = each.value.version
}
module "gpg_secret_backend" { module "gpg_secret_backend" {
source = "./modules/gpg_secret_backend" source = "./modules/gpg_secret_backend"
@@ -354,8 +342,6 @@ module "gpg_secret_backend" {
path = each.key path = each.key
plugin = each.value.plugin plugin = each.value.plugin
description = each.value.description description = each.value.description
depends_on = [module.plugin]
} }
module "gpg_key" { module "gpg_key" {
@@ -1,12 +0,0 @@
# Registers ("imports") a plugin binary in the Vault/OpenBao plugin catalog so
# it can be mounted. The binary must already exist in the server
# plugin_directory (installed out of band, e.g. by Puppet); `command` is its
# filename there. The sha256 must match the on-disk binary or the server refuses
# to launch the plugin.
resource "vault_plugin" "this" {
type = var.type
name = var.name
command = coalesce(var.command, var.name)
sha256 = var.sha256
version = var.plugin_version
}
@@ -1,9 +0,0 @@
terraform {
required_version = ">= 1.10"
required_providers {
vault = {
source = "hashicorp/vault"
version = "5.6.0"
}
}
}
@@ -1,27 +0,0 @@
variable "name" {
description = "Name to register the plugin under in the catalog (also the mount type)"
type = string
}
variable "type" {
description = "Plugin type: secret, auth or database"
type = string
default = "secret"
}
variable "command" {
description = "Plugin binary filename relative to the server plugin_directory. Defaults to the plugin name."
type = string
default = null
}
variable "sha256" {
description = "SHA-256 of the installed plugin binary; must match the on-disk binary"
type = string
}
variable "plugin_version" {
description = "Optional plugin version to register the catalog entry under"
type = string
default = null
}
-12
View File
@@ -315,18 +315,6 @@ variable "litellm_secret_backend_role" {
default = {} default = {}
} }
variable "plugins" {
description = "Map of plugins to import (register) in the catalog, keyed by catalog name"
type = map(object({
name = string
type = optional(string, "secret")
command = optional(string)
sha256 = string
version = optional(string)
}))
default = {}
}
variable "gpg_secret_backend" { variable "gpg_secret_backend" {
description = "Map of GPG/OpenPGP secret engines to mount (path => registered plugin + description). The plugin is registered separately via config/plugins." description = "Map of GPG/OpenPGP secret engines to mount (path => registered plugin + description). The plugin is registered separately via config/plugins."
type = map(object({ type = map(object({
-35
View File
@@ -1,35 +0,0 @@
# Allow the vault deployer to import the gpg plugin and manage its OpenPGP keys.
#
# terraform-vault registers the plugin itself (vault_plugin -> sys/plugins/catalog,
# a sudo-protected path) and manages keys via the gpgvaultsecret provider, so the
# deployer needs catalog access on top of the mount access it already has
# (sys/mounts/*). Without this, apply 403s on the plugin registration and on
# gpg/keys writes.
---
rules:
# Import / register (and deregister) the gpg plugin in the catalog.
- path: "sys/plugins/catalog/secret/vault-plugin-secrets-gpg"
capabilities:
- create
- read
- update
- delete
- sudo
# Manage keys (create/rotate/config/delete) in the gpg mount.
- path: "gpg/keys/*"
capabilities:
- create
- read
- update
- delete
- list
- path: "gpg/keys"
capabilities:
- read
- list
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
-55
View File
@@ -1,55 +0,0 @@
# Allow the vault deployer to import the rancher plugin and manage its engine
# (config, seeded service accounts, and roles).
#
# terraform-vault registers the plugin itself (vault_plugin -> sys/plugins/catalog,
# a sudo-protected path) and manages the engine via the ranchervaultsecret
# provider, so the deployer needs catalog access on top of the mount access it
# already has (sys/mounts/*). Without this, apply 403s on the plugin
# registration and on rancher/{config,service-accounts,roles} writes.
---
rules:
# Import / register (and deregister) the rancher plugin in the catalog.
- path: "sys/plugins/catalog/secret/vault-plugin-secrets-rancher"
capabilities:
- create
- read
- update
- delete
- sudo
# Engine connection config.
- path: "rancher/config"
capabilities:
- create
- read
- update
- delete
# Seeded, auto-rotated service-account tokens (+ manual rotate).
- path: "rancher/service-accounts/*"
capabilities:
- create
- read
- update
- delete
- list
- path: "rancher/service-accounts"
capabilities:
- read
- list
# Token-minting roles.
- path: "rancher/roles/*"
capabilities:
- create
- read
- update
- delete
- list
- path: "rancher/roles"
capabilities:
- read
- list
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault