1 Commits

Author SHA1 Message Date
unkinben f7c738fbc2 Manage the litellm plugin via config/plugins (import existing registration)
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
Bring the litellm plugin under terraform management like the gpg one. It was
registered manually before terraform owned the catalog, so its state must be
imported before applying, otherwise apply fails creating an entry that already
exists.

- Add config/plugins/vault-plugin-secrets-litellm.yaml (sha256 = released v0.1.1
  openbao binary; verify against the live catalog on import).

Manual pre-step before apply:
  cd environments/au/syd1
  terragrunt import \
    'module.plugin["vault-plugin-secrets-litellm"].vault_plugin.this' \
    secret/vault-plugin-secrets-litellm
2026-07-17 23:16:32 +10:00
26 changed files with 13 additions and 506 deletions
-34
View File
@@ -205,39 +205,5 @@ locals {
})
if startswith(file_path, "plugins/")
}
gpg_secret_backend = {
for file_path, content in local.all_configs :
trimsuffix(basename(file_path), ".yaml") => content
if startswith(file_path, "gpg_secret_backend/")
}
gpg_key = {
for file_path, content in local.all_configs :
trimsuffix(replace(file_path, "gpg_key/", ""), ".yaml") => merge(content, {
name = trimsuffix(basename(file_path), ".yaml")
backend = dirname(replace(file_path, "gpg_key/", ""))
})
if startswith(file_path, "gpg_key/")
}
rancher_secret_backend = {
for file_path, content in local.all_configs :
trimsuffix(basename(file_path), ".yaml") => content
if startswith(file_path, "rancher_secret_backend/")
}
rancher_secret_backend_service_account = {
for file_path, content in local.all_configs :
trimsuffix(replace(file_path, "rancher_secret_backend_service_account/", ""), ".yaml") => merge(content, {
name = trimsuffix(basename(file_path), ".yaml")
backend = dirname(replace(file_path, "rancher_secret_backend_service_account/", ""))
})
if startswith(file_path, "rancher_secret_backend_service_account/")
}
rancher_secret_backend_role = {
for file_path, content in local.all_configs :
trimsuffix(replace(file_path, "rancher_secret_backend_role/", ""), ".yaml") => merge(content, {
name = trimsuffix(basename(file_path), ".yaml")
backend = dirname(replace(file_path, "rancher_secret_backend_role/", ""))
})
if startswith(file_path, "rancher_secret_backend_role/")
}
}
}
-7
View File
@@ -1,7 +0,0 @@
# config/gpg_key/gpg/pass.yaml
# An OpenPGP key in the gpg engine for password-store (passv). The private key
# stays in Vault; clients import the exported public key to encrypt and delegate
# decryption to gpg/decrypt/pass. Key name = "pass", backend = "gpg".
algorithm: rsa-4096
identity: "pass <pass@unkin.net>"
exportable: false
-4
View File
@@ -1,4 +0,0 @@
# config/gpg_secret_backend/gpg.yaml
# Mounts the gpg secrets engine at "gpg". The plugin itself is registered in the
# catalog separately (see config/plugins/vault-plugin-secrets-gpg.yaml).
description: "GPG/OpenPGP secrets engine (sign/verify/encrypt/decrypt)"
@@ -0,0 +1,13 @@
# config/plugins/vault-plugin-secrets-litellm.yaml
# Imports (registers) the litellm secrets plugin in the catalog. This plugin was
# registered manually before terraform managed the catalog, so its state must be
# imported before the first apply (see the PR description) — otherwise apply
# tries to create an entry that already exists.
#
# sha256 is the released v0.1.1 openbao binary
# (openbao-plugin-secrets-litellm RPM -> /opt/openbao-plugins/vault-plugin-secrets-litellm),
# which Puppet installs floating. Verify against the live catalog during import
# (`bao read sys/plugins/catalog/secret/vault-plugin-secrets-litellm`).
type: secret
command: vault-plugin-secrets-litellm
sha256: "2263ebcb3498877a87ddcf31a9cbc6efca6b81702a5faecf7fe7e40200ca7a1f"
@@ -1,8 +0,0 @@
# Mounts the rancher token secrets engine at "rancher" and writes its config.
# The plugin is registered in the catalog separately (see
# config/plugins/vault-plugin-secrets-rancher.yaml). Seeded service-account
# tokens live under config/rancher_secret_backend_service_account/rancher/ and
# roles under config/rancher_secret_backend_role/rancher/.
description: "Rancher API token engine (seeded root rotation + dynamic scoped creds)"
rancher_url: "https://rancher.k8s.syd1.au.unkin.net"
request_timeout_seconds: 30
@@ -1,9 +0,0 @@
# A role that mints short-lived Rancher tokens from the "admin" service account.
# Reading rancher/creds/ci returns a lease-bound token deleted from Rancher on
# revoke. Minted tokens inherit the admin service account's RBAC; only cluster
# and TTL are scoped per-token.
---
service_account: admin
description: "CI/CD ephemeral Rancher token"
ttl: 3600 # seconds (1h)
max_ttl: 28800 # seconds (8h)
@@ -1,8 +0,0 @@
# A seeded, auto-rotated Rancher service-account token on the "rancher" engine.
# The seed token itself is sensitive and read from KV (not stored here):
# kv/service/vault/au/syd1/secret_backend/rancher/service_account/admin
# -> keys: token (required), token_name (optional)
# Populate that KV path with a live Rancher admin token BEFORE applying; the
# engine then rotates it (mints a fresh 90d token every 45d) so it never lapses.
token_ttl: 7776000 # 90d in seconds
rotation_period: 3888000 # 45d in seconds
-6
View File
@@ -71,12 +71,6 @@ inputs = {
litellm_secret_backend = local.config.litellm_secret_backend
litellm_secret_backend_role = local.config.litellm_secret_backend_role
plugins = local.config.plugins
gpg_secret_backend = local.config.gpg_secret_backend
gpg_key = local.config.gpg_key
rancher_secret_backend = local.config.rancher_secret_backend
rancher_secret_backend_service_account = local.config.rancher_secret_backend_service_account
rancher_secret_backend_role = local.config.rancher_secret_backend_role
# Pass policy maps to vault_cluster module
policy_auth_map = local.policies.policy_auth_map
-20
View File
@@ -17,18 +17,6 @@ provider "litellm" {
address = local.vault_addr
}
# The gpg secrets engine's keys are managed through its own provider (same Vault
# server; token falls back to VAULT_TOKEN).
provider "gpg" {
address = local.vault_addr
}
# The rancher token secrets engine is managed through its own provider (same
# Vault server; token falls back to VAULT_TOKEN).
provider "rancher" {
address = local.vault_addr
}
terraform {
backend "consul" {
address = "https://consul.service.consul"
@@ -51,14 +39,6 @@ terraform {
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/litellmvaultsecret"
version = "0.1.0"
}
gpg = {
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/gpgvaultsecret"
version = "0.1.0"
}
rancher = {
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/ranchervaultsecret"
version = "0.1.0"
}
}
}
EOF
-75
View File
@@ -346,81 +346,6 @@ module "plugin" {
plugin_version = each.value.version
}
module "gpg_secret_backend" {
source = "./modules/gpg_secret_backend"
for_each = var.gpg_secret_backend
path = each.key
plugin = each.value.plugin
description = each.value.description
depends_on = [module.plugin]
}
module "gpg_key" {
source = "./modules/gpg_key"
for_each = var.gpg_key
backend = each.value.backend
name = each.value.name
algorithm = each.value.algorithm
identity = each.value.identity
exportable = each.value.exportable
deletion_allowed = each.value.deletion_allowed
min_decryption_version = each.value.min_decryption_version
depends_on = [module.gpg_secret_backend]
}
module "rancher_secret_backend" {
source = "./modules/rancher_secret_backend"
for_each = var.rancher_secret_backend
path = each.key
plugin = each.value.plugin
description = each.value.description
rancher_url = each.value.rancher_url
ca_cert = each.value.ca_cert
tls_skip_verify = each.value.tls_skip_verify
request_timeout_seconds = each.value.request_timeout_seconds
depends_on = [module.plugin]
}
module "rancher_secret_backend_service_account" {
source = "./modules/rancher_secret_backend_service_account"
for_each = var.rancher_secret_backend_service_account
backend = each.value.backend
name = each.value.name
country = var.country
region = var.region
token_ttl = each.value.token_ttl
rotation_period = each.value.rotation_period
depends_on = [module.rancher_secret_backend]
}
module "rancher_secret_backend_role" {
source = "./modules/rancher_secret_backend_role"
for_each = var.rancher_secret_backend_role
backend = each.value.backend
name = each.value.name
service_account = each.value.service_account
cluster_name = each.value.cluster_name
description = each.value.description
ttl = each.value.ttl
max_ttl = each.value.max_ttl
depends_on = [module.rancher_secret_backend_service_account]
}
module "vault_policy" {
source = "./modules/vault_policy"
@@ -1,12 +0,0 @@
# Manages an OpenPGP key inside a gpg secrets engine mount, via the
# gpgvaultsecret provider. The private key never leaves Vault; consumers use the
# exported public_key to encrypt and delegate decryption back to the engine.
resource "gpg_key" "this" {
backend = var.backend
name = var.name
algorithm = var.algorithm
identity = var.identity
exportable = var.exportable
deletion_allowed = var.deletion_allowed
min_decryption_version = var.min_decryption_version
}
@@ -1,9 +0,0 @@
terraform {
required_version = ">= 1.10"
required_providers {
gpg = {
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/gpgvaultsecret"
version = "0.1.0"
}
}
}
@@ -1,39 +0,0 @@
variable "backend" {
description = "Mount path of the gpg secrets engine (e.g. \"gpg\")"
type = string
}
variable "name" {
description = "Name of the key"
type = string
}
variable "algorithm" {
description = "Key algorithm: rsa-2048, rsa-3072, rsa-4096 or ed25519"
type = string
default = "rsa-3072"
}
variable "identity" {
description = "OpenPGP User ID (defaults to the key name)"
type = string
default = null
}
variable "exportable" {
description = "Allow exporting the private key (enable-only)"
type = bool
default = false
}
variable "deletion_allowed" {
description = "Whether the key may be deleted"
type = bool
default = false
}
variable "min_decryption_version" {
description = "Minimum key version usable for decryption/verification"
type = number
default = null
}
@@ -1,8 +0,0 @@
# Mounts the gpg secrets engine. The plugin is registered ("imported") in the
# catalog separately via the config/plugins/ discovery and the plugin module;
# this module just enables a mount of the already-registered plugin type.
resource "vault_mount" "this" {
path = var.path
type = var.plugin
description = var.description
}
@@ -1,9 +0,0 @@
terraform {
required_version = ">= 1.10"
required_providers {
vault = {
source = "hashicorp/vault"
version = "5.6.0"
}
}
}
@@ -1,16 +0,0 @@
variable "path" {
description = "Mount path of the GPG secrets engine (e.g. \"gpg\")"
type = string
}
variable "plugin" {
description = "Registered plugin name to mount (the catalog name = mount type)"
type = string
default = "vault-plugin-secrets-gpg"
}
variable "description" {
description = "Human-friendly description of the mount"
type = string
default = null
}
@@ -1,13 +0,0 @@
# Mounts the rancher secrets engine and writes its connection config via the
# ranchervaultsecret provider. The plugin is registered ("imported") in the
# catalog separately (config/plugins/vault-plugin-secrets-rancher.yaml). Seeded
# service-account tokens and roles are managed by the sibling modules.
resource "rancher_secret_backend" "this" {
path = var.path
plugin = var.plugin
description = var.description
rancher_url = var.rancher_url
ca_cert = var.ca_cert
tls_skip_verify = var.tls_skip_verify
request_timeout_seconds = var.request_timeout_seconds
}
@@ -1,9 +0,0 @@
terraform {
required_version = ">= 1.10"
required_providers {
rancher = {
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/ranchervaultsecret"
version = "0.1.0"
}
}
}
@@ -1,39 +0,0 @@
variable "path" {
description = "Mount path of the rancher secrets engine (e.g. \"rancher\")"
type = string
}
variable "plugin" {
description = "Registered plugin name to mount (the catalog name = mount type)"
type = string
default = "vault-plugin-secrets-rancher"
}
variable "description" {
description = "Human-friendly description of the mount"
type = string
default = null
}
variable "rancher_url" {
description = "Base URL of the Rancher server (e.g. https://rancher.k8s.syd1.au.unkin.net)"
type = string
}
variable "ca_cert" {
description = "PEM CA certificate that signed the Rancher server's TLS cert (optional; omit to use the system trust store)"
type = string
default = null
}
variable "tls_skip_verify" {
description = "Skip TLS verification of the Rancher server (not recommended)"
type = bool
default = false
}
variable "request_timeout_seconds" {
description = "HTTP timeout in seconds for calls from the plugin to Rancher"
type = number
default = 30
}
@@ -1,11 +0,0 @@
# A role that mints short-lived, optionally cluster-scoped rancher tokens from a
# service account. Reading rancher/creds/<name> produces a lease-bound token.
resource "rancher_secret_backend_role" "this" {
backend = var.backend
name = var.name
service_account = var.service_account
cluster_name = var.cluster_name
description = var.description
ttl = var.ttl
max_ttl = var.max_ttl
}
@@ -1,9 +0,0 @@
terraform {
required_version = ">= 1.10"
required_providers {
rancher = {
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/ranchervaultsecret"
version = "0.1.0"
}
}
}
@@ -1,38 +0,0 @@
variable "backend" {
description = "Mount path of the rancher secrets engine this role lives on"
type = string
}
variable "name" {
description = "Role name"
type = string
}
variable "service_account" {
description = "Service account (seeded token) used to mint credentials; its user's RBAC is inherited by minted tokens"
type = string
}
variable "cluster_name" {
description = "Downstream cluster to scope minted tokens to (empty = full Rancher-server scope)"
type = string
default = null
}
variable "description" {
description = "Description applied to each minted Rancher token"
type = string
default = null
}
variable "ttl" {
description = "Default lease TTL in seconds for tokens minted from this role"
type = number
default = null
}
variable "max_ttl" {
description = "Maximum lease TTL in seconds for tokens minted from this role"
type = number
default = null
}
@@ -1,18 +0,0 @@
# Seeds an auto-rotated rancher service-account token. The seed token is
# sensitive and read from KV, not stored in git:
# kv/service/vault/<country>/<region>/secret_backend/<backend>/service_account/<name>
# Expected keys: token (required), token_name (optional, the ext.cattle.io Token
# metadata.name so the engine can delete the seed after the first rotation).
data "vault_kv_secret_v2" "seed" {
mount = "kv"
name = "service/vault/${var.country}/${var.region}/secret_backend/${var.backend}/service_account/${var.name}"
}
resource "rancher_secret_backend_service_account" "this" {
backend = var.backend
name = var.name
token = data.vault_kv_secret_v2.seed.data["token"]
token_name = lookup(data.vault_kv_secret_v2.seed.data, "token_name", null)
token_ttl = var.token_ttl
rotation_period = var.rotation_period
}
@@ -1,13 +0,0 @@
terraform {
required_version = ">= 1.10"
required_providers {
vault = {
source = "hashicorp/vault"
version = "5.6.0"
}
rancher = {
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/ranchervaultsecret"
version = "0.1.0"
}
}
}
@@ -1,31 +0,0 @@
variable "backend" {
description = "Mount path of the rancher secrets engine this service account lives on"
type = string
}
variable "name" {
description = "Service-account name"
type = string
}
variable "country" {
description = "Country code, used to locate the seed token in KV"
type = string
}
variable "region" {
description = "Region code, used to locate the seed token in KV"
type = string
}
variable "token_ttl" {
description = "Lifetime in seconds requested for each rotated replacement token (default: engine default, 90d)"
type = number
default = null
}
variable "rotation_period" {
description = "Seconds a token is used before rotation (default: engine default, 45d). Must be < token_ttl"
type = number
default = null
}
-61
View File
@@ -327,67 +327,6 @@ variable "plugins" {
default = {}
}
variable "gpg_secret_backend" {
description = "Map of GPG/OpenPGP secret engines to mount (path => registered plugin + description). The plugin is registered separately via config/plugins."
type = map(object({
plugin = optional(string, "vault-plugin-secrets-gpg")
description = optional(string)
}))
default = {}
}
variable "gpg_key" {
description = "Map of OpenPGP keys to manage in a gpg engine mount"
type = map(object({
name = string
backend = string
algorithm = optional(string, "rsa-3072")
identity = optional(string)
exportable = optional(bool, false)
deletion_allowed = optional(bool, false)
min_decryption_version = optional(number)
}))
default = {}
}
variable "rancher_secret_backend" {
description = "Map of rancher token secret engines to create (mount + config)"
type = map(object({
plugin = optional(string, "vault-plugin-secrets-rancher")
description = optional(string)
rancher_url = string
ca_cert = optional(string)
tls_skip_verify = optional(bool, false)
request_timeout_seconds = optional(number, 30)
}))
default = {}
}
variable "rancher_secret_backend_service_account" {
description = "Map of seeded, auto-rotated rancher service-account tokens (seed token read from KV)"
type = map(object({
name = string
backend = string
token_ttl = optional(number)
rotation_period = optional(number)
}))
default = {}
}
variable "rancher_secret_backend_role" {
description = "Map of rancher token-minting roles to create"
type = map(object({
name = string
backend = string
service_account = string
cluster_name = optional(string)
description = optional(string)
ttl = optional(number)
max_ttl = optional(number)
}))
default = {}
}
variable "policy_auth_map" {
description = "Map of auth mounts -> auth roles -> policy names"
type = map(map(list(string)))