Compare commits
4 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 3fe5806ff5 | |||
| 933de177fa | |||
| ce1185deba | |||
| 3d59758324 |
@@ -198,5 +198,25 @@ locals {
|
|||||||
})
|
})
|
||||||
if startswith(file_path, "litellm_secret_backend_role/")
|
if startswith(file_path, "litellm_secret_backend_role/")
|
||||||
}
|
}
|
||||||
|
plugins = {
|
||||||
|
for file_path, content in local.all_configs :
|
||||||
|
trimsuffix(basename(file_path), ".yaml") => merge(content, {
|
||||||
|
name = trimsuffix(basename(file_path), ".yaml")
|
||||||
|
})
|
||||||
|
if startswith(file_path, "plugins/")
|
||||||
|
}
|
||||||
|
gpg_secret_backend = {
|
||||||
|
for file_path, content in local.all_configs :
|
||||||
|
trimsuffix(basename(file_path), ".yaml") => content
|
||||||
|
if startswith(file_path, "gpg_secret_backend/")
|
||||||
|
}
|
||||||
|
gpg_key = {
|
||||||
|
for file_path, content in local.all_configs :
|
||||||
|
trimsuffix(replace(file_path, "gpg_key/", ""), ".yaml") => merge(content, {
|
||||||
|
name = trimsuffix(basename(file_path), ".yaml")
|
||||||
|
backend = dirname(replace(file_path, "gpg_key/", ""))
|
||||||
|
})
|
||||||
|
if startswith(file_path, "gpg_key/")
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -0,0 +1,7 @@
|
|||||||
|
# config/gpg_key/gpg/pass.yaml
|
||||||
|
# An OpenPGP key in the gpg engine for password-store (passv). The private key
|
||||||
|
# stays in Vault; clients import the exported public key to encrypt and delegate
|
||||||
|
# decryption to gpg/decrypt/pass. Key name = "pass", backend = "gpg".
|
||||||
|
algorithm: rsa-4096
|
||||||
|
identity: "pass <pass@unkin.net>"
|
||||||
|
exportable: false
|
||||||
@@ -0,0 +1,4 @@
|
|||||||
|
# config/gpg_secret_backend/gpg.yaml
|
||||||
|
# Mounts the gpg secrets engine at "gpg". The plugin itself is registered in the
|
||||||
|
# catalog separately (see config/plugins/vault-plugin-secrets-gpg.yaml).
|
||||||
|
description: "GPG/OpenPGP secrets engine (sign/verify/encrypt/decrypt)"
|
||||||
@@ -0,0 +1,10 @@
|
|||||||
|
# config/plugins/vault-plugin-secrets-gpg.yaml
|
||||||
|
# Imports (registers) the gpg secrets plugin in the catalog. Filename = catalog
|
||||||
|
# name = mount type. The binary is installed on the OpenBao nodes by Puppet
|
||||||
|
# (openbao-plugin-secrets-gpg RPM -> /opt/openbao-plugins/vault-plugin-secrets-gpg).
|
||||||
|
#
|
||||||
|
# sha256 pins the released v0.1.0 binary; bump it in lockstep with any RPM
|
||||||
|
# upgrade or OpenBao will refuse to launch the plugin.
|
||||||
|
type: secret
|
||||||
|
command: vault-plugin-secrets-gpg
|
||||||
|
sha256: "0e92d7408795688badb55789bc1604e8f1dd4d71998656c7f831991fce9a7b20"
|
||||||
@@ -0,0 +1,11 @@
|
|||||||
|
# config/plugins/vault-plugin-secrets-rancher.yaml
|
||||||
|
# Imports (registers) the rancher secrets plugin in the catalog. Filename =
|
||||||
|
# catalog name = mount type. The binary is installed on the OpenBao nodes by
|
||||||
|
# Puppet (openbao-plugin-secrets-rancher RPM ->
|
||||||
|
# /opt/openbao-plugins/vault-plugin-secrets-rancher).
|
||||||
|
#
|
||||||
|
# sha256 pins the released v0.1.0 binary; bump it in lockstep with any RPM
|
||||||
|
# upgrade or OpenBao will refuse to launch the plugin.
|
||||||
|
type: secret
|
||||||
|
command: vault-plugin-secrets-rancher
|
||||||
|
sha256: "d2b17f45b5fa9e6549443fec3ba22f17ef575d2d811c14324187dc9904ec574a"
|
||||||
@@ -70,6 +70,9 @@ inputs = {
|
|||||||
pki_mount_only = local.config.pki_mount_only
|
pki_mount_only = local.config.pki_mount_only
|
||||||
litellm_secret_backend = local.config.litellm_secret_backend
|
litellm_secret_backend = local.config.litellm_secret_backend
|
||||||
litellm_secret_backend_role = local.config.litellm_secret_backend_role
|
litellm_secret_backend_role = local.config.litellm_secret_backend_role
|
||||||
|
plugins = local.config.plugins
|
||||||
|
gpg_secret_backend = local.config.gpg_secret_backend
|
||||||
|
gpg_key = local.config.gpg_key
|
||||||
|
|
||||||
# Pass policy maps to vault_cluster module
|
# Pass policy maps to vault_cluster module
|
||||||
policy_auth_map = local.policies.policy_auth_map
|
policy_auth_map = local.policies.policy_auth_map
|
||||||
|
|||||||
@@ -17,6 +17,12 @@ provider "litellm" {
|
|||||||
address = local.vault_addr
|
address = local.vault_addr
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# The gpg secrets engine's keys are managed through its own provider (same Vault
|
||||||
|
# server; token falls back to VAULT_TOKEN).
|
||||||
|
provider "gpg" {
|
||||||
|
address = local.vault_addr
|
||||||
|
}
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
backend "consul" {
|
backend "consul" {
|
||||||
address = "https://consul.service.consul"
|
address = "https://consul.service.consul"
|
||||||
@@ -39,6 +45,10 @@ terraform {
|
|||||||
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/litellmvaultsecret"
|
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/litellmvaultsecret"
|
||||||
version = "0.1.0"
|
version = "0.1.0"
|
||||||
}
|
}
|
||||||
|
gpg = {
|
||||||
|
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/gpgvaultsecret"
|
||||||
|
version = "0.1.0"
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
EOF
|
EOF
|
||||||
|
|||||||
@@ -334,6 +334,46 @@ module "litellm_secret_backend_role" {
|
|||||||
depends_on = [module.litellm_secret_backend]
|
depends_on = [module.litellm_secret_backend]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
module "plugin" {
|
||||||
|
source = "./modules/plugin"
|
||||||
|
|
||||||
|
for_each = var.plugins
|
||||||
|
|
||||||
|
name = each.value.name
|
||||||
|
type = each.value.type
|
||||||
|
command = each.value.command
|
||||||
|
sha256 = each.value.sha256
|
||||||
|
plugin_version = each.value.version
|
||||||
|
}
|
||||||
|
|
||||||
|
module "gpg_secret_backend" {
|
||||||
|
source = "./modules/gpg_secret_backend"
|
||||||
|
|
||||||
|
for_each = var.gpg_secret_backend
|
||||||
|
|
||||||
|
path = each.key
|
||||||
|
plugin = each.value.plugin
|
||||||
|
description = each.value.description
|
||||||
|
|
||||||
|
depends_on = [module.plugin]
|
||||||
|
}
|
||||||
|
|
||||||
|
module "gpg_key" {
|
||||||
|
source = "./modules/gpg_key"
|
||||||
|
|
||||||
|
for_each = var.gpg_key
|
||||||
|
|
||||||
|
backend = each.value.backend
|
||||||
|
name = each.value.name
|
||||||
|
algorithm = each.value.algorithm
|
||||||
|
identity = each.value.identity
|
||||||
|
exportable = each.value.exportable
|
||||||
|
deletion_allowed = each.value.deletion_allowed
|
||||||
|
min_decryption_version = each.value.min_decryption_version
|
||||||
|
|
||||||
|
depends_on = [module.gpg_secret_backend]
|
||||||
|
}
|
||||||
|
|
||||||
module "vault_policy" {
|
module "vault_policy" {
|
||||||
source = "./modules/vault_policy"
|
source = "./modules/vault_policy"
|
||||||
|
|
||||||
|
|||||||
@@ -0,0 +1,12 @@
|
|||||||
|
# Manages an OpenPGP key inside a gpg secrets engine mount, via the
|
||||||
|
# gpgvaultsecret provider. The private key never leaves Vault; consumers use the
|
||||||
|
# exported public_key to encrypt and delegate decryption back to the engine.
|
||||||
|
resource "gpg_key" "this" {
|
||||||
|
backend = var.backend
|
||||||
|
name = var.name
|
||||||
|
algorithm = var.algorithm
|
||||||
|
identity = var.identity
|
||||||
|
exportable = var.exportable
|
||||||
|
deletion_allowed = var.deletion_allowed
|
||||||
|
min_decryption_version = var.min_decryption_version
|
||||||
|
}
|
||||||
@@ -0,0 +1,9 @@
|
|||||||
|
terraform {
|
||||||
|
required_version = ">= 1.10"
|
||||||
|
required_providers {
|
||||||
|
gpg = {
|
||||||
|
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/gpgvaultsecret"
|
||||||
|
version = "0.1.0"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,39 @@
|
|||||||
|
variable "backend" {
|
||||||
|
description = "Mount path of the gpg secrets engine (e.g. \"gpg\")"
|
||||||
|
type = string
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "name" {
|
||||||
|
description = "Name of the key"
|
||||||
|
type = string
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "algorithm" {
|
||||||
|
description = "Key algorithm: rsa-2048, rsa-3072, rsa-4096 or ed25519"
|
||||||
|
type = string
|
||||||
|
default = "rsa-3072"
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "identity" {
|
||||||
|
description = "OpenPGP User ID (defaults to the key name)"
|
||||||
|
type = string
|
||||||
|
default = null
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "exportable" {
|
||||||
|
description = "Allow exporting the private key (enable-only)"
|
||||||
|
type = bool
|
||||||
|
default = false
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "deletion_allowed" {
|
||||||
|
description = "Whether the key may be deleted"
|
||||||
|
type = bool
|
||||||
|
default = false
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "min_decryption_version" {
|
||||||
|
description = "Minimum key version usable for decryption/verification"
|
||||||
|
type = number
|
||||||
|
default = null
|
||||||
|
}
|
||||||
@@ -0,0 +1,8 @@
|
|||||||
|
# Mounts the gpg secrets engine. The plugin is registered ("imported") in the
|
||||||
|
# catalog separately via the config/plugins/ discovery and the plugin module;
|
||||||
|
# this module just enables a mount of the already-registered plugin type.
|
||||||
|
resource "vault_mount" "this" {
|
||||||
|
path = var.path
|
||||||
|
type = var.plugin
|
||||||
|
description = var.description
|
||||||
|
}
|
||||||
@@ -0,0 +1,9 @@
|
|||||||
|
terraform {
|
||||||
|
required_version = ">= 1.10"
|
||||||
|
required_providers {
|
||||||
|
vault = {
|
||||||
|
source = "hashicorp/vault"
|
||||||
|
version = "5.6.0"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,16 @@
|
|||||||
|
variable "path" {
|
||||||
|
description = "Mount path of the GPG secrets engine (e.g. \"gpg\")"
|
||||||
|
type = string
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "plugin" {
|
||||||
|
description = "Registered plugin name to mount (the catalog name = mount type)"
|
||||||
|
type = string
|
||||||
|
default = "vault-plugin-secrets-gpg"
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "description" {
|
||||||
|
description = "Human-friendly description of the mount"
|
||||||
|
type = string
|
||||||
|
default = null
|
||||||
|
}
|
||||||
@@ -0,0 +1,12 @@
|
|||||||
|
# Registers ("imports") a plugin binary in the Vault/OpenBao plugin catalog so
|
||||||
|
# it can be mounted. The binary must already exist in the server
|
||||||
|
# plugin_directory (installed out of band, e.g. by Puppet); `command` is its
|
||||||
|
# filename there. The sha256 must match the on-disk binary or the server refuses
|
||||||
|
# to launch the plugin.
|
||||||
|
resource "vault_plugin" "this" {
|
||||||
|
type = var.type
|
||||||
|
name = var.name
|
||||||
|
command = coalesce(var.command, var.name)
|
||||||
|
sha256 = var.sha256
|
||||||
|
version = var.plugin_version
|
||||||
|
}
|
||||||
@@ -0,0 +1,9 @@
|
|||||||
|
terraform {
|
||||||
|
required_version = ">= 1.10"
|
||||||
|
required_providers {
|
||||||
|
vault = {
|
||||||
|
source = "hashicorp/vault"
|
||||||
|
version = "5.6.0"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,27 @@
|
|||||||
|
variable "name" {
|
||||||
|
description = "Name to register the plugin under in the catalog (also the mount type)"
|
||||||
|
type = string
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "type" {
|
||||||
|
description = "Plugin type: secret, auth or database"
|
||||||
|
type = string
|
||||||
|
default = "secret"
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "command" {
|
||||||
|
description = "Plugin binary filename relative to the server plugin_directory. Defaults to the plugin name."
|
||||||
|
type = string
|
||||||
|
default = null
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "sha256" {
|
||||||
|
description = "SHA-256 of the installed plugin binary; must match the on-disk binary"
|
||||||
|
type = string
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "plugin_version" {
|
||||||
|
description = "Optional plugin version to register the catalog entry under"
|
||||||
|
type = string
|
||||||
|
default = null
|
||||||
|
}
|
||||||
@@ -315,6 +315,41 @@ variable "litellm_secret_backend_role" {
|
|||||||
default = {}
|
default = {}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "plugins" {
|
||||||
|
description = "Map of plugins to import (register) in the catalog, keyed by catalog name"
|
||||||
|
type = map(object({
|
||||||
|
name = string
|
||||||
|
type = optional(string, "secret")
|
||||||
|
command = optional(string)
|
||||||
|
sha256 = string
|
||||||
|
version = optional(string)
|
||||||
|
}))
|
||||||
|
default = {}
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "gpg_secret_backend" {
|
||||||
|
description = "Map of GPG/OpenPGP secret engines to mount (path => registered plugin + description). The plugin is registered separately via config/plugins."
|
||||||
|
type = map(object({
|
||||||
|
plugin = optional(string, "vault-plugin-secrets-gpg")
|
||||||
|
description = optional(string)
|
||||||
|
}))
|
||||||
|
default = {}
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "gpg_key" {
|
||||||
|
description = "Map of OpenPGP keys to manage in a gpg engine mount"
|
||||||
|
type = map(object({
|
||||||
|
name = string
|
||||||
|
backend = string
|
||||||
|
algorithm = optional(string, "rsa-3072")
|
||||||
|
identity = optional(string)
|
||||||
|
exportable = optional(bool, false)
|
||||||
|
deletion_allowed = optional(bool, false)
|
||||||
|
min_decryption_version = optional(number)
|
||||||
|
}))
|
||||||
|
default = {}
|
||||||
|
}
|
||||||
|
|
||||||
variable "policy_auth_map" {
|
variable "policy_auth_map" {
|
||||||
description = "Map of auth mounts -> auth roles -> policy names"
|
description = "Map of auth mounts -> auth roles -> policy names"
|
||||||
type = map(map(list(string)))
|
type = map(map(list(string)))
|
||||||
|
|||||||
@@ -0,0 +1,35 @@
|
|||||||
|
# Allow the vault deployer to import the gpg plugin and manage its OpenPGP keys.
|
||||||
|
#
|
||||||
|
# terraform-vault registers the plugin itself (vault_plugin -> sys/plugins/catalog,
|
||||||
|
# a sudo-protected path) and manages keys via the gpgvaultsecret provider, so the
|
||||||
|
# deployer needs catalog access on top of the mount access it already has
|
||||||
|
# (sys/mounts/*). Without this, apply 403s on the plugin registration and on
|
||||||
|
# gpg/keys writes.
|
||||||
|
---
|
||||||
|
rules:
|
||||||
|
# Import / register (and deregister) the gpg plugin in the catalog.
|
||||||
|
- path: "sys/plugins/catalog/secret/vault-plugin-secrets-gpg"
|
||||||
|
capabilities:
|
||||||
|
- create
|
||||||
|
- read
|
||||||
|
- update
|
||||||
|
- delete
|
||||||
|
- sudo
|
||||||
|
# Manage keys (create/rotate/config/delete) in the gpg mount.
|
||||||
|
- path: "gpg/keys/*"
|
||||||
|
capabilities:
|
||||||
|
- create
|
||||||
|
- read
|
||||||
|
- update
|
||||||
|
- delete
|
||||||
|
- list
|
||||||
|
- path: "gpg/keys"
|
||||||
|
capabilities:
|
||||||
|
- read
|
||||||
|
- list
|
||||||
|
|
||||||
|
auth:
|
||||||
|
approle:
|
||||||
|
- tf_vault
|
||||||
|
k8s/au/syd1:
|
||||||
|
- woodpecker_terraform_vault
|
||||||
Reference in New Issue
Block a user