4 Commits

Author SHA1 Message Date
Ben Vincent f887489193 Mount the rancher secrets engine + seed a service account + roles
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
Deploys the Rancher token secrets engine into the cluster, mirroring the litellm
and gpg wiring. The plugin is registered separately (config/plugins) and the
deployer policy is granted separately; this mounts and configures the engine.

- Add rancher_secret_backend module (mount + config via the ranchervaultsecret
  provider): rancher_url https://rancher.k8s.syd1.au.unkin.net.
- Add rancher_secret_backend_service_account module: seeds an auto-rotated token
  (90d TTL / 45d rotation), reading the seed token from KV at
  secret_backend/rancher/service_account/<name> (keys: token, token_name).
- Add rancher_secret_backend_role module + a 'ci' role (1h/8h scoped creds).
- Wire config.hcl discovery, module variables, main.tf module blocks, the
  terragrunt inputs, and the rancher provider in root.hcl.

Prereq: populate kv/service/vault/au/syd1/secret_backend/rancher/service_account/admin
with a live Rancher admin token before apply.
2026-07-17 23:45:48 +10:00
unkinben 933de177fa Register + mount the GPG secrets engine at gpg/ (#87)
ci/woodpecker/push/apply Pipeline was successful
Complete the deploy of the [vault-plugin-secrets-gpg](https://git.unkin.net/unkin/vault-plugin-secrets-gpg) engine. Puppet ([puppet-prod #480](unkin/puppet-prod#480)) installs the `openbao-plugin-secrets-gpg` RPM onto the OpenBao nodes; this registers that binary in the plugin catalog and enables the secrets engine so `gpg/` is actually usable.

- Add a `gpg_secret_backend` module using the standard `hashicorp/vault` provider (already required at 5.6.0): `vault_plugin` (catalog register with a pinned sha256) + `vault_mount` (enable at the mount path).
- Wire it through `vault_cluster` (new `gpg_secret_backend` variable + module block) and the config discovery (`config.hcl` group + syd1 terragrunt input), mirroring `litellm_secret_backend`.
- Add `config/gpg_secret_backend/gpg.yaml` mounting at `gpg/` and pinning the released v0.1.0 binary sha256 (`0e92d740…a7b20`, extracted from the published RPM). Puppet installs the RPM floating, so this sha must be bumped in lockstep on any plugin upgrade or OpenBao rejects the binary.

Validated locally with `tofu validate` + `tofu fmt`. Granting non-root access to `gpg/*` (auth roles + policies) is a follow-up scoped to whoever consumes the engine (e.g. passv from CI).

Reviewed-on: #87
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-07-17 23:19:38 +10:00
unkinben ce1185deba Grant vault deployer access to import + manage the gpg engine (#88)
ci/woodpecker/push/apply Pipeline was successful
## Why
Applying the gpg mount (#87) needs two grants the deployer (`tf_vault` approle / `woodpecker_terraform_vault` k8s role) doesn't have. terraform-vault **registers the plugin itself** (`vault_plugin` → `sys/plugins/catalog`, a sudo-protected path) and **manages keys** via the gpgvaultsecret provider (`gpg/keys/*`). The deployer already has `sys/mounts/*` but neither of these, so apply would 403 on the plugin registration and on `gpg/keys` writes — the same failure mode as #84.

## Changes
- Add `policies/gpg/admin.yaml` granting:
  - `create/read/update/delete/sudo` on `sys/plugins/catalog/secret/vault-plugin-secrets-gpg` — to **import** (register/deregister) the plugin.
  - full management of `gpg/keys/*` (+ `gpg/keys` list) — to **manage keys**.
  - assigned to `tf_vault` (approle) + `woodpecker_terraform_vault` (k8s/au/syd1), mirroring `policies/litellm/admin.yaml` (#84).

Should merge/apply **before** #87 so the deployer can register the plugin and create the `pass` key.

Reviewed-on: #88
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-07-17 23:09:31 +10:00
unkinben 3d59758324 Add a plugin-import module + config/plugins for catalog registration (#89)
ci/woodpecker/push/apply Pipeline was canceled
Split plugin catalog registration out of the per-engine backend modules into its own concern (previously bundled into #87's gpg_secret_backend).

## Changes
- New generic `plugin` module (`vault_plugin`: type/name/command/sha256/plugin_version) that imports a binary into the catalog.
- New `config/plugins/` discovery group (filename = catalog name = mount type), wired through `vault_cluster` (`plugins` variable + module) and the syd1 environment.
- `config/plugins/vault-plugin-secrets-gpg.yaml` pins the released v0.1.0 binary sha256 (`0e92d740…a7b20`, from the published RPM). Puppet installs the RPM floating, so bump this in lockstep on upgrade.

Any engine now registers its plugin by dropping a file in `config/plugins/`; its `*_secret_backend` module just mounts the registered type.

Needs the deployer's plugin-catalog access (#88). Merge order: **#88 → this → #87**.

Reviewed-on: #89
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-07-17 23:08:04 +10:00
22 changed files with 453 additions and 0 deletions
+28
View File
@@ -198,6 +198,13 @@ locals {
}) })
if startswith(file_path, "litellm_secret_backend_role/") if startswith(file_path, "litellm_secret_backend_role/")
} }
plugins = {
for file_path, content in local.all_configs :
trimsuffix(basename(file_path), ".yaml") => merge(content, {
name = trimsuffix(basename(file_path), ".yaml")
})
if startswith(file_path, "plugins/")
}
gpg_secret_backend = { gpg_secret_backend = {
for file_path, content in local.all_configs : for file_path, content in local.all_configs :
trimsuffix(basename(file_path), ".yaml") => content trimsuffix(basename(file_path), ".yaml") => content
@@ -211,5 +218,26 @@ locals {
}) })
if startswith(file_path, "gpg_key/") if startswith(file_path, "gpg_key/")
} }
rancher_secret_backend = {
for file_path, content in local.all_configs :
trimsuffix(basename(file_path), ".yaml") => content
if startswith(file_path, "rancher_secret_backend/")
}
rancher_secret_backend_service_account = {
for file_path, content in local.all_configs :
trimsuffix(replace(file_path, "rancher_secret_backend_service_account/", ""), ".yaml") => merge(content, {
name = trimsuffix(basename(file_path), ".yaml")
backend = dirname(replace(file_path, "rancher_secret_backend_service_account/", ""))
})
if startswith(file_path, "rancher_secret_backend_service_account/")
}
rancher_secret_backend_role = {
for file_path, content in local.all_configs :
trimsuffix(replace(file_path, "rancher_secret_backend_role/", ""), ".yaml") => merge(content, {
name = trimsuffix(basename(file_path), ".yaml")
backend = dirname(replace(file_path, "rancher_secret_backend_role/", ""))
})
if startswith(file_path, "rancher_secret_backend_role/")
}
} }
} }
@@ -0,0 +1,10 @@
# config/plugins/vault-plugin-secrets-gpg.yaml
# Imports (registers) the gpg secrets plugin in the catalog. Filename = catalog
# name = mount type. The binary is installed on the OpenBao nodes by Puppet
# (openbao-plugin-secrets-gpg RPM -> /opt/openbao-plugins/vault-plugin-secrets-gpg).
#
# sha256 pins the released v0.1.0 binary; bump it in lockstep with any RPM
# upgrade or OpenBao will refuse to launch the plugin.
type: secret
command: vault-plugin-secrets-gpg
sha256: "0e92d7408795688badb55789bc1604e8f1dd4d71998656c7f831991fce9a7b20"
@@ -0,0 +1,8 @@
# Mounts the rancher token secrets engine at "rancher" and writes its config.
# The plugin is registered in the catalog separately (see
# config/plugins/vault-plugin-secrets-rancher.yaml). Seeded service-account
# tokens live under config/rancher_secret_backend_service_account/rancher/ and
# roles under config/rancher_secret_backend_role/rancher/.
description: "Rancher API token engine (seeded root rotation + dynamic scoped creds)"
rancher_url: "https://rancher.k8s.syd1.au.unkin.net"
request_timeout_seconds: 30
@@ -0,0 +1,9 @@
# A role that mints short-lived Rancher tokens from the "admin" service account.
# Reading rancher/creds/ci returns a lease-bound token deleted from Rancher on
# revoke. Minted tokens inherit the admin service account's RBAC; only cluster
# and TTL are scoped per-token.
---
service_account: admin
description: "CI/CD ephemeral Rancher token"
ttl: 3600 # seconds (1h)
max_ttl: 28800 # seconds (8h)
@@ -0,0 +1,8 @@
# A seeded, auto-rotated Rancher service-account token on the "rancher" engine.
# The seed token itself is sensitive and read from KV (not stored here):
# kv/service/vault/au/syd1/secret_backend/rancher/service_account/admin
# -> keys: token (required), token_name (optional)
# Populate that KV path with a live Rancher admin token BEFORE applying; the
# engine then rotates it (mints a fresh 90d token every 45d) so it never lapses.
token_ttl: 7776000 # 90d in seconds
rotation_period: 3888000 # 45d in seconds
+5
View File
@@ -70,9 +70,14 @@ inputs = {
pki_mount_only = local.config.pki_mount_only pki_mount_only = local.config.pki_mount_only
litellm_secret_backend = local.config.litellm_secret_backend litellm_secret_backend = local.config.litellm_secret_backend
litellm_secret_backend_role = local.config.litellm_secret_backend_role litellm_secret_backend_role = local.config.litellm_secret_backend_role
plugins = local.config.plugins
gpg_secret_backend = local.config.gpg_secret_backend gpg_secret_backend = local.config.gpg_secret_backend
gpg_key = local.config.gpg_key gpg_key = local.config.gpg_key
rancher_secret_backend = local.config.rancher_secret_backend
rancher_secret_backend_service_account = local.config.rancher_secret_backend_service_account
rancher_secret_backend_role = local.config.rancher_secret_backend_role
# Pass policy maps to vault_cluster module # Pass policy maps to vault_cluster module
policy_auth_map = local.policies.policy_auth_map policy_auth_map = local.policies.policy_auth_map
policy_rules_map = local.policies.policy_rules_map policy_rules_map = local.policies.policy_rules_map
+10
View File
@@ -23,6 +23,12 @@ provider "gpg" {
address = local.vault_addr address = local.vault_addr
} }
# The rancher token secrets engine is managed through its own provider (same
# Vault server; token falls back to VAULT_TOKEN).
provider "rancher" {
address = local.vault_addr
}
terraform { terraform {
backend "consul" { backend "consul" {
address = "https://consul.service.consul" address = "https://consul.service.consul"
@@ -49,6 +55,10 @@ terraform {
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/gpgvaultsecret" source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/gpgvaultsecret"
version = "0.1.0" version = "0.1.0"
} }
rancher = {
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/ranchervaultsecret"
version = "0.1.0"
}
} }
} }
EOF EOF
+61
View File
@@ -334,6 +334,18 @@ module "litellm_secret_backend_role" {
depends_on = [module.litellm_secret_backend] depends_on = [module.litellm_secret_backend]
} }
module "plugin" {
source = "./modules/plugin"
for_each = var.plugins
name = each.value.name
type = each.value.type
command = each.value.command
sha256 = each.value.sha256
plugin_version = each.value.version
}
module "gpg_secret_backend" { module "gpg_secret_backend" {
source = "./modules/gpg_secret_backend" source = "./modules/gpg_secret_backend"
@@ -342,6 +354,8 @@ module "gpg_secret_backend" {
path = each.key path = each.key
plugin = each.value.plugin plugin = each.value.plugin
description = each.value.description description = each.value.description
depends_on = [module.plugin]
} }
module "gpg_key" { module "gpg_key" {
@@ -360,6 +374,53 @@ module "gpg_key" {
depends_on = [module.gpg_secret_backend] depends_on = [module.gpg_secret_backend]
} }
module "rancher_secret_backend" {
source = "./modules/rancher_secret_backend"
for_each = var.rancher_secret_backend
path = each.key
plugin = each.value.plugin
description = each.value.description
rancher_url = each.value.rancher_url
ca_cert = each.value.ca_cert
tls_skip_verify = each.value.tls_skip_verify
request_timeout_seconds = each.value.request_timeout_seconds
depends_on = [module.plugin]
}
module "rancher_secret_backend_service_account" {
source = "./modules/rancher_secret_backend_service_account"
for_each = var.rancher_secret_backend_service_account
backend = each.value.backend
name = each.value.name
country = var.country
region = var.region
token_ttl = each.value.token_ttl
rotation_period = each.value.rotation_period
depends_on = [module.rancher_secret_backend]
}
module "rancher_secret_backend_role" {
source = "./modules/rancher_secret_backend_role"
for_each = var.rancher_secret_backend_role
backend = each.value.backend
name = each.value.name
service_account = each.value.service_account
cluster_name = each.value.cluster_name
description = each.value.description
ttl = each.value.ttl
max_ttl = each.value.max_ttl
depends_on = [module.rancher_secret_backend_service_account]
}
module "vault_policy" { module "vault_policy" {
source = "./modules/vault_policy" source = "./modules/vault_policy"
@@ -0,0 +1,12 @@
# Registers ("imports") a plugin binary in the Vault/OpenBao plugin catalog so
# it can be mounted. The binary must already exist in the server
# plugin_directory (installed out of band, e.g. by Puppet); `command` is its
# filename there. The sha256 must match the on-disk binary or the server refuses
# to launch the plugin.
resource "vault_plugin" "this" {
type = var.type
name = var.name
command = coalesce(var.command, var.name)
sha256 = var.sha256
version = var.plugin_version
}
@@ -0,0 +1,9 @@
terraform {
required_version = ">= 1.10"
required_providers {
vault = {
source = "hashicorp/vault"
version = "5.6.0"
}
}
}
@@ -0,0 +1,27 @@
variable "name" {
description = "Name to register the plugin under in the catalog (also the mount type)"
type = string
}
variable "type" {
description = "Plugin type: secret, auth or database"
type = string
default = "secret"
}
variable "command" {
description = "Plugin binary filename relative to the server plugin_directory. Defaults to the plugin name."
type = string
default = null
}
variable "sha256" {
description = "SHA-256 of the installed plugin binary; must match the on-disk binary"
type = string
}
variable "plugin_version" {
description = "Optional plugin version to register the catalog entry under"
type = string
default = null
}
@@ -0,0 +1,13 @@
# Mounts the rancher secrets engine and writes its connection config via the
# ranchervaultsecret provider. The plugin is registered ("imported") in the
# catalog separately (config/plugins/vault-plugin-secrets-rancher.yaml). Seeded
# service-account tokens and roles are managed by the sibling modules.
resource "rancher_secret_backend" "this" {
path = var.path
plugin = var.plugin
description = var.description
rancher_url = var.rancher_url
ca_cert = var.ca_cert
tls_skip_verify = var.tls_skip_verify
request_timeout_seconds = var.request_timeout_seconds
}
@@ -0,0 +1,9 @@
terraform {
required_version = ">= 1.10"
required_providers {
rancher = {
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/ranchervaultsecret"
version = "0.1.0"
}
}
}
@@ -0,0 +1,39 @@
variable "path" {
description = "Mount path of the rancher secrets engine (e.g. \"rancher\")"
type = string
}
variable "plugin" {
description = "Registered plugin name to mount (the catalog name = mount type)"
type = string
default = "vault-plugin-secrets-rancher"
}
variable "description" {
description = "Human-friendly description of the mount"
type = string
default = null
}
variable "rancher_url" {
description = "Base URL of the Rancher server (e.g. https://rancher.k8s.syd1.au.unkin.net)"
type = string
}
variable "ca_cert" {
description = "PEM CA certificate that signed the Rancher server's TLS cert (optional; omit to use the system trust store)"
type = string
default = null
}
variable "tls_skip_verify" {
description = "Skip TLS verification of the Rancher server (not recommended)"
type = bool
default = false
}
variable "request_timeout_seconds" {
description = "HTTP timeout in seconds for calls from the plugin to Rancher"
type = number
default = 30
}
@@ -0,0 +1,11 @@
# A role that mints short-lived, optionally cluster-scoped rancher tokens from a
# service account. Reading rancher/creds/<name> produces a lease-bound token.
resource "rancher_secret_backend_role" "this" {
backend = var.backend
name = var.name
service_account = var.service_account
cluster_name = var.cluster_name
description = var.description
ttl = var.ttl
max_ttl = var.max_ttl
}
@@ -0,0 +1,9 @@
terraform {
required_version = ">= 1.10"
required_providers {
rancher = {
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/ranchervaultsecret"
version = "0.1.0"
}
}
}
@@ -0,0 +1,38 @@
variable "backend" {
description = "Mount path of the rancher secrets engine this role lives on"
type = string
}
variable "name" {
description = "Role name"
type = string
}
variable "service_account" {
description = "Service account (seeded token) used to mint credentials; its user's RBAC is inherited by minted tokens"
type = string
}
variable "cluster_name" {
description = "Downstream cluster to scope minted tokens to (empty = full Rancher-server scope)"
type = string
default = null
}
variable "description" {
description = "Description applied to each minted Rancher token"
type = string
default = null
}
variable "ttl" {
description = "Default lease TTL in seconds for tokens minted from this role"
type = number
default = null
}
variable "max_ttl" {
description = "Maximum lease TTL in seconds for tokens minted from this role"
type = number
default = null
}
@@ -0,0 +1,18 @@
# Seeds an auto-rotated rancher service-account token. The seed token is
# sensitive and read from KV, not stored in git:
# kv/service/vault/<country>/<region>/secret_backend/<backend>/service_account/<name>
# Expected keys: token (required), token_name (optional, the ext.cattle.io Token
# metadata.name so the engine can delete the seed after the first rotation).
data "vault_kv_secret_v2" "seed" {
mount = "kv"
name = "service/vault/${var.country}/${var.region}/secret_backend/${var.backend}/service_account/${var.name}"
}
resource "rancher_secret_backend_service_account" "this" {
backend = var.backend
name = var.name
token = data.vault_kv_secret_v2.seed.data["token"]
token_name = lookup(data.vault_kv_secret_v2.seed.data, "token_name", null)
token_ttl = var.token_ttl
rotation_period = var.rotation_period
}
@@ -0,0 +1,13 @@
terraform {
required_version = ">= 1.10"
required_providers {
vault = {
source = "hashicorp/vault"
version = "5.6.0"
}
rancher = {
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/ranchervaultsecret"
version = "0.1.0"
}
}
}
@@ -0,0 +1,31 @@
variable "backend" {
description = "Mount path of the rancher secrets engine this service account lives on"
type = string
}
variable "name" {
description = "Service-account name"
type = string
}
variable "country" {
description = "Country code, used to locate the seed token in KV"
type = string
}
variable "region" {
description = "Region code, used to locate the seed token in KV"
type = string
}
variable "token_ttl" {
description = "Lifetime in seconds requested for each rotated replacement token (default: engine default, 90d)"
type = number
default = null
}
variable "rotation_period" {
description = "Seconds a token is used before rotation (default: engine default, 45d). Must be < token_ttl"
type = number
default = null
}
+50
View File
@@ -315,6 +315,18 @@ variable "litellm_secret_backend_role" {
default = {} default = {}
} }
variable "plugins" {
description = "Map of plugins to import (register) in the catalog, keyed by catalog name"
type = map(object({
name = string
type = optional(string, "secret")
command = optional(string)
sha256 = string
version = optional(string)
}))
default = {}
}
variable "gpg_secret_backend" { variable "gpg_secret_backend" {
description = "Map of GPG/OpenPGP secret engines to mount (path => registered plugin + description). The plugin is registered separately via config/plugins." description = "Map of GPG/OpenPGP secret engines to mount (path => registered plugin + description). The plugin is registered separately via config/plugins."
type = map(object({ type = map(object({
@@ -338,6 +350,44 @@ variable "gpg_key" {
default = {} default = {}
} }
variable "rancher_secret_backend" {
description = "Map of rancher token secret engines to create (mount + config)"
type = map(object({
plugin = optional(string, "vault-plugin-secrets-rancher")
description = optional(string)
rancher_url = string
ca_cert = optional(string)
tls_skip_verify = optional(bool, false)
request_timeout_seconds = optional(number, 30)
}))
default = {}
}
variable "rancher_secret_backend_service_account" {
description = "Map of seeded, auto-rotated rancher service-account tokens (seed token read from KV)"
type = map(object({
name = string
backend = string
token_ttl = optional(number)
rotation_period = optional(number)
}))
default = {}
}
variable "rancher_secret_backend_role" {
description = "Map of rancher token-minting roles to create"
type = map(object({
name = string
backend = string
service_account = string
cluster_name = optional(string)
description = optional(string)
ttl = optional(number)
max_ttl = optional(number)
}))
default = {}
}
variable "policy_auth_map" { variable "policy_auth_map" {
description = "Map of auth mounts -> auth roles -> policy names" description = "Map of auth mounts -> auth roles -> policy names"
type = map(map(list(string))) type = map(map(list(string)))
+35
View File
@@ -0,0 +1,35 @@
# Allow the vault deployer to import the gpg plugin and manage its OpenPGP keys.
#
# terraform-vault registers the plugin itself (vault_plugin -> sys/plugins/catalog,
# a sudo-protected path) and manages keys via the gpgvaultsecret provider, so the
# deployer needs catalog access on top of the mount access it already has
# (sys/mounts/*). Without this, apply 403s on the plugin registration and on
# gpg/keys writes.
---
rules:
# Import / register (and deregister) the gpg plugin in the catalog.
- path: "sys/plugins/catalog/secret/vault-plugin-secrets-gpg"
capabilities:
- create
- read
- update
- delete
- sudo
# Manage keys (create/rotate/config/delete) in the gpg mount.
- path: "gpg/keys/*"
capabilities:
- create
- read
- update
- delete
- list
- path: "gpg/keys"
capabilities:
- read
- list
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault