933de177fa
ci/woodpecker/push/apply Pipeline was successful
Complete the deploy of the [vault-plugin-secrets-gpg](https://git.unkin.net/unkin/vault-plugin-secrets-gpg) engine. Puppet ([puppet-prod #480](unkin/puppet-prod#480)) installs the `openbao-plugin-secrets-gpg` RPM onto the OpenBao nodes; this registers that binary in the plugin catalog and enables the secrets engine so `gpg/` is actually usable. - Add a `gpg_secret_backend` module using the standard `hashicorp/vault` provider (already required at 5.6.0): `vault_plugin` (catalog register with a pinned sha256) + `vault_mount` (enable at the mount path). - Wire it through `vault_cluster` (new `gpg_secret_backend` variable + module block) and the config discovery (`config.hcl` group + syd1 terragrunt input), mirroring `litellm_secret_backend`. - Add `config/gpg_secret_backend/gpg.yaml` mounting at `gpg/` and pinning the released v0.1.0 binary sha256 (`0e92d740…a7b20`, extracted from the published RPM). Puppet installs the RPM floating, so this sha must be bumped in lockstep on any plugin upgrade or OpenBao rejects the binary. Validated locally with `tofu validate` + `tofu fmt`. Granting non-root access to `gpg/*` (auth roles + policies) is a follow-up scoped to whoever consumes the engine (e.g. passv from CI). Reviewed-on: #87 Co-authored-by: Ben Vincent <ben@unkin.net> Co-committed-by: Ben Vincent <ben@unkin.net>
56 lines
1.3 KiB
HCL
56 lines
1.3 KiB
HCL
# Generate root backend.tf
|
|
generate "backend" {
|
|
path = "backend.tf"
|
|
if_exists = "overwrite"
|
|
contents = <<EOF
|
|
locals {
|
|
vault_addr = "https://vault.service.consul:8200"
|
|
}
|
|
|
|
provider "vault" {
|
|
address = local.vault_addr
|
|
}
|
|
|
|
# The LiteLLM secrets engine is managed through its own provider, which talks to
|
|
# the same Vault server. Token falls back to the VAULT_TOKEN environment variable.
|
|
provider "litellm" {
|
|
address = local.vault_addr
|
|
}
|
|
|
|
# The gpg secrets engine's keys are managed through its own provider (same Vault
|
|
# server; token falls back to VAULT_TOKEN).
|
|
provider "gpg" {
|
|
address = local.vault_addr
|
|
}
|
|
|
|
terraform {
|
|
backend "consul" {
|
|
address = "https://consul.service.consul"
|
|
path = "infra/terraform/vault/${path_relative_to_include()}/state"
|
|
scheme = "https"
|
|
lock = true
|
|
ca_file = "/etc/pki/tls/certs/ca-bundle.crt"
|
|
}
|
|
required_version = ">= 1.10"
|
|
required_providers {
|
|
vault = {
|
|
source = "hashicorp/vault"
|
|
version = "5.6.0"
|
|
}
|
|
consul = {
|
|
source = "hashicorp/consul"
|
|
version = "2.23.0"
|
|
}
|
|
litellm = {
|
|
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/litellmvaultsecret"
|
|
version = "0.1.0"
|
|
}
|
|
gpg = {
|
|
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/gpgvaultsecret"
|
|
version = "0.1.0"
|
|
}
|
|
}
|
|
}
|
|
EOF
|
|
}
|