2026-03-07 13:57:42 +00:00
|
|
|
#!/usr/bin/env bash
|
2026-03-17 22:37:56 +00:00
|
|
|
# scripts/tg — wrapper: decrypt state before, encrypt+commit after mutating ops
|
2026-03-07 13:57:42 +00:00
|
|
|
# Usage: scripts/tg apply --non-interactive
|
|
|
|
|
# scripts/tg run --all -- plan
|
remove SOPS pipeline, deploy ESO + Vault DB/K8s engines
Vault is now the sole source of truth for secrets. SOPS pipeline
removed entirely — auth via `vault login -method=oidc`.
Part A: SOPS removal
- vault/main.tf: delete 990 lines (93 vars + 43 KV write resources),
add self-read data source for OIDC creds from secret/vault
- terragrunt.hcl: remove SOPS var loading, vault_root_token, check_secrets hook
- scripts/tg: remove SOPS decryption, keep -auto-approve logic
- .woodpecker/default.yml: replace SOPS with Vault K8s auth via curl
- Delete secrets.sops.json, .sops.yaml
Part B: External Secrets Operator
- New stack stacks/external-secrets/ with Helm chart + 2 ClusterSecretStores
(vault-kv for KV v2, vault-database for DB engine)
Part C: Database secrets engine (in vault/main.tf)
- MySQL + PostgreSQL connections with static role rotation (24h)
- 6 MySQL roles (speedtest, wrongmove, codimd, nextcloud, shlink, grafana)
- 6 PostgreSQL roles (trading, health, linkwarden, affine, woodpecker, claude_memory)
Part D: Kubernetes secrets engine (in vault/main.tf)
- RBAC for Vault SA to manage K8s tokens
- Roles: dashboard-admin, ci-deployer, openclaw, local-admin
- New scripts/vault-kubeconfig helper for dynamic kubeconfig
K8s auth method with scoped policies for CI, ESO, OpenClaw, Woodpecker sync.
2026-03-15 16:37:38 +00:00
|
|
|
# Auth: `vault login -method=oidc` (token at ~/.vault-token)
|
2026-03-07 13:57:42 +00:00
|
|
|
set -euo pipefail
|
|
|
|
|
|
2026-03-17 22:37:56 +00:00
|
|
|
REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
|
|
|
|
|
SYNC="$REPO_ROOT/scripts/state-sync"
|
|
|
|
|
|
|
|
|
|
# Determine stack name from cwd (relative to stacks/)
|
|
|
|
|
STACK_NAME=""
|
|
|
|
|
cwd="$(pwd)"
|
|
|
|
|
stacks_dir="$REPO_ROOT/stacks"
|
|
|
|
|
if [[ "$cwd" == "$stacks_dir"/* ]]; then
|
|
|
|
|
# Get first path component relative to stacks/
|
|
|
|
|
rel="${cwd#$stacks_dir/}"
|
|
|
|
|
STACK_NAME="${rel%%/*}"
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
# Decrypt state before any operation
|
|
|
|
|
if [ -n "$STACK_NAME" ] && [ -f "$REPO_ROOT/state/stacks/$STACK_NAME/terraform.tfstate.enc" ]; then
|
|
|
|
|
"$SYNC" decrypt "$STACK_NAME"
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
# Detect if this is a mutating operation
|
|
|
|
|
is_mutating=false
|
|
|
|
|
for arg in "$@"; do
|
|
|
|
|
case "$arg" in
|
|
|
|
|
apply|destroy|import|state) is_mutating=true ;;
|
|
|
|
|
esac
|
|
|
|
|
done
|
|
|
|
|
|
2026-03-14 23:42:08 +00:00
|
|
|
# If running apply with --non-interactive, add -auto-approve for Terraform
|
|
|
|
|
args=("$@")
|
|
|
|
|
has_apply=false
|
|
|
|
|
has_non_interactive=false
|
|
|
|
|
for arg in "${args[@]}"; do
|
|
|
|
|
case "$arg" in
|
|
|
|
|
apply) has_apply=true ;;
|
|
|
|
|
--non-interactive) has_non_interactive=true ;;
|
|
|
|
|
esac
|
|
|
|
|
done
|
|
|
|
|
|
|
|
|
|
if $has_apply && $has_non_interactive; then
|
|
|
|
|
# Rebuild args: insert -auto-approve after apply
|
|
|
|
|
new_args=()
|
|
|
|
|
for arg in "${args[@]}"; do
|
|
|
|
|
new_args+=("$arg")
|
|
|
|
|
if [ "$arg" = "apply" ]; then
|
|
|
|
|
new_args+=("-auto-approve")
|
|
|
|
|
fi
|
|
|
|
|
done
|
2026-03-17 22:37:56 +00:00
|
|
|
terragrunt "${new_args[@]}"
|
2026-03-14 23:42:08 +00:00
|
|
|
else
|
2026-03-17 22:37:56 +00:00
|
|
|
terragrunt "$@"
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
# After mutating operations, encrypt and commit
|
|
|
|
|
if $is_mutating && [ -n "$STACK_NAME" ]; then
|
|
|
|
|
"$SYNC" encrypt "$STACK_NAME"
|
|
|
|
|
cd "$REPO_ROOT"
|
|
|
|
|
git add "state/stacks/$STACK_NAME/terraform.tfstate.enc"
|
|
|
|
|
if ! git diff --cached --quiet; then
|
|
|
|
|
git commit -m "state($STACK_NAME): update encrypted state"
|
|
|
|
|
fi
|
2026-03-14 23:42:08 +00:00
|
|
|
fi
|