remove SOPS pipeline, deploy ESO + Vault DB/K8s engines

Vault is now the sole source of truth for secrets. SOPS pipeline removed entirely — auth via `vault login -method=oidc`. Part A: SOPS removal - vault/main.tf: delete 990 lines (93 vars + 43 KV write resources), add self-read data source for OIDC creds from secret/vault - terragrunt.hcl: remove SOPS var loading, vault_root_token, check_secrets hook - scripts/tg: remove SOPS decryption, keep -auto-approve logic - .woodpecker/default.yml: replace SOPS with Vault K8s auth via curl - Delete secrets.sops.json, .sops.yaml Part B: External Secrets Operator - New stack stacks/external-secrets/ with Helm chart + 2 ClusterSecretStores (vault-kv for KV v2, vault-database for DB engine) Part C: Database secrets engine (in vault/main.tf) - MySQL + PostgreSQL connections with static role rotation (24h) - 6 MySQL roles (speedtest, wrongmove, codimd, nextcloud, shlink, grafana) - 6 PostgreSQL roles (trading, health, linkwarden, affine, woodpecker, claude_memory) Part D: Kubernetes secrets engine (in vault/main.tf) - RBAC for Vault SA to manage K8s tokens - Roles: dashboard-admin, ci-deployer, openclaw, local-admin - New scripts/vault-kubeconfig helper for dynamic kubeconfig K8s auth method with scoped policies for CI, ESO, OpenClaw, Woodpecker sync.
2026-03-15 16:37:38 +00:00 · 2026-03-15 16:37:38 +00:00 · 3aba29e7a3
commit 3aba29e7a3
parent d17a6e2fd3
25 changed files with 680 additions and 1357 deletions
--- a/.woodpecker/default.yml
+++ b/.woodpecker/default.yml
@ -18,12 +18,13 @@ steps:
      - |
        curl -k https://10.0.20.100:6443/api/v1/namespaces/woodpecker/configmaps/git-crypt-key -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" | jq -r .data.key | base64 -d > /tmp/key
      - "git-crypt unlock /tmp/key && rm /tmp/key"
-      # SOPS: download to workspace (shared across steps), decrypt secrets
-      - "wget -qO ./sops https://github.com/getsops/sops/releases/download/v3.9.4/sops-v3.9.4.linux.amd64 && chmod +x ./sops"
-      - "echo \"$SOPS_AGE_KEY\" > /tmp/age.key && SOPS_AGE_KEY_FILE=/tmp/age.key ./sops -d secrets.sops.json > secrets.auto.tfvars.json && rm -f /tmp/age.key"
-    environment:
-      SOPS_AGE_KEY:
-        from_secret: sops_age_key
+      # Vault: authenticate via K8s service account JWT
+      - |
+        SA_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+        VAULT_TOKEN=$(curl -s -X POST http://vault-active.vault.svc.cluster.local:8200/v1/auth/kubernetes/login \
+          -d "{\"role\":\"ci\",\"jwt\":\"$SA_TOKEN\"}" | jq -r .auth.client_token)
+        echo "export VAULT_TOKEN=$VAULT_TOKEN" > .vault-env
+        echo "export VAULT_ADDR=http://vault-active.vault.svc.cluster.local:8200" >> .vault-env

  - name: terragrunt-apply
    image: alpine
@ -35,13 +36,15 @@ steps:
      # Install Terragrunt
      - "wget -qO /usr/local/bin/terragrunt https://github.com/gruntwork-io/terragrunt/releases/download/v0.99.4/terragrunt_linux_amd64"
      - "chmod 755 /usr/local/bin/terragrunt"
+      # Source Vault token
+      - "source .vault-env"
      # Apply platform stack (core infrastructure services)
      - "cd stacks/platform && terragrunt apply --non-interactive -auto-approve"

  - name: cleanup-and-push
    image: alpine
    commands:
-      - "rm -f secrets.auto.tfvars.json secrets.auto.tfvars.json.*"
+      - "rm -f .vault-env"
      - "apk update && apk add openssh-client git git-crypt"
      - "mkdir -p ~/.ssh && ssh-keyscan -H github.com >> ~/.ssh/known_hosts"
      - "chmod 400 secrets/deploy_key"