remove SOPS pipeline, deploy ESO + Vault DB/K8s engines
Vault is now the sole source of truth for secrets. SOPS pipeline removed entirely — auth via `vault login -method=oidc`. Part A: SOPS removal - vault/main.tf: delete 990 lines (93 vars + 43 KV write resources), add self-read data source for OIDC creds from secret/vault - terragrunt.hcl: remove SOPS var loading, vault_root_token, check_secrets hook - scripts/tg: remove SOPS decryption, keep -auto-approve logic - .woodpecker/default.yml: replace SOPS with Vault K8s auth via curl - Delete secrets.sops.json, .sops.yaml Part B: External Secrets Operator - New stack stacks/external-secrets/ with Helm chart + 2 ClusterSecretStores (vault-kv for KV v2, vault-database for DB engine) Part C: Database secrets engine (in vault/main.tf) - MySQL + PostgreSQL connections with static role rotation (24h) - 6 MySQL roles (speedtest, wrongmove, codimd, nextcloud, shlink, grafana) - 6 PostgreSQL roles (trading, health, linkwarden, affine, woodpecker, claude_memory) Part D: Kubernetes secrets engine (in vault/main.tf) - RBAC for Vault SA to manage K8s tokens - Roles: dashboard-admin, ci-deployer, openclaw, local-admin - New scripts/vault-kubeconfig helper for dynamic kubeconfig K8s auth method with scoped policies for CI, ESO, OpenClaw, Woodpecker sync.
This commit is contained in:
Viktor Barzin
parent
d17a6e2fd3
commit
3aba29e7a3
25 changed files with 680 additions and 1357 deletions
|
|
@ -13,9 +13,8 @@ remote_state {
|
|||
}
|
||||
}
|
||||
|
||||
# Load config.tfvars (plaintext) + secrets.auto.tfvars.json (SOPS-decrypted).
|
||||
# Run `scripts/tg` instead of raw `terragrunt` — it decrypts secrets first.
|
||||
# Falls back to terraform.tfvars if it exists (migration compatibility).
|
||||
# Load config.tfvars (plaintext) + terraform.tfvars (git-crypt encrypted, migration).
|
||||
# Secrets come from Vault KV — authenticate via `vault login -method=oidc`.
|
||||
terraform {
|
||||
extra_arguments "common_vars" {
|
||||
commands = get_terraform_commands_that_need_vars()
|
||||
|
|
@ -23,8 +22,7 @@ terraform {
|
|||
"${get_repo_root()}/config.tfvars"
|
||||
]
|
||||
optional_var_files = [
|
||||
"${get_repo_root()}/terraform.tfvars",
|
||||
"${get_repo_root()}/secrets.auto.tfvars.json"
|
||||
"${get_repo_root()}/terraform.tfvars"
|
||||
]
|
||||
}
|
||||
|
||||
|
|
@ -34,12 +32,6 @@ terraform {
|
|||
"-var", "kube_config_path=${get_repo_root()}/config"
|
||||
]
|
||||
}
|
||||
|
||||
# Safety: fail if neither secrets source exists
|
||||
before_hook "check_secrets" {
|
||||
commands = ["apply", "plan", "destroy"]
|
||||
execute = ["sh", "-c", "test -f ${get_repo_root()}/secrets.auto.tfvars.json || test -f ${get_repo_root()}/terraform.tfvars || (echo 'ERROR: No secrets file found. Run scripts/tg instead of terragrunt directly.' && exit 1)"]
|
||||
}
|
||||
}
|
||||
|
||||
# Generate kubernetes + helm providers for K8s stacks.
|
||||
|
|
@ -62,12 +54,6 @@ variable "kube_config_path" {
|
|||
default = "~/.kube/config"
|
||||
}
|
||||
|
||||
variable "vault_root_token" {
|
||||
type = string
|
||||
sensitive = true
|
||||
default = ""
|
||||
}
|
||||
|
||||
provider "kubernetes" {
|
||||
config_path = var.kube_config_path
|
||||
}
|
||||
|
|
@ -80,7 +66,6 @@ provider "helm" {
|
|||
|
||||
provider "vault" {
|
||||
address = "https://vault.viktorbarzin.me"
|
||||
token = var.vault_root_token
|
||||
skip_child_token = true
|
||||
}
|
||||
EOF
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue