migrate all secrets from SOPS to Vault KV
- Add vault provider to root terragrunt.hcl (generated providers.tf) - Delete stacks/vault/vault_provider.tf (now in generated providers.tf) - Add 124 variable declarations + 43 vault_kv_secret_v2 resources to vault/main.tf to populate Vault KV at secret/<stack-name> - Migrate 43 consuming stacks to read secrets from Vault KV via data "vault_kv_secret_v2" instead of SOPS var-file - Add dependency "vault" to all migrated stacks' terragrunt.hcl - Complex types (maps/lists) stored as JSON strings, decoded with jsondecode() in locals blocks Bootstrap secrets (vault_root_token, vault_authentik_client_id, vault_authentik_client_secret) remain in SOPS permanently. Apply order: vault stack first (populates KV), then all others.
This commit is contained in:
Viktor Barzin
parent
39b7dac1a9
commit
a8d944eb9b
126 changed files with 1635 additions and 817 deletions
|
|
@ -2,30 +2,9 @@ variable "tls_secret_name" {
|
|||
type = string
|
||||
sensitive = true
|
||||
}
|
||||
variable "webhook_handler_secret" {
|
||||
type = string
|
||||
sensitive = true
|
||||
}
|
||||
variable "webhook_handler_fb_verify_token" {
|
||||
type = string
|
||||
sensitive = true
|
||||
}
|
||||
variable "webhook_handler_fb_page_token" {
|
||||
type = string
|
||||
sensitive = true
|
||||
}
|
||||
variable "webhook_handler_fb_app_secret" {
|
||||
type = string
|
||||
sensitive = true
|
||||
}
|
||||
variable "webhook_handler_git_user" { type = string }
|
||||
variable "webhook_handler_git_token" {
|
||||
type = string
|
||||
sensitive = true
|
||||
}
|
||||
variable "webhook_handler_ssh_key" {
|
||||
type = string
|
||||
sensitive = true
|
||||
data "vault_kv_secret_v2" "secrets" {
|
||||
mount = "secret"
|
||||
name = "webhook-handler"
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -85,7 +64,7 @@ resource "kubernetes_secret" "ssh-key" {
|
|||
}
|
||||
}
|
||||
data = {
|
||||
"id_rsa" = var.webhook_handler_ssh_key
|
||||
"id_rsa" = data.vault_kv_secret_v2.secrets.data["ssh_key"]
|
||||
}
|
||||
type = "generic"
|
||||
}
|
||||
|
|
@ -148,19 +127,19 @@ resource "kubernetes_deployment" "webhook_handler" {
|
|||
}
|
||||
env {
|
||||
name = "WEBHOOKSECRET"
|
||||
value = var.webhook_handler_secret
|
||||
value = data.vault_kv_secret_v2.secrets.data["secret"]
|
||||
}
|
||||
env {
|
||||
name = "FB_APP_SECRET"
|
||||
value = var.webhook_handler_fb_app_secret
|
||||
value = data.vault_kv_secret_v2.secrets.data["fb_app_secret"]
|
||||
}
|
||||
env {
|
||||
name = "FB_VERIFY_TOKEN"
|
||||
value = var.webhook_handler_fb_verify_token
|
||||
value = data.vault_kv_secret_v2.secrets.data["fb_verify_token"]
|
||||
}
|
||||
env {
|
||||
name = "FB_PAGE_TOKEN"
|
||||
value = var.webhook_handler_fb_page_token
|
||||
value = data.vault_kv_secret_v2.secrets.data["fb_page_token"]
|
||||
}
|
||||
env {
|
||||
name = "CONFIG"
|
||||
|
|
@ -168,11 +147,11 @@ resource "kubernetes_deployment" "webhook_handler" {
|
|||
}
|
||||
env {
|
||||
name = "GIT_USER"
|
||||
value = var.webhook_handler_git_user
|
||||
value = data.vault_kv_secret_v2.secrets.data["git_user"]
|
||||
}
|
||||
env {
|
||||
name = "GIT_TOKEN"
|
||||
value = var.webhook_handler_git_token
|
||||
value = data.vault_kv_secret_v2.secrets.data["git_token"]
|
||||
}
|
||||
env {
|
||||
name = "SSH_KEY"
|
||||
|
|
|
|||
|
|
@ -6,3 +6,8 @@ dependency "platform" {
|
|||
config_path = "../platform"
|
||||
skip_outputs = true
|
||||
}
|
||||
|
||||
dependency "vault" {
|
||||
config_path = "../vault"
|
||||
skip_outputs = true
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue