remove SOPS pipeline, deploy ESO + Vault DB/K8s engines
Vault is now the sole source of truth for secrets. SOPS pipeline removed entirely — auth via `vault login -method=oidc`. Part A: SOPS removal - vault/main.tf: delete 990 lines (93 vars + 43 KV write resources), add self-read data source for OIDC creds from secret/vault - terragrunt.hcl: remove SOPS var loading, vault_root_token, check_secrets hook - scripts/tg: remove SOPS decryption, keep -auto-approve logic - .woodpecker/default.yml: replace SOPS with Vault K8s auth via curl - Delete secrets.sops.json, .sops.yaml Part B: External Secrets Operator - New stack stacks/external-secrets/ with Helm chart + 2 ClusterSecretStores (vault-kv for KV v2, vault-database for DB engine) Part C: Database secrets engine (in vault/main.tf) - MySQL + PostgreSQL connections with static role rotation (24h) - 6 MySQL roles (speedtest, wrongmove, codimd, nextcloud, shlink, grafana) - 6 PostgreSQL roles (trading, health, linkwarden, affine, woodpecker, claude_memory) Part D: Kubernetes secrets engine (in vault/main.tf) - RBAC for Vault SA to manage K8s tokens - Roles: dashboard-admin, ci-deployer, openclaw, local-admin - New scripts/vault-kubeconfig helper for dynamic kubeconfig K8s auth method with scoped policies for CI, ESO, OpenClaw, Woodpecker sync.
This commit is contained in:
Viktor Barzin
Viktor Barzin
parent
75577d800b
commit
afe3a8bf8d
25 changed files with 680 additions and 1357 deletions
18
scripts/tg
18
scripts/tg
|
|
@ -1,24 +1,10 @@
|
|||
#!/usr/bin/env bash
|
||||
# scripts/tg — wrapper: decrypt secrets then run terragrunt
|
||||
# scripts/tg — wrapper: inject -auto-approve for non-interactive apply
|
||||
# Usage: scripts/tg apply --non-interactive
|
||||
# scripts/tg run --all -- plan
|
||||
# Auth: `vault login -method=oidc` (token at ~/.vault-token)
|
||||
set -euo pipefail
|
||||
|
||||
REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
|
||||
SOPS_FILE="$REPO_ROOT/secrets.sops.json"
|
||||
OUT_FILE="$REPO_ROOT/secrets.auto.tfvars.json"
|
||||
|
||||
# Decrypt if needed (skips if already decrypted and up-to-date)
|
||||
if [ -f "$SOPS_FILE" ]; then
|
||||
if [ ! -f "$OUT_FILE" ] || [ "$SOPS_FILE" -nt "$OUT_FILE" ]; then
|
||||
TEMP=$(mktemp "$OUT_FILE.XXXXXX")
|
||||
trap "rm -f '$TEMP'" EXIT
|
||||
sops -d "$SOPS_FILE" > "$TEMP"
|
||||
mv "$TEMP" "$OUT_FILE"
|
||||
echo "Decrypted secrets.sops.json → secrets.auto.tfvars.json"
|
||||
fi
|
||||
fi
|
||||
|
||||
# If running apply with --non-interactive, add -auto-approve for Terraform
|
||||
args=("$@")
|
||||
has_apply=false
|
||||
|
|
|
|||
10
scripts/vault-kubeconfig
Executable file
10
scripts/vault-kubeconfig
Executable file
|
|
@ -0,0 +1,10 @@
|
|||
#!/usr/bin/env bash
|
||||
# Generate a short-lived kubeconfig from Vault K8s secrets engine.
|
||||
# Requires: vault login -method=oidc (or VAULT_TOKEN set)
|
||||
set -euo pipefail
|
||||
|
||||
TOKEN=$(vault write -format=json kubernetes/creds/local-admin kubernetes_namespace=default | jq -r .data.service_account_token)
|
||||
kubectl config set-credentials vault-admin --token="$TOKEN"
|
||||
kubectl config set-context vault --cluster=kubernetes --user=vault-admin
|
||||
kubectl config use-context vault
|
||||
echo "Kubeconfig set with 1h token"
|
||||
Loading…
Add table
Add a link
Reference in a new issue