viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

vault-token-renew: version the devvm renewer + user units in the repo

Browse source 
The devvm periodic Vault admin token (token-devvm-wizard, period=768h, policies default+sops-admin+vault-admin) is kept alive by a systemd user timer, but the renewer script + units lived only under ~/.local/bin and ~/.config/systemd/user — lost on a devvm rebuild. Move them into the repo as the source of truth so a rebuild can restore them. (version-only scope: behavior unchanged; no canonical-file/self-heal added.)

- scripts/vault-token-renew.{sh,service,timer}: renewer + user units, refactored into pure drift-guard functions + a guarded main (behavior identical; deployed live and verified still renewing with full write access).

- scripts/test-vault-token-renew.sh: unit-tests the drift guard + lookup-JSON parsing, incl. the 2026-06-05 woodpecker-clobber case (17 assertions).

- docs/runbooks/vault-token-renew-devvm.md: deploy, mint/re-mint, health-check, drift recovery.

- docs/architecture/secrets.md: correct the stale '~/.vault-token = OIDC token' description for devvm.

[ci skip]

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin 2026-06-07 16:26:01 +00:00
parent f9d5cd6243
commit d4ec5768b2
6 changed files with 289 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

11
docs/architecture/secrets.md
View file

@ -77,7 +77,7 @@ graph LR
- Application configuration secrets
- Encryption keys
Authentication: `vault login -method=oidc` (Authentik SSO) → `~/.vault-token` → read by Vault Terraform provider.
Authentication: `vault login -method=oidc` (Authentik SSO) → `~/.vault-token` → read by Vault Terraform provider. On `devvm`, `~/.vault-token` instead holds a long-lived **periodic** admin token auto-renewed daily by a systemd user timer (no weekly re-login) — see the [vault-token-renew-devvm runbook](../runbooks/vault-token-renew-devvm.md).
### External Secrets Operator (ESO)
@ -260,7 +260,14 @@ spec:
### Terraform Provider Auth
`~/.vault-token` created by `vault login -method=oidc`:
The provider reads `VAULT_ADDR` from env and the token from `~/.vault-token`.
That file is populated by `vault login -method=oidc` (humans, ad-hoc) — except
on `devvm`, where it holds a long-lived **periodic** admin token (`display_name
token-devvm-wizard`, `period=768h`, `explicit_max_ttl=0`, policies
`default`+`sops-admin`+`vault-admin`) that a systemd user timer renews daily, so
no weekly re-login is needed. A drift guard refuses to renew if a stray
`vault login` clobbers the file with a foreign token. Deploy + recovery:
[vault-token-renew-devvm runbook](../runbooks/vault-token-renew-devvm.md).
```hcl
provider "vault" {