Infra side of ADR-0014: an mTLS gRPC consumer of Calico Goldmane's Flows API that records the namespace-pair edge-set in CNPG and posts a daily new-edge digest to #security. Adds the goldmane-edge-aggregator stack, the pg-goldmane-edges Vault rotation role (Tier-0 vault state updated here), and the namespace in the ghcr-credentials allowlist. Cert: REUSES the operator-minted, Tigera-CA-signed whisker-backend client cert (Goldmane verifies only the CA chain, not identity) instead of minting from the Tigera CA private key. This avoids putting the CA key in TF state AND the hashicorp/tls provider, which is incompatible with this repo's global generate-providers/lockfile pattern (it broke every stack's lockfile). Verified live: aggregator streaming flows, 174 edges in Postgres across 50x54 namespaces, db+slack ExternalSecrets synced, digest dry-run formats correctly, private image pulls via the Kyverno-synced ghcr-credentials. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
24 lines
848 B
HCL
```hcl
include "root" {
  path = find_in_parent_folders()
}

# Tier-1 stack (PG state backend). The root terragrunt.hcl generates backend.tf
# (pg backend, schema_name = "goldmane-edge-aggregator"), providers.tf,
# cloudflare_provider.tf and tiers.tf automatically — do NOT hand-write those.
# This stack adds the hashicorp/tls provider via a local versions.tf (merged
# into the generated required_providers).

dependency "platform" {
  config_path  = "../platform"
  skip_outputs = true
}

dependency "vault" {
  config_path  = "../vault"
  skip_outputs = true
}

# The Vault DB static role pg-goldmane-edges (7-day rotation) and the CNPG
# connection allowlist entry live in the vault stack (stacks/vault/main.tf).
# The vault dependency above orders this stack after it so the ExternalSecret
# can materialize the rotated credential on first apply.
```
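The namespace-pair edge-set and daily new-edge digest the commit describes, as an added illustration that is not the goldmane-edge-aggregator's own code: it assumes Goldmane flow records expose source and destination namespace fields (the field names and sample flows here are constructed) and uses an in-memory dict in place of the CNPG edge table.

```python
"""Collapse flow records to namespace-pair edges, record first-seen dates,
and render the daily digest of edges not previously recorded."""
from collections import Counter

# Constructed sample flows in the shape the aggregator consumes.
SAMPLE_FLOWS = [
    {"source_namespace": "frontend", "dest_namespace": "api", "action": "Allow"},
    {"source_namespace": "api", "dest_namespace": "db", "action": "Allow"},
    {"source_namespace": "api", "dest_namespace": "db", "action": "Allow"},
    {"source_namespace": "batch", "dest_namespace": "db", "action": "Allow"},
    {"source_namespace": "frontend", "dest_namespace": "api", "action": "Deny"},
]

# Stand-in for the Postgres edge table: (src_ns, dst_ns) -> first-seen date.
KNOWN_EDGES = {("frontend", "api"): "2024-01-01", ("api", "db"): "2024-01-01"}


def flows_to_edges(flows):
    """Return a Counter of flows per (source_ns, dest_ns) pair.
    Denied flows are kept: a denied new pair is still a new attempted path."""
    counts = Counter()
    for f in flows:
        counts[(f["source_namespace"], f["dest_namespace"])] += 1
    return counts


def record_edges(observed, known, day):
    """Upsert observed edges into the table; returns (updated table, new edges).
    Existing rows keep their original first-seen date."""
    updated = dict(known)
    fresh = sorted(e for e in observed if e not in known)
    for edge in fresh:
        updated[edge] = day
    return updated, fresh


def format_digest(observed, known, day):
    """Render the daily digest: one line per new edge with its flow count."""
    _, fresh = record_edges(observed, known, day)
    header = f"Goldmane new-edge digest {day}: {len(fresh)} new of {len(observed)} edges"
    if not fresh:
        return header + " (no new namespace pairs)"
    body = [f"  {src} -> {dst} ({observed[(src, dst)]} flows)" for src, dst in fresh]
    return "\n".join([header, *body])


if __name__ == "__main__":
    print(format_digest(flows_to_edges(SAMPLE_FLOWS), KNOWN_EDGES, "2024-01-02"))
```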