
Deploy or rotate Vault secrets
ClosedPublic

Authored by dereckson on Mon, Mar 23, 00:32.
Tags
None
Referenced Files
F25461460: D4026.id10568.diff
Tue, Apr 14, 13:25
F25456662: D4026.id10535.diff
Tue, Apr 14, 09:16
F25456649: D4026.id10568.diff
Tue, Apr 14, 09:15
Subscribers
None

Details

Summary

Terraform/OpenTofu handles both the policies and the credentials that allow
other applications to connect to Vault.

Once the AppRole has been created or updated in Vault by Terraform/OpenTofu,
the relevant configuration files with the AppRole credentials must be provisioned.

This make deploy-secrets target makes it possible to automate each step and do a full
secrets rotation.

Reference: https://agora.nasqueron.org/Operations_grimoire/Deploy_with_Terraform

Diff Detail

Repository
rOPS Nasqueron Operations
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

dereckson created this revision.
dereckson retitled this revision from "Once the AppRole have been created or updated in Vault by Terraform/OpenTofu, the relevant configuration files with AppRole credentials must be provisioned." to "Deploy or rotate Vault secrets". Mon, Mar 23, 08:44
dereckson edited the summary of this revision. (Show Details)

Note: we're deploying a third secret for the CARP router scripts. If we already have that code merged, we'll need to append a line to deploy that state too.

How to target router-002 and router-003 through grains
-G, --grain
The target expression matches values returned by the Salt grains system on the minions. The target expression is in the format of '<grain value>:<glob expression>'; example: 'os:Arch*'

This was changed in version 0.9.8 to accept glob expressions instead of regular expression. To use regular expression matching with grains, use the --grain-pcre option.

--grain-pcre
The target expression matches values returned by the Salt grains system on the minions. The target expression is in the format of '<grain value>:<regular expression>'; example: 'os:Arch.*'

This revision is now accepted and ready to land. Wed, Mar 25, 13:26

Enable rotation of Vault AppRole credentials on CARP routers

Makefile, line 65

I wonder if we don't need wildcards, as it's a list: if a router has several roles, for example, router + bastion is a combo we considered several times.

[yousra@complector /opt/salt/nasqueron-operations]$ salt web-001 grains.get roles
web-001:
    - webserver-alkane
    - webserver-alkane
    - webserver-alkane-prod
    - saas-mediawiki
    - saas-wordpress

[yousra@complector /opt/salt/nasqueron-operations]$ salt -G 'roles:saas-wordpress' test.ping
web-001:
    True

I tested the targeting with a minion having multiple roles (list), and roles:<value> correctly matches entries inside the list. So roles:router should work even if the minion has additional roles.
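To make the list-matching behaviour discussed above reproducible offline, here is an added example (not code from this revision or from Salt itself) that approximates the documented `-G` (glob) and `--grain-pcre` (regex) semantics: the pattern is applied to each element of a list-valued grain. The web-001 roles are copied from the `grains.get roles` output above; the router-002 and router-003 grains are constructed for the example, since the page does not show them.

```python
import fnmatch
import re

# Constructed inventory. web-001 mirrors the `salt web-001 grains.get roles`
# output quoted in the review; the two routers are assumed, not taken from
# the page. Before pushing secrets, the selected set should be confirmed
# with a harmless module such as test.ping, as done in the review.
MINION_GRAINS = {
    "web-001": {"roles": ["webserver-alkane", "webserver-alkane",
                          "webserver-alkane-prod", "saas-mediawiki",
                          "saas-wordpress"]},
    "router-002": {"roles": ["router"]},
    "router-003": {"roles": ["router", "bastion"]},
}


def grain_matches(grains, expr, pcre=False):
    """Approximate Salt's '<grain>:<pattern>' targeting.

    Default mode is a glob (fnmatch, anchored at both ends, so a pattern
    without wildcards is an exact match). pcre=True uses re.match, which
    is anchored only at the start. A list-valued grain matches when any
    element matches the pattern; a missing grain never matches.
    """
    key, sep, pattern = expr.partition(":")
    if not sep or not pattern:
        raise ValueError("expression must be '<grain>:<pattern>'")
    value = grains.get(key)
    if value is None:
        return False
    values = value if isinstance(value, list) else [value]
    if pcre:
        return any(re.match(pattern, str(v)) is not None for v in values)
    return any(fnmatch.fnmatch(str(v), pattern) for v in values)


def target(expr, pcre=False, inventory=MINION_GRAINS):
    """Return the sorted minion ids a grain target expression selects."""
    return sorted(mid for mid, grains in inventory.items()
                  if grain_matches(grains, expr, pcre))


if __name__ == "__main__":
    for expr, pcre in [("roles:router", False), ("roles:saas-wordpress", False),
                       ("roles:webserver-alkane", False), ("roles:rout", False),
                       ("roles:rout", True)]:
        flag = "--grain-pcre" if pcre else "-G"
        print(f"salt {flag} '{expr}' -> {target(expr, pcre)}")
```

Note the asymmetry the last two cases show: `roles:rout` selects nothing in glob mode (exact element match), but selects both routers in pcre mode because `re.match` only anchors the start, which matters when a targeting expression decides where secrets land.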

This revision was automatically updated to reflect the committed changes.