
Deploy or rotate Vault secrets
Accepted, Public

Authored by dereckson on Mon, Mar 23, 00:32.
Tags
None
Referenced Files
F25162481: D4026.id10535.diff
Thu, Apr 2, 11:35
Subscribers
None

Details

Reviewers
yousra
Summary

Terraform/OpenTofu handles both the policies and the credentials that allow
other applications to connect to Vault.

Once the AppRoles have been created or updated in Vault by Terraform/OpenTofu,
the relevant configuration files with AppRole credentials must be provisioned.

This make deploy-secrets target automates each of these steps and performs a full
secrets rotation.

Reference: https://agora.nasqueron.org/Operations_grimoire/Deploy_with_Terraform
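The provisioning step described above, as an added example that is not code from the rOPS repository or from this revision: it takes the JSON that `tofu output -json` prints, validates that every AppRole actually received a non-empty role_id and secret_id before touching any file, and then writes one credentials file per application atomically with mode 0600. The output name `approle_credentials`, the `<app>.env` file layout and the `VAULT_ROLE_ID`/`VAULT_SECRET_ID` variable names are assumptions for the illustration, and the sample output is constructed.

```python
"""Provision AppRole credential files from Terraform/OpenTofu output.

Added example, not code from the rOPS repository. It assumes, hypothetically,
that `tofu output -json` exposes a map output named `approle_credentials`,
keyed by application, whose entries carry `role_id` and `secret_id`, and that
each application reads a `<name>.env` file with those two keys.
"""
import json
import os
import stat
import tempfile

# Constructed sample shaped like `tofu output -json`; the identifiers are made up.
SAMPLE_TOFU_OUTPUT = json.dumps({
    "approle_credentials": {
        "sensitive": True,
        "value": {
            "notifications": {
                "role_id": "0a3f6c0e-8b6a-4d2f-9c1e-000000000001",
                "secret_id": "5d9e2b7a-1c4f-4e8d-a6b3-000000000001",
            },
            "carp-routers": {
                "role_id": "0a3f6c0e-8b6a-4d2f-9c1e-000000000002",
                "secret_id": "5d9e2b7a-1c4f-4e8d-a6b3-000000000002",
            },
        },
    }
})


def parse_approle_output(raw, output_name="approle_credentials"):
    """Return {app: {"role_id", "secret_id"}} or raise ValueError.

    A rotation that produced an empty or missing secret_id must abort before
    any file is written; otherwise the previous credentials are replaced by
    nothing and the application is locked out of Vault.
    """
    doc = json.loads(raw)
    try:
        entries = doc[output_name]["value"]
    except (KeyError, TypeError):
        raise ValueError(f"output {output_name!r} missing from tofu output")
    creds = {}
    for app, entry in entries.items():
        # Keys come from Terraform state; never let them escape the target dir.
        if not app or app.startswith(".") or "/" in app:
            raise ValueError(f"refusing unsafe application name {app!r}")
        role_id = entry.get("role_id") if isinstance(entry, dict) else None
        secret_id = entry.get("secret_id") if isinstance(entry, dict) else None
        if not role_id or not secret_id:
            raise ValueError(f"incomplete AppRole credentials for {app!r}")
        creds[app] = {"role_id": role_id, "secret_id": secret_id}
    return creds


def render_credentials_file(dest, role_id, secret_id):
    """Atomically write the env file with mode 0600.

    Returns True when the content changed (the rotation took effect) and
    False when the same credentials were already in place.
    """
    content = f"VAULT_ROLE_ID={role_id}\nVAULT_SECRET_ID={secret_id}\n"
    if os.path.exists(dest):
        with open(dest) as f:
            if f.read() == content:
                return False
    directory = os.path.dirname(dest) or "."
    # mkstemp creates the file 0600 regardless of umask; os.replace is atomic
    # on POSIX, so a reader sees either the old file or the complete new one.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=f".{os.path.basename(dest)}.")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(content)
        os.chmod(tmp, 0o600)
        os.replace(tmp, dest)
    except BaseException:
        os.unlink(tmp)
        raise
    return True


def deploy_secrets(raw, dest_dir):
    """Provision one env file per application; return {app: changed?}."""
    creds = parse_approle_output(raw)  # validate everything before writing anything
    os.makedirs(dest_dir, mode=0o700, exist_ok=True)
    results = {}
    for app, c in creds.items():
        path = os.path.join(dest_dir, f"{app}.env")
        results[app] = render_credentials_file(path, c["role_id"], c["secret_id"])
    return results


def demo(dest_dir=None):
    """Run the deployment twice into a scratch directory and report the outcome."""
    if dest_dir is None:
        dest_dir = tempfile.mkdtemp(prefix="approle-demo-")
    first = deploy_secrets(SAMPLE_TOFU_OUTPUT, dest_dir)
    second = deploy_secrets(SAMPLE_TOFU_OUTPUT, dest_dir)
    mode = stat.S_IMODE(os.stat(os.path.join(dest_dir, "carp-routers.env")).st_mode)
    return {"first": first, "second": second, "mode": mode}


if __name__ == "__main__":
    print(demo())
```

The second run reports no change for every application, which is the idempotency a make target relies on when it is re-run after a partial failure. Destroying the previous secret_id in Vault belongs after this step has succeeded on every host, not before it.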

Diff Detail

Repository
rOPS Nasqueron Operations
Lint
Lint Skipped
Unit
No Test Coverage
Branch
arcpatch-D4026
Build Status
Buildable 6544
Build 6828: arc lint + arc unit

Event Timeline

dereckson created this revision.
dereckson retitled this revision from "Once the AppRole have been created or updated in Vault by Terraform/OpenTofu, the relevant configuration files with AppRole credentials must be provisioned." to "Deploy or rotate Vault secrets". Mon, Mar 23, 08:44
dereckson edited the summary of this revision.

Note: we're deploying a third secret for the CARP routers scripts. If we've already merged that code, we'll need to append a line to deploy that state too.

How to target router-002 and router-003 through grains
-G, --grain
The target expression matches values returned by the Salt grains system on the minions. The target expression is in the format of '<grain value>:<glob expression>'; example: 'os:Arch*'

This was changed in version 0.9.8 to accept glob expressions instead of regular expression. To use regular expression matching with grains, use the --grain-pcre option.

--grain-pcre
The target expression matches values returned by the Salt grains system on the minions. The target expression is in the format of '<grain value>:<regular expression>'; example: 'os:Arch.*'

This revision is now accepted and ready to land. Wed, Mar 25, 13:26

Enable rotation of Vault AppRole credentials on CARP routers

Makefile, line 65

I wonder if we don't need wildcards, as it's a list: if a router has several roles, for example router + bastion is a combo we considered several times.