feat(bootstrap): vault init/unseal + capture to encrypted config (T05)
foundation-vault (hashicorp/vault:1.18, digest-pinned) with integrated raft storage in foundation-vault-data (-> /vault/file, which the entrypoint chowns to the vault user), IPC_LOCK for mlock, internal only (8200 unpublished). Init + unseal reuse the olsitec-core pattern but over docker-exec/SSH (ADR-007): the foundation-vault-init command inits 1-of-1 Shamir, unseals, and emits keys + root token on stdout — marked secret and NOT streamed (logging:Stderr) so they never reach the terminal/logs (D2). run.sh captures them into vaultCredentials:* (the one bootstrap secret that cannot live in Vault, CONTRACT_002 §2.4) with an idempotent guard that avoids churning the config. vault-unseal.sh is the passphrase-gated reboot helper (ADR-004): reads keys from config, unseals over an SSH stdin pipe. run.sh also now pins the Pulumi backend per-process (PULUMI_BACKEND_URL) instead of a global `pulumi login`. Live on cx33 Helsinki: initialized + unsealed (raft 1.18.5), keys captured to encrypted config, idempotent re-up reuses stored keys, container-restart reseal recovered by vault-unseal.sh. Acceptance T05 met. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
1792fd9f89
commit
0e81635d88
6 changed files with 236 additions and 9 deletions
2
VERSIONS
2
VERSIONS
|
|
@ -59,7 +59,7 @@
|
|||
IMAGE_CADDY=caddy:2.10@sha256:PIN_DIGEST
|
||||
IMAGE_FORGEJO=codeberg.org/forgejo/forgejo:11@sha256:PIN_DIGEST
|
||||
IMAGE_POSTGRES=postgres:17@sha256:5c855ad7b85e68e48a62f34662853f38b57c1c1d80f3a927ab58034fd6d31c5e
|
||||
IMAGE_VAULT=hashicorp/vault:1.18@sha256:PIN_DIGEST
|
||||
IMAGE_VAULT=hashicorp/vault:1.18@sha256:750bb37c1638fa194ab37053a81618c61bb0491ddec6fccac87c07a8e6cd8166
|
||||
IMAGE_RUSTFS=rustfs/rustfs:latest@sha256:fa19210ac4697c79d7ccca1ec9b0eb91aebacc6691991ffb14014bb3c67e6cc3
|
||||
IMAGE_ACT_RUNNER=code.forgejo.org/forgejo/runner:6@sha256:PIN_DIGEST
|
||||
IMAGE_REGISTRY=registry:2@sha256:PIN_DIGEST
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue