feat(bootstrap): vault init/unseal + capture to encrypted config (T05)
foundation-vault (hashicorp/vault:1.18, digest-pinned) with integrated raft storage in foundation-vault-data (-> /vault/file, which the entrypoint chowns to the vault user), IPC_LOCK for mlock, internal only (8200 unpublished). Init + unseal reuse the olsitec-core pattern but over docker-exec/SSH (ADR-007): the foundation-vault-init command inits 1-of-1 Shamir, unseals, and emits keys + root token on stdout — marked secret and NOT streamed (logging:Stderr) so they never reach the terminal/logs (D2). run.sh captures them into vaultCredentials:* (the one bootstrap secret that cannot live in Vault, CONTRACT_002 §2.4) with an idempotent guard that avoids churning the config. vault-unseal.sh is the passphrase-gated reboot helper (ADR-004): reads keys from config, unseals over an SSH stdin pipe. run.sh also now pins the Pulumi backend per-process (PULUMI_BACKEND_URL) instead of a global `pulumi login`. Live on cx33 Helsinki: initialized + unsealed (raft 1.18.5), keys captured to encrypted config, idempotent re-up reuses stored keys, container-restart reseal recovered by vault-unseal.sh. Acceptance T05 met. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
1792fd9f89
commit
0e81635d88
6 changed files with 236 additions and 9 deletions
|
|
@ -12,6 +12,7 @@ import { deployDns } from "./components/dns";
|
|||
import { generateCredentials } from "./components/credentials";
|
||||
import { deployPostgres } from "./components/postgres";
|
||||
import { deployRustfs } from "./components/rustfs";
|
||||
import { deployVault } from "./components/vault";
|
||||
|
||||
const cfg = loadConfig();
|
||||
|
||||
|
|
@ -29,14 +30,14 @@ const credentials = generateCredentials(ctx);
|
|||
|
||||
// =============================================================================
|
||||
// PHASE 3 — DATA PLANE (depends on: network)
|
||||
// T03 postgres ✓ · T04 rustfs ✓ · T05 vault (sealed)
|
||||
// T03 postgres ✓ · T04 rustfs ✓ · T05 vault ✓
|
||||
// -----------------------------------------------------------------------------
|
||||
const postgres = deployPostgres(ctx, credentials.postgres);
|
||||
const rustfs = deployRustfs(ctx, credentials.rustfs);
|
||||
// const vault = deployVault(ctx);
|
||||
const vault = deployVault(ctx);
|
||||
//
|
||||
// --- GATE A: Vault init + unseal (T05) → writes unseal keys to encrypted config;
|
||||
// credentials.ts (T06) dependsOn the init resource.
|
||||
// --- GATE A: Vault init + unseal (T05) → run.sh captures unseal keys to encrypted
|
||||
// config; credentials.ts (T06) dependsOn vault.init.
|
||||
// writeCredentialsToVault(ctx, credentials, { vault });
|
||||
//
|
||||
// =============================================================================
|
||||
|
|
@ -50,11 +51,16 @@ const rustfs = deployRustfs(ctx, credentials.rustfs);
|
|||
// =============================================================================
|
||||
|
||||
// Stack outputs (extended as phases land).
|
||||
export const phase = "T04-rustfs"; // network + DNS + data-plane: postgres, rustfs
|
||||
export const phase = "T05-vault"; // data-plane complete: postgres, rustfs, vault
|
||||
export const networkName = network.name;
|
||||
export const vmTarget = `${cfg.vm.user}@${cfg.vm.host}`;
|
||||
export const postgresEndpoint = postgres.endpoint;
|
||||
export const rustfsEndpoint = rustfs.endpoint;
|
||||
export const vaultEndpoint = vault.endpoint;
|
||||
// Captured by run.sh into vaultCredentials:* (passphrase-encrypted config) after
|
||||
// `up` — the one bootstrap secret that cannot live in Vault (CONTRACT_002 §2.4).
|
||||
export const vaultUnsealKeys = vault.unsealKeys;
|
||||
export const vaultRootToken = vault.rootToken;
|
||||
export const enabledFeatures = Object.entries(cfg.features)
|
||||
.filter(([, on]) => on)
|
||||
.map(([name]) => name);
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue