// components/vault.ts (T05) — the hard one. // // foundation-vault — the runtime secret store (CONTRACT_003 §3.2; ADR-004). // Integrated raft storage in the named volume foundation-vault-data (→ /vault/file, // which the image's entrypoint chowns to the vault user); IPC_LOCK so mlock keeps // secrets out of swap. Internal-only (8200 NOT published; Caddy fronts it later). // // Init + unseal follow the proven olsitec-core pattern (init → capture keys → write // back to passphrase-encrypted config → unseal), but the MECHANISM is docker-exec // over SSH (ADR-007) because 8200 isn't reachable from the operator. The init // command emits the unseal keys + root token on STDOUT (marked secret, and NOT // streamed — logging:Stderr); run.sh then captures them into vaultCredentials:* // (CONTRACT_001 §1.3 / CONTRACT_002 §2.4 — the one bootstrap exception that cannot // live in Vault). On re-runs it reads those stored keys back (via stdin) and only // re-unseals. Reboots re-seal Vault → the operator runs vault-unseal.sh (ADR-004). import * as pulumi from "@pulumi/pulumi"; import * as docker from "@pulumi/docker"; import * as command from "@pulumi/command"; import { DeployCtx } from "../lib/context"; import { vmConnection } from "../lib/remote"; export interface VaultOutputs { container: docker.Container; /** Vault is initialized + unsealed once this resolves (GATE A for T06). */ init: command.remote.Command; /** JSON-array string of unseal keys (secret) — captured to config by run.sh. */ unsealKeys: pulumi.Output; /** Root token (secret) — captured to config by run.sh. */ rootToken: pulumi.Output; /** Internal API endpoint (CONTRACT_003 §3.3). */ endpoint: string; } // Raft single-node config (api/cluster on the foundation-net name). 1-of-1 Shamir: // all shares live together in the same passphrase-encrypted config, so splitting // adds no real security here — the passphrase IS the root of trust (PLAN-002 §4.1). // Rekey to N/M later if multi-custodian distribution is ever wanted. const VAULT_LOCAL_CONFIG = JSON.stringify({ storage: { raft: { path: "/vault/file", node_id: "foundation-vault" } }, listener: { tcp: { address: "0.0.0.0:8200", tls_disable: true } }, api_addr: "http://foundation-vault:8200", cluster_addr: "http://foundation-vault:8201", ui: true, disable_mlock: false, }); // Idempotent init/unseal (ADR-007). Stored keys arrive on stdin (line 1 = JSON // array of unseal keys or empty on first run; line 2 = root token or empty). // Progress → stderr; the captured creds are the ONLY thing on stdout (two lines), // and the command sets logging:Stderr so stdout is never streamed to the terminal. const INIT_UNSEAL = `set -eu IFS= read -r STORED_KEYS_JSON || true IFS= read -r STORED_ROOT_TOKEN || true C=foundation-vault VE='-e VAULT_ADDR=http://127.0.0.1:8200' vstat() { docker exec $VE "$C" vault status -format=json 2>/dev/null; } ready= for _ in $(seq 1 40); do vstat >/tmp/vstatus && rc=0 || rc=$? # 0 = unsealed, 2 = sealed/uninitialized but reachable; both mean "up" if [ "$rc" = 0 ] || { [ "$rc" = 2 ] && [ -s /tmp/vstatus ]; }; then ready=1; break; fi sleep 2 done [ "$ready" = 1 ] || { echo "foundation-vault not reachable after 80s" >&2; exit 1; } INITIALIZED=$(vstat | jq -r '.initialized') if [ "$INITIALIZED" = "false" ]; then echo "initializing vault (1/1 shamir)" >&2 INIT_JSON=$(docker exec $VE "$C" vault operator init -key-shares=1 -key-threshold=1 -format=json) KEYS_JSON=$(printf '%s' "$INIT_JSON" | jq -c '.unseal_keys_b64') ROOT_TOKEN=$(printf '%s' "$INIT_JSON" | jq -r '.root_token') else echo "vault already initialized; reusing stored keys" >&2 [ -n "$STORED_KEYS_JSON" ] || { echo "vault initialized but no stored unseal keys in config" >&2; exit 1; } KEYS_JSON="$STORED_KEYS_JSON" ROOT_TOKEN="$STORED_ROOT_TOKEN" fi if [ "$(vstat | jq -r '.sealed')" = "true" ]; then echo "unsealing" >&2 printf '%s' "$KEYS_JSON" | jq -r '.[]' | while IFS= read -r k; do docker exec $VE "$C" vault operator unseal "$k" >/dev/null done fi [ "$(vstat | jq -r '.sealed')" = "false" ] || { echo "vault still sealed after unseal" >&2; exit 1; } echo "vault unsealed and ready" >&2 # stdout: the two captured secrets (run.sh -> vaultCredentials:*). Never streamed. printf '%s\n%s\n' "$KEYS_JSON" "$ROOT_TOKEN"`; export function deployVault(ctx: DeployCtx): VaultOutputs { const { provider, network } = ctx; const image = new docker.RemoteImage( "foundation-vault-image", { name: ctx.image("VAULT"), keepLocally: true }, { provider }, ); const volume = new docker.Volume( "foundation-vault-data", { name: "foundation-vault-data" }, { provider, retainOnDelete: true }, // raft store — losing it loses ALL secrets ); const container = new docker.Container( "foundation-vault", { name: "foundation-vault", image: image.imageId, hostname: "foundation-vault", restart: "unless-stopped", command: ["server"], // override the image's default `server -dev` envs: [ `VAULT_LOCAL_CONFIG=${VAULT_LOCAL_CONFIG}`, "VAULT_API_ADDR=http://foundation-vault:8200", ], capabilities: { adds: ["IPC_LOCK"] }, volumes: [{ volumeName: volume.name, containerPath: "/vault/file" }], networksAdvanced: [{ name: network.name, aliases: ["foundation-vault"] }], logDriver: "json-file", logOpts: { "max-size": "10m", "max-file": "3" }, }, { provider, dependsOn: [network], deleteBeforeReplace: true }, ); // Stored creds from passphrase-encrypted config (undefined → "" on first init). const vc = new pulumi.Config("vaultCredentials"); const stdin = pulumi .all([vc.getSecret("unsealKeys"), vc.getSecret("rootToken")]) .apply(([k, t]) => `${k ?? ""}\n${t ?? ""}\n`); const init = new command.remote.Command( "foundation-vault-init", { connection: vmConnection(ctx), create: INIT_UNSEAL, update: INIT_UNSEAL, // re-run on stdin change (stored keys appear after capture) stdin, addPreviousOutputInEnv: false, // Keep the captured keys (stdout) OUT of the streamed log — only stderr shows. logging: command.remote.Logging.Stderr, triggers: [container.id, stdin], }, { dependsOn: [container], additionalSecretOutputs: ["stdout"] }, ); // stdout = "\n\n" (secret). Split into the two. const unsealKeys = init.stdout.apply((s) => s.split("\n")[0] ?? ""); const rootToken = init.stdout.apply((s) => s.split("\n")[1] ?? ""); return { container, init, unsealKeys: pulumi.secret(unsealKeys), rootToken: pulumi.secret(rootToken), endpoint: "http://foundation-vault:8200", }; }