first db deployment script

ci/prod/compose/vault/agent.hcl

@@ -0,0 +1,50 @@
+# Vault Agent for DB stack. AppRole creds are files on the host.
+pid_file = "/tmp/vault-agent.pid"
+
+auto_auth {
+  method "approle" {
+    mount_path = "auth/approle"
+    config = {
+      role_id_file_path   = "/vault/role_id"
+      secret_id_file_path = "/vault/secret_id"
+    }
+  }
+  sink "file" { config = { path = "/vault/token" } }
+}
+
+vault { address = "{{ env `VAULT_ADDR` }}" }
+
+# Mongo root credentials
+template {
+  source      = "/etc/vault/templates/mongo/user.ctmpl"
+  destination = "/vault/secrets/MONGO_INITDB_ROOT_USERNAME"
+}
+template {
+  source      = "/etc/vault/templates/mongo/pass.ctmpl"
+  destination = "/vault/secrets/MONGO_INITDB_ROOT_PASSWORD"
+}
+
+# Replica set keyFile (strict perms)
+template {
+  source      = "/etc/vault/templates/mongo/keyfile.ctmpl"
+  destination = "/vault/secrets/mongo.kf"
+  command     = "sh -lc 'chown 999:999 /vault/secrets/mongo.kf && chmod 0400 /vault/secrets/mongo.kf'"
+}
+
+# PBM: backup user/pass + S3 creds env
+template {
+  source      = "/etc/vault/templates/backup/user.ctmpl"
+  destination = "/etc/backup/.u"
+}
+template {
+  source      = "/etc/vault/templates/backup/pass.ctmpl"
+  destination = "/etc/backup/.p"
+}
+template {
+  source      = "/etc/vault/templates/pbm/env.ctmpl"
+  destination = "/etc/backup/pbm.env"
+}
+template {
+  source      = "/etc/vault/templates/pbm/config.ctmpl"
+  destination = "/etc/backup/pbm-config.yaml"
+}

ci/prod/compose/vault/templates/backup/pass.ctmpl

@@ -0,0 +1,3 @@
+{{ with secret "kv/data/ops/db/backup" -}}
+{{ .Data.data.user }}
+{{- end }}

ci/prod/compose/vault/templates/backup/user.ctmpl

@@ -0,0 +1,3 @@
+{{ with secret "kv/data/ops/db/backup" -}}
+{{ .Data.data.user }}
+{{- end }}

ci/prod/compose/vault/templates/mongo/keyfile.ctmpl

@@ -0,0 +1,3 @@
+{{ with secret "kv/data/sendico/db" -}}
+{{ .Data.data.key }}
+{{- end }}

ci/prod/compose/vault/templates/mongo/pass.ctmpl

@@ -0,0 +1,3 @@
+{{ with secret "kv/data/sendico/db" -}}
+{{ .Data.data.password }}
+{{- end }}

ci/prod/compose/vault/templates/mongo/user.ctmpl

@@ -0,0 +1,3 @@
+{{ with secret "kv/data/sendico/db" -}}
+{{ .Data.data.user }}
+{{- end }}

ci/prod/compose/vault/templates/pbm/config.ctmpl

@@ -0,0 +1,16 @@
+# Rendered by Vault Agent; contains no secrets.
+storage:
+  type: s3
+  s3:
+    endpointUrl: "{{ env "PBM_S3_ENDPOINT" }}"
+    region: "{{ env "PBM_S3_REGION" }}"
+    bucket: "{{ env "PBM_S3_BUCKET" }}"
+    forcePathStyle: true
+
+pitr:
+  enabled: true
+  oplogSpanMin: 10
+  compression: "s2"
+
+backup:
+  compression: "s2"

ci/prod/compose/vault/templates/pbm/env.ctmpl

@@ -0,0 +1,3 @@
+# Rendered by Vault Agent. Contains only secrets.
+AWS_ACCESS_KEY_ID={{ with secret "kv/data/s3/backup" -}}{{ .Data.data.access_key_id }}{{- end }}
+AWS_SECRET_ACCESS_KEY={{ with secret "kv/data/s3/backup" -}}{{ .Data.data.secret_access_key }}{{- end }}