[infra] vault + chsettle + aurora for dev

2026-03-16 19:50:05 +01:00
parent 5b1aca86e7
commit 89edf33c2c
51 changed files with 1606 additions and 62 deletions
--- a/ci/prod/compose/vault/agent.dev.hcl
+++ b/ci/prod/compose/vault/agent.dev.hcl
@@ -0,0 +1,29 @@
+# Vault Agent for the dev DB stack. AppRole creds are files on the host.
+pid_file = "/tmp/vault-agent.pid"
+
+auto_auth {
+  method "approle" {
+    mount_path = "auth/approle"
+    config = {
+      role_id_file_path   = "/vault/secrets/role_id"
+      secret_id_file_path = "/vault/secrets/secret_id"
+    }
+  }
+  sink "file" { config = { path = "/vault/token" } }
+}
+
+vault { address = "{{ env `VAULT_ADDR` }}" }
+
+template {
+  source      = "/etc/vault/templates/mongo/user.ctmpl"
+  destination = "/vault/secrets/MONGO_INITDB_ROOT_USERNAME"
+}
+template {
+  source      = "/etc/vault/templates/mongo/pass.ctmpl"
+  destination = "/vault/secrets/MONGO_INITDB_ROOT_PASSWORD"
+}
+template {
+  source      = "/etc/vault/templates/mongo/keyfile.ctmpl"
+  destination = "/vault/secrets/mongo.kf"
+  command     = "sh -lc 'chown 999:999 /vault/secrets/mongo.kf && chmod 0400 /vault/secrets/mongo.kf'"
+}