dev cicd + tron + docs

ci/dev/vault/agent.hcl

@@ -0,0 +1,49 @@
+# Vault Agent for Development Environment
+# AppRole credentials are injected as files from environment variables
+pid_file = "/tmp/vault-agent.pid"
+
+auto_auth {
+  method "approle" {
+    mount_path = "auth/approle"
+    config = {
+      role_id_file_path   = "/vault/secrets/role_id"
+      secret_id_file_path = "/vault/secrets/secret_id"
+    }
+  }
+  sink "file" {
+    config = { path = "/vault/token" }
+  }
+}
+
+vault {
+  address = "{{ env `VAULT_ADDR` }}"
+}
+
+# MongoDB root credentials
+template {
+  source      = "/etc/vault/templates/mongo/user.ctmpl"
+  destination = "/vault/secrets/MONGO_ROOT_USER"
+}
+
+template {
+  source      = "/etc/vault/templates/mongo/pass.ctmpl"
+  destination = "/vault/secrets/MONGO_ROOT_PASSWORD"
+}
+
+# MongoDB replica set keyFile (strict perms for MongoDB)
+template {
+  source      = "/etc/vault/templates/mongo/keyfile.ctmpl"
+  destination = "/vault/secrets/mongo.kf"
+  command     = "sh -lc 'chmod 0400 /vault/secrets/mongo.kf'"
+}
+
+# NATS credentials
+template {
+  source      = "/etc/vault/templates/nats/user.ctmpl"
+  destination = "/vault/secrets/NATS_USER"
+}
+
+template {
+  source      = "/etc/vault/templates/nats/pass.ctmpl"
+  destination = "/vault/secrets/NATS_PASSWORD"
+}

ci/dev/vault/config.hcl

@@ -0,0 +1,17 @@
+# Vault Configuration for Development
+# Single node, file storage backend
+
+storage "file" {
+  path = "/vault/file"
+}
+
+listener "tcp" {
+  address     = "0.0.0.0:8200"
+  tls_disable = true
+}
+
+api_addr = "http://0.0.0.0:8200"
+ui = true
+
+# Disable mlock for dev (no need for memory protection)
+disable_mlock = true

ci/dev/vault/templates/mongo/keyfile.ctmpl

@@ -0,0 +1,3 @@
+{{ with secret "kv/data/sendico/dev" -}}
+{{ .Data.data.mongo_keyfile }}
+{{- end }}

ci/dev/vault/templates/mongo/pass.ctmpl

@@ -0,0 +1,3 @@
+{{ with secret "kv/data/sendico/dev" -}}
+{{ .Data.data.mongo_password }}
+{{- end }}

ci/dev/vault/templates/mongo/user.ctmpl

@@ -0,0 +1,3 @@
+{{ with secret "kv/data/sendico/dev" -}}
+{{ .Data.data.mongo_user }}
+{{- end }}

ci/dev/vault/templates/nats/pass.ctmpl

@@ -0,0 +1,3 @@
+{{ with secret "kv/data/sendico/dev" -}}
+{{ .Data.data.nats_password }}
+{{- end }}

ci/dev/vault/templates/nats/user.ctmpl

@@ -0,0 +1,3 @@
+{{ with secret "kv/data/sendico/dev" -}}
+{{ .Data.data.nats_user }}
+{{- end }}