gitops_terraform

package module
v0.0.0-...-b21e02a
Published: Jan 18, 2026 License: Apache-2.0 Imports: 16 Imported by: 0

README

vault-plugin-gitops-terraform

⚠️ WORK IN PROGRESS


The plugin monitors a git repository for new commits. When new commits are found that are signed with the required number of signatures, it applies the configuration.

  • Configuration is described in Terraform format.
  • Terraform state is stored in Vault.
  • Vault connection uses the address and token specified in the plugin configuration.
  • Currently requires a renewable periodic token that will be automatically renewed 24 hours before expiration.
  • Status and possible errors can be viewed via the /v1/gitops/status endpoint.
  • It's assumed that the plugin applies the configuration to the Vault it runs in, but this isn't required; it can manage another Vault.
  • If you enable multiple plugins, you can manage different parts of the configuration accessible to the token from different repositories.

Building

go build -o gitops cmd/gitops-terraform/main.go

Loading the Plugin into Vault

SHA=$(sha256sum $PWD/gitops | awk '{print $1;}')
vault plugin register -command gitops -sha256 $SHA -version=v0.0.1 secret gitops
vault secrets enable gitops

Configuration

Add a repository to monitor

vault write gitops/configure/git_repository \
      git_repo_url="https://gitlab.com/user/vault-gitops-configuration.git" \
      required_number_of_verified_signatures_on_commit=1 \
      git_poll_period=1m

If the repository is private, configure credentials for access

vault write gitops/configure/git_credential \
      username=token \
      password=glpat-EAEAEAEAEK4SmS7Xmh4XP3m86MQp1OjE0CA.00.000123456

Create keys for signing

gpg --quick-generate-key "key1 <key1@example.com>" rsa4096
gpg --quick-generate-key "key2 <key2@example.com>" rsa4096

Export public parts of the keys

gpg --armor --output key1.pgp --export key1
gpg --armor --output key2.pgp --export key2

Upload the obtained keys to Vault

vault write gitops/configure/trusted_pgp_public_key/key1 public_key=@key1.pgp
vault write gitops/configure/trusted_pgp_public_key/key2 public_key=@key2.pgp

Configuring plugin access to the Vault API

Create a temporary token; the plugin uses it to create its own token with the same parameters and then invalidates the token you supplied. If token rotation is not required, specify rotate=false.

TOKEN=$(vault token create -orphan -period=7d -policy=root -display-name="gitops-plugin" -field=token)
vault write gitops/configure/vault vault_addr=http://127.0.0.1:8200 vault_token=$TOKEN rotate=true
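The renewal rule above (a renewable periodic token, renewed 24 hours before it expires) can be checked with a small client. The following is an added example, not the plugin's own code: it reads the remaining TTL from Vault's token lookup-self endpoint, renews via renew-self only when less than 24 hours remain, and refuses to continue on a token that is not renewable. The fake Vault server and the token value are constructed for the example; the endpoint paths and the ttl/renewable fields are Vault's real token API.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// renewBefore is the window from the README: renew once less than 24h of TTL remains.
const renewBefore = 24 * time.Hour

type tokenInfo struct {
	TTL       time.Duration
	Renewable bool
}

// lookupSelf reads the remaining TTL and the renewable flag of the calling token.
func lookupSelf(addr, token string) (tokenInfo, error) {
	req, err := http.NewRequest(http.MethodGet, addr+"/v1/auth/token/lookup-self", nil)
	if err != nil {
		return tokenInfo{}, err
	}
	req.Header.Set("X-Vault-Token", token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return tokenInfo{}, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return tokenInfo{}, fmt.Errorf("lookup-self: HTTP %d", resp.StatusCode)
	}
	var body struct {
		Data struct {
			TTL       int  `json:"ttl"`
			Renewable bool `json:"renewable"`
		} `json:"data"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return tokenInfo{}, err
	}
	return tokenInfo{TTL: time.Duration(body.Data.TTL) * time.Second, Renewable: body.Data.Renewable}, nil
}

// renewSelf asks Vault to extend the calling token by its period.
func renewSelf(addr, token string) error {
	req, err := http.NewRequest(http.MethodPost, addr+"/v1/auth/token/renew-self", bytes.NewBufferString("{}"))
	if err != nil {
		return err
	}
	req.Header.Set("X-Vault-Token", token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("renew-self: HTTP %d", resp.StatusCode)
	}
	return nil
}

// needsRenewal is the policy itself: renew when the remaining TTL is inside the window.
func needsRenewal(ttl time.Duration) bool { return ttl <= renewBefore }

// renewIfNeeded returns whether a renewal was performed. A non-renewable token is an
// error rather than a silent no-op, because the plugin would lose access at expiry.
func renewIfNeeded(addr, token string) (bool, error) {
	info, err := lookupSelf(addr, token)
	if err != nil {
		return false, err
	}
	if !info.Renewable {
		return false, fmt.Errorf("token is not renewable; create it with -period")
	}
	if !needsRenewal(info.TTL) {
		return false, nil
	}
	if err := renewSelf(addr, token); err != nil {
		return false, err
	}
	return true, nil
}

// newFakeVault is a constructed stand-in for Vault: it serves the two token endpoints
// used above with a fixed TTL and counts renewals. It is not a real Vault.
func newFakeVault(ttlSeconds int, renewable bool, renewals *int) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/auth/token/lookup-self", func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Vault-Token") == "" {
			http.Error(w, "missing token", http.StatusForbidden)
			return
		}
		json.NewEncoder(w).Encode(map[string]interface{}{
			"data": map[string]interface{}{"ttl": ttlSeconds, "renewable": renewable},
		})
	})
	mux.HandleFunc("/v1/auth/token/renew-self", func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "POST required", http.StatusMethodNotAllowed)
			return
		}
		*renewals++
		w.Write([]byte(`{"auth":{"renewable":true}}`))
	})
	return httptest.NewServer(mux)
}

func main() {
	renewals := 0
	srv := newFakeVault(3600, true, &renewals) // 1h left: inside the 24h window
	defer srv.Close()
	renewed, err := renewIfNeeded(srv.URL, "constructed-token")
	fmt.Println("renewed:", renewed, "renewals:", renewals, "err:", err)
}
```

Against a real Vault, replace the fake server URL with vault_addr and the token with the one created by vault token create -period=7d; a token created without -period reports renewable but has a hard max TTL, so lookup-self is also where to watch for a shrinking ttl that renew-self can no longer extend.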

Signing

Install git-signatures. You can simply copy the bin/git-signatures file.

Clone the repository or create a new one. See the example here.

git clone https://gitlab.com/user/vault-gitops-configuration.git
cd vault-gitops-configuration

View the list of keys

gpg --list-key

Add a key for signing

git config user.signingKey <KEY_ID>
# Example: git config user.signingKey 0C3AAAA10E30D5F3

Add an arbitrary commit and sign it

date > .demo
git add .demo
git commit -m 'demo commit'
git signatures add

Verify the signature

git signatures show

Expected output

 Public Key ID    | Status     | Trust     | Date                         | Signer Name
=====================================================================================================
 0C3AAAA10E30D5F3 | VALIDSIG   | ULTIMATE  | Mon 22 Dec 2025 20:19:33 MSK | key1 <key1@example.com>
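The plugin's acceptance rule (required_number_of_verified_signatures_on_commit, counted only over keys uploaded under trusted_pgp_public_key) can be illustrated on the table format above. The following is an added example, not the plugin's own verification code (the plugin verifies signatures itself in pkg/pgp): it parses rows in the git signatures show layout and counts distinct trusted keys with a VALIDSIG status, so that two signatures from the same key, a signature from a key Vault does not trust, or a BADSIG row never bring a commit over the threshold. The first row is the one from the README; the other two rows and their key IDs are constructed for the example. The Trust column is the local GPG keyring's opinion and is deliberately ignored, since the plugin's trust set is the keys uploaded to Vault.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// signatureRow is one line of the `git signatures show` table.
type signatureRow struct {
	KeyID  string
	Status string
	Trust  string
	Date   string
	Signer string
}

// parseSignatureTable reads the header, the "=====" rule and one pipe-separated row
// per signature. Constructed parser for the README's output format.
func parseSignatureTable(out string) ([]signatureRow, error) {
	var rows []signatureRow
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "=") || strings.HasPrefix(line, "Public Key ID") {
			continue
		}
		cols := strings.Split(line, "|")
		if len(cols) != 5 {
			return nil, fmt.Errorf("unexpected row: %q", line)
		}
		for i := range cols {
			cols[i] = strings.TrimSpace(cols[i])
		}
		rows = append(rows, signatureRow{cols[0], cols[1], cols[2], cols[3], cols[4]})
	}
	return rows, sc.Err()
}

// countVerified counts distinct trusted key IDs whose signature verified (VALIDSIG).
// Repeated signatures from one key and signatures from untrusted keys do not count.
func countVerified(rows []signatureRow, trusted map[string]bool) int {
	seen := map[string]bool{}
	for _, r := range rows {
		if r.Status != "VALIDSIG" || !trusted[r.KeyID] || seen[r.KeyID] {
			continue
		}
		seen[r.KeyID] = true
	}
	return len(seen)
}

// meetsPolicy mirrors required_number_of_verified_signatures_on_commit.
func meetsPolicy(rows []signatureRow, trusted map[string]bool, required int) bool {
	return countVerified(rows, trusted) >= required
}

// sampleShow: first row from the README; rows two and three are constructed.
const sampleShow = ` Public Key ID    | Status     | Trust     | Date                         | Signer Name
=====================================================================================================
 0C3AAAA10E30D5F3 | VALIDSIG   | ULTIMATE  | Mon 22 Dec 2025 20:19:33 MSK | key1 <key1@example.com>
 1D4BBBB21F41E6A4 | VALIDSIG   | ULTIMATE  | Mon 22 Dec 2025 20:25:10 MSK | key2 <key2@example.com>
 2E5CCCC32A52F7B5 | BADSIG     | UNKNOWN   | Mon 22 Dec 2025 20:30:00 MSK | other <other@example.org>
`

func main() {
	rows, err := parseSignatureTable(sampleShow)
	if err != nil {
		panic(err)
	}
	// Constructed trust set: the two keys uploaded with trusted_pgp_public_key/key1 and key2.
	trusted := map[string]bool{"0C3AAAA10E30D5F3": true, "1D4BBBB21F41E6A4": true}
	fmt.Println("verified:", countVerified(rows, trusted))
	fmt.Println("required=2 accepted:", meetsPolicy(rows, trusted, 2))
	fmt.Println("required=3 accepted:", meetsPolicy(rows, trusted, 3))
}
```

The same check applied to a commit with only the README's single signature and required_number_of_verified_signatures_on_commit=1 accepts it, which matches the configuration shown earlier; raising the parameter to 2 means a second trusted key must sign before the plugin applies the commit.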

Push the changes

git push origin main
git signatures push

Disabling the Plugin

vault secrets disable gitops
vault plugin deregister -version=v0.0.1 secret gitops

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Factory

func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error)

Types

type LastFinishedCommit

type LastFinishedCommit struct {
	CommitHash string    `json:"commit_hash"`
	CommitDate time.Time `json:"commit_date"`
}

LastFinishedCommit represents the last successfully processed commit with its date

Directories

Path Synopsis
cmd
pkg
git
pgp
