⚠️ WORK IN PROGRESS
Russian version
The plugin monitors a git repository for new commits. When it finds new commits that carry the required number of valid signatures from trusted keys, it applies the configuration.
- Configuration is described in Terraform format.
- Terraform state is stored in Vault.
- Vault connection uses the address and token specified in the plugin configuration.
- Currently requires a renewable periodic token; the plugin renews it automatically 24 hours before expiration.
- Status and possible errors can be viewed via the `/v1/gitops/status` endpoint.
- It's assumed that the plugin loads the configuration into the Vault it runs in, but this isn't required; you can manage another Vault.
- If you enable multiple plugins, you can manage different parts of the configuration accessible to the token from different repositories.
## Building

```sh
go build -o gitops cmd/gitops-terraform/main.go
```
## Loading the Plugin into Vault

```sh
SHA=$(sha256sum $PWD/gitops | awk '{print $1;}')
vault plugin register -command gitops -sha256 $SHA -version=v0.0.1 secret gitops
vault secrets enable gitops
```
## Configuration

Add a repository to monitor:

```sh
vault write gitops/configure/git_repository \
    git_repo_url="https://gitlab.com/user/vault-gitops-configuration.git" \
    required_number_of_verified_signatures_on_commit=1 \
    git_poll_period=1m
```
If the repository is private, configure credentials for access:

```sh
vault write gitops/configure/git_credential \
    username=token \
    password=glpat-EAEAEAEAEK4SmS7Xmh4XP3m86MQp1OjE0CA.00.000123456
```
Create keys for signing:

```sh
gpg --quick-generate-key "key1 <key1@example.com>" rsa4096
gpg --quick-generate-key "key2 <key2@example.com>" rsa4096
```
Export the public parts of the keys:

```sh
gpg --armor --output key1.pgp --export key1
gpg --armor --output key2.pgp --export key2
```
Upload the obtained keys to Vault:

```sh
vault write gitops/configure/trusted_pgp_public_key/key1 public_key=@key1.pgp
vault write gitops/configure/trusted_pgp_public_key/key2 public_key=@key2.pgp
```
## Configuring plugin access to the Vault API

You create a temporary token; the plugin uses it to create its own token with the same parameters and then revokes the temporary one. The plugin can only manage what the token's policy grants, so scope the policy to the configuration it should apply.
If token rotation is not required, specify `rotate=false`.

```sh
TOKEN=$(vault token create -orphan -period=7d -policy=root -display-name="gitops-plugin" -field=token)
vault write gitops/configure/vault vault_addr=http://127.0.0.1:8200 vault_token=$TOKEN rotate=true
```
## Signing

Install git-signatures. You can simply copy the `bin/git-signatures` file into a directory on your `PATH`; git then runs it as the `git signatures` subcommand.

Clone the repository or create a new one. See the example here:

```sh
git clone https://gitlab.com/user/vault-gitops-configuration.git
cd vault-gitops-configuration
```

View the list of keys (the long key ID is the value used below):

```sh
gpg --list-keys --keyid-format long
```
Add a key for signing:

```sh
git config user.signingKey <KEY_ID>
# Example: git config user.signingKey 0C3AAAA10E30D5F3
```
Add an arbitrary commit and sign it:

```sh
date > .demo
git add .demo
git commit -m 'demo commit'
git signatures add
```
Verify the signature:

```sh
git signatures show
```

Expected output:

```
Public Key ID    | Status   | Trust    | Date                         | Signer Name
=====================================================================================================
0C3AAAA10E30D5F3 | VALIDSIG | ULTIMATE | Mon 22 Dec 2025 20:19:33 MSK | key1 <key1@example.com>
```
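The `VALIDSIG` status above is what gpg reports per signature. The plugin's server-side check is "at least `required_number_of_verified_signatures_on_commit` distinct trusted keys produced a valid signature"; the shell snippet below is an added illustration of that rule (not the plugin's own code) over constructed gpg `--status-fd` lines and a constructed trusted-fingerprint list. It deliberately covers the edge cases a threshold check must get right: the same key signing twice counts once, unknown keys and `BADSIG` lines count for nothing, and the primary-key fingerprint (last field of `VALIDSIG`) is compared rather than a subkey fingerprint.

```shell
#!/bin/sh
# Added example: emulate the N-of-trusted-keys signature threshold.
# All fingerprints and status lines below are constructed sample data.

# Trusted primary-key fingerprints, one per line (constructed). In the real
# setup these are the keys uploaded under gitops/configure/trusted_pgp_public_key/.
TRUSTED_FPRS='AAAA1111222233334444555566667777AAAA0001
BBBB1111222233334444555566667777BBBB0002'

# Constructed gpg --status-fd output for one commit: key1 signed twice,
# key2 once, an untrusted key once, plus one bad signature.
# VALIDSIG fields: fpr date timestamp expire sigver reserved pkalgo hashalgo class primary-fpr
GPG_STATUS='[GNUPG:] VALIDSIG AAAA1111222233334444555566667777AAAA0001 2025-12-22 1766423973 0 4 0 1 8 00 AAAA1111222233334444555566667777AAAA0001
[GNUPG:] VALIDSIG AAAA1111222233334444555566667777AAAA0001 2025-12-22 1766423974 0 4 0 1 8 00 AAAA1111222233334444555566667777AAAA0001
[GNUPG:] VALIDSIG BBBB1111222233334444555566667777BBBB0002 2025-12-22 1766423975 0 4 0 1 8 00 BBBB1111222233334444555566667777BBBB0002
[GNUPG:] VALIDSIG CCCC1111222233334444555566667777CCCC0003 2025-12-22 1766423976 0 4 0 1 8 00 CCCC1111222233334444555566667777CCCC0003
[GNUPG:] BADSIG 66667777AAAA0001 key1 <key1@example.com>'

# count_valid_signers STATUS TRUSTED
# Prints the number of distinct trusted primary keys with a VALIDSIG line.
count_valid_signers() {
    printf '%s\n' "$1" | awk -v trusted="$2" '
        BEGIN { n = split(trusted, t, "\n"); for (i = 1; i <= n; i++) if (t[i] != "") ok[t[i]] = 1 }
        # $NF is the primary-key fingerprint, so subkey signatures map to their primary key;
        # seen[] makes repeated signatures from one key count once.
        $2 == "VALIDSIG" && ($NF in ok) && !(seen[$NF]++) { c++ }
        END { print c + 0 }'
}

# signatures_sufficient STATUS TRUSTED REQUIRED
# Succeeds (exit 0) when the distinct-trusted-signer count meets the threshold.
signatures_sufficient() {
    [ "$(count_valid_signers "$1" "$2")" -ge "$3" ]
}

count_valid_signers "$GPG_STATUS" "$TRUSTED_FPRS"   # prints 2
```

With the sample data a threshold of 2 is satisfied (key1 and key2), while 3 is not, because key1's second signature and the untrusted key do not add signers.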
Push the changes:

```sh
git push origin main
git signatures push
```
## Disabling the Plugin

```sh
vault secrets disable gitops
vault plugin deregister -version=v0.0.1 secret gitops
```