Onboard keycloak + paledocs secrets to Salt pillar pipeline #44

Closed
opened 2026-03-14 15:03:40 +00:00 by forgejo_admin · 0 comments

Lineage

plan-pal-e-platform → secrets hardening (ad-hoc)

Repo

forgejo_admin/pal-e-platform

User Story

As a platform operator
I want all Terraform secrets flowing through the Salt pillar pipeline
So that make tofu-plan / make tofu-apply works without manual -var flags

Context

Two secrets were added to Terraform variables but never onboarded to the Salt pillar → GPG → Makefile → tfvars pipeline:

  • keycloak_admin_password — added in PR #34 (Keycloak deploy, 2026-03-14)
  • paledocs_db_password — added in PR #23 (pal-e-docs DB secret, gap since 2026-03-08)

Currently both require manual -var flags on every tofu plan/apply. This breaks the make tofu-plan / make tofu-apply targets.

File Targets

Files to modify:

  • salt/pillar/secrets/platform.sls — add GPG-encrypted values for both secrets
  • Makefile — add both to TF_SECRET_VARS list
  • salt/pillar/secrets_registry.sls — add metadata entries
  • README.md — add ## Secrets Architecture section documenting the pipeline

Acceptance Criteria

  • Both secrets GPG-encrypted in platform.sls
  • Both listed in TF_SECRET_VARS in Makefile
  • Both have entries in secrets_registry.sls
  • make tofu-secrets renders both into secrets.auto.tfvars
  • make tofu-plan works without manual -var flags
  • README has Secrets Architecture section documenting the pipeline
  • No plaintext secret values in any committed file

Test Expectations

  • make tofu-secrets completes without error and outputs correct var count
  • grep keycloak_admin_password terraform/secrets.auto.tfvars returns a line
  • grep paledocs_db_password terraform/secrets.auto.tfvars returns a line
  • make tofu-plan succeeds without any -var flags
  • Run: make tofu-secrets && grep -c '=' terraform/secrets.auto.tfvars (should be 12, up from 10)

Constraints

  • GPG encrypt with key ID 81A03D1CF874DC90 (Salt Master key, per secrets_registry.sls)
  • Follow the sop-secrets-management "Adding a new platform secret" procedure exactly
  • Plaintext values come from ~/secrets/pal-e-services/secrets.env for keycloak; for paledocs they must be sourced from the existing k8s secret or Salt state
  • Do NOT commit plaintext values — only GPG-encrypted PGP blocks in platform.sls
  • README section should explain the pipeline without revealing actual values
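An added check for the Constraints above and the render count in Test Expectations (example shell, not the pal-e-platform repo's own tooling): it fails when any value under a pillar's secrets: map is not a PGP block, and wraps the issue's grep -c '=' count so it can be asserted. The secrets: map layout, the sample files and the placeholder ciphertext are assumptions; the real platform.sls is not shown in this issue.

```shell
# Return 0 when every value under `secrets:` in a pillar file is a PGP block;
# otherwise print "plaintext: <key>" for each offender and return 1.
check_pillar_secrets() {
  awk '
    /^secrets:/ { in_secrets = 1; next }
    in_secrets && /^[^ ]/ { in_secrets = 0 }          # left the secrets: map
    in_secrets && /^  [A-Za-z0-9_]+:/ {
      key = $1; sub(/:$/, "", key)
      if ($2 != "|") { bad[key] = 1; next }            # inline scalar: value is in the clear
      if ((getline nxt) > 0 && nxt !~ /-----BEGIN PGP MESSAGE-----/) bad[key] = 1
      next
    }
    END { n = 0; for (k in bad) { print "plaintext: " k; n++ }; exit (n > 0) }
  ' "$1"
}

# The issue's `grep -c '='` render check, wrapped so the count can be asserted.
count_tfvars_vars() { grep -c '=' "$1"; }

# Constructed sample inputs (assumed layout; placeholder ciphertext, not real PGP output).
GOOD_SLS=$(mktemp); MIXED_SLS=$(mktemp); SAMPLE_TFVARS=$(mktemp)
cat > "$GOOD_SLS" <<'EOF'
#!yaml|gpg
secrets:
  keycloak_admin_password: |
    -----BEGIN PGP MESSAGE-----
    hQEMA0PLACEHOLDERCIPHERTEXT=
    -----END PGP MESSAGE-----
  paledocs_db_password: |
    -----BEGIN PGP MESSAGE-----
    hQEMA0PLACEHOLDERCIPHERTEXT=
    -----END PGP MESSAGE-----
EOF
# Same map, but one value was pasted in the clear by mistake.
cat > "$MIXED_SLS" <<'EOF'
#!yaml|gpg
secrets:
  keycloak_admin_password: |
    -----BEGIN PGP MESSAGE-----
    hQEMA0PLACEHOLDERCIPHERTEXT=
    -----END PGP MESSAGE-----
  paledocs_db_password: not-a-real-value
EOF
printf 'keycloak_admin_password = "x"\npaledocs_db_password = "y"\n' > "$SAMPLE_TFVARS"

check_pillar_secrets "$GOOD_SLS" && echo "pillar OK"
check_pillar_secrets "$MIXED_SLS" || echo "pillar has plaintext values (see above)"
echo "rendered tfvars vars: $(count_tfvars_vars "$SAMPLE_TFVARS")"
```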

Checklist

  • PR opened with Closes #N
  • make tofu-secrets tested
  • No unrelated changes

Related

  • sop-secrets-management — the public SOP (procedures)
  • PR #34 — keycloak_admin_password gap origin
  • PR #23 — paledocs_db_password gap origin
forgejo_admin 2026-03-14 15:10:49 +00:00