secrets: add admin_app_db_password to Salt pillar (gates #302 apply) #308

Merged
forgejo_admin merged 1 commit from 306-admin-app-salt-pillar into main 2026-04-27 12:55:23 +00:00
Summary

Adds admin_app_db_password to the Salt pillar, GPG-encrypted to salt@pal-e.local (key 81A03D1CF874DC90). Unblocks the apply of #302/#304 — the Makefile's TF_SECRET_VARS already references this key but the pillar entry was missing.

Changes

  • salt/pillar/secrets/platform.sls — added admin_app_db_password block (32-byte base64, GPG-armored), mirroring the paledocs_db_password sibling pattern (lines 281-298).
  • salt/pillar/secrets_registry.sls — registry metadata entry (origin: generated, rotation_days: 90).

Test Plan

  • [x] python3 yaml.safe_load parses both files cleanly
  • [x] Plaintext password verified absent from git tree (grep returned nothing)
  • [x] Encryption recipient matches existing pillar entries (hQIMA4GgPRz4dNyQ prefix = key 81A03D1CF874DC90)
  • [ ] Post-merge: make tofu-secrets should produce a secrets.auto.tfvars containing admin_app_db_password = "...", allowing #302 terraform apply to proceed.

Review Checklist

  • [ ] Encrypted block decrypts on salt master via salt-call --local pillar.get secrets:platform:admin_app_db_password
  • [ ] No plaintext password committed (verified via grep pre-commit)
  • [ ] Sibling pattern (paledocs_db_password) followed exactly — same #!yaml|gpg renderer, same indentation, same recipient
  • [ ] Registry entry present in secrets_registry.sls with origin/rotation/notes

CI Note

Salt pillar changes do not trigger tofu plan, so this PR should be unaffected by the known #307 plan-step shell-quoting bug. If CI fails on the plan step regardless, treat as a #307 false positive.

Related Notes

  • Closes #306
  • Gates: #302 / #304 (admin_app role provisioning)
  • Sibling pattern: paledocs_db_password in salt/pillar/secrets/platform.sls (lines 281-298)
  • story:admin-row-crud
  • arch:salt
secrets: add admin_app_db_password to Salt pillar
Some checks failed
ci/woodpecker/push/woodpecker Pipeline was successful
ci/woodpecker/pr/woodpecker Pipeline failed
ci/woodpecker/pull_request_closed/woodpecker Pipeline was successful
41aff03001
Generated 32-byte base64 password, GPG-encrypted to salt@pal-e.local
(key 81A03D1CF874DC90), added to salt/pillar/secrets/platform.sls
mirroring the paledocs_db_password pattern. Registry entry added
to secrets_registry.sls.

Unblocks pal-e-platform#302 apply — Makefile TF_SECRET_VARS already
references admin_app_db_password but the pillar key was missing.

Closes #306
story:admin-row-crud
arch:salt

PR #308 Review

DOMAIN REVIEW (Salt pillar / GPG-encrypted secrets)

Verified against sibling pattern (paledocs_db_password at lines 281-298 of salt/pillar/secrets/platform.sls):

  • Renderer / schema: New admin_app_db_password key sits inside the same secrets: platform: map under the existing #!yaml|gpg renderer — no new shebang, correct.
  • Indentation: 4-space key indent + 6-space PGP block indent — byte-for-byte match with paledocs_db_password. YAML parses cleanly.
  • GPG armoring: Block begins with -----BEGIN PGP MESSAGE-----, blank line, base64 body, CRC24 checksum (=4bF4), -----END PGP MESSAGE-----. Well-formed.
  • Recipient: First line hQIMA4GgPRz4dNyQ matches the recipient prefix on every other entry in the file → encrypted to key 81A03D1CF874DC90 (salt@pal-e.local). Correct.
  • Ciphertext distinct: Body differs from paledocs_db_password (not a copy-paste of an existing encrypted value).
  • Registry entry: secrets_registry.sls entry mirrors paledocs_db_password's schema (origin/description/created/rotation_days/notes). created: '2026-04-25', rotation_days: 90. Clean.

BLOCKERS

None.

Plaintext-leak check

Diff contains only the armored PGP block — no base64 outside the BEGIN/END envelope, no .env, .gpg, .txt, scratch, or test files. No collateral changes outside the two pillar files. Clean.

Sibling-pattern fidelity

1:1 with paledocs_db_password. Renderer, indentation, recipient, registry schema all match.

Consumer side (Makefile)

TF_SECRET_VARS on line 51 of Makefile already includes admin_app_db_password (alongside paledocs_db_password). tofu-validate-secrets will now pass; previously it would have failed with "Missing secrets in pillar: admin_app_db_password". This PR is the missing producer half — gates #302 / #304 apply as advertised.

NITS

  • Registry notes says "Added PR for #306" — minor wording inconsistency vs sibling style ("Added PR #23"). Non-blocking; PR number isn't known at authoring time.

SOP COMPLIANCE

  • [x] Branch named after issue (306-admin-app-salt-pillar)
  • [x] PR body has Summary / Changes / Test Plan / Related
  • [x] Related references story (story:admin-row-crud) and arch (arch:salt) labels
  • [x] Closes #306 present
  • [x] No secrets, .env files, or scratch artifacts committed
  • [x] No scope creep (exactly 2 files, +27/-0)

PROCESS OBSERVATIONS

Tight, surgical PR. Producer/consumer split is correct: the Makefile-side reference was added previously without the pillar entry, which would have caused a deferred failure at apply time. This PR closes that loop. Post-merge verification step (make tofu-secrets should now emit admin_app_db_password = "...") is the right gate before #302 apply — don't skip it.

VERDICT: APPROVED

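The checks the PR's test plan and the review above perform by hand (armor envelope, recipient prefix hQIMA4GgPRz4dNyQ mapping to key 81A03D1CF874DC90, distinct ciphertexts, and the required-keys list a consumer such as the Makefile's TF_SECRET_VARS expects), as an added example that is not part of the PR or of the repository's own tooling. It assumes the secrets:platform map has already been loaded with yaml.safe_load after dropping the #!yaml|gpg shebang line; the sample values are constructed, and only their first armor line is real.

```python
"""Structural audit of Salt '#!yaml|gpg' pillar secrets; nothing is decrypted."""
import base64

EXPECTED_KEY_ID = "81A03D1CF874DC90"   # salt@pal-e.local, as stated in the PR
ARMOR = ("-----BEGIN PGP MESSAGE-----", "-----END PGP MESSAGE-----")

def dearmor(armored: str) -> bytes:
    """Check the armor envelope (header, blank line, CRC24 line) and decode the body."""
    lines = armored.strip().splitlines()
    if len(lines) < 5 or lines[0] != ARMOR[0] or lines[-1] != ARMOR[1]:
        raise ValueError("missing BEGIN/END PGP MESSAGE envelope")
    if lines[1].strip() or not (lines[-2].startswith("=") and len(lines[-2]) == 5):
        raise ValueError("armor needs a blank line after the header and a CRC24 line")
    return base64.b64decode("".join(lines[2:-2]), validate=True)

def pkesk_recipient(data: bytes) -> str:
    """Hex key ID from the leading packet: an old-format v3 PKESK (RFC 4880 5.1)."""
    b = data[0]
    if b & 0xC0 != 0x80 or (b >> 2) & 0x0F != 1:     # old-format header, tag 1
        raise ValueError("leading packet is not an old-format PKESK")
    off = 2 + {0: 0, 1: 1, 2: 3}[b & 3]              # 1-, 2- or 4-byte length field
    if data[off] != 3:
        raise ValueError("unexpected PKESK version")
    return data[off + 1:off + 9].hex().upper()

def audit_secrets(secrets: dict, required: set, key_id: str = EXPECTED_KEY_ID) -> list:
    """Findings for a secrets:platform map (yaml.safe_load output); [] means it passed."""
    findings, seen = [], {}
    for name, armored in secrets.items():
        try:
            kid = pkesk_recipient(dearmor(armored))
        except (ValueError, IndexError, KeyError) as exc:
            findings.append(f"{name}: {exc}")
            continue
        if kid != key_id:
            findings.append(f"{name}: encrypted to {kid}, expected {key_id}")
        if armored in seen:                           # copy-pasted ciphertext
            findings.append(f"{name}: ciphertext identical to {seen[armored]}")
        seen[armored] = name
    for missing in sorted(required - set(secrets)):
        findings.append(f"Missing secrets in pillar: {missing}")
    return findings

# Constructed sample values: first armor line is the recipient prefix quoted in the
# PR (hQIMA4GgPRz4dNyQ); the rest of the body is filler, not a real ciphertext.
def sample_armor(filler_b64: str, crc: str) -> str:
    return f"{ARMOR[0]}\n\nhQIMA4GgPRz4dNyQAQ/+{filler_b64}\n={crc}\n{ARMOR[1]}\n"

SAMPLE_SECRETS = {"paledocs_db_password": sample_armor("ZmlsbGVyMQ==", "AAAA"),
                  "admin_app_db_password": sample_armor("ZmlsbGVyMg==", "BBBB")}
```

Decoding the prefix alone (0x85 0x02 0x0C 0x03 followed by the eight key-ID bytes) is enough to confirm the recipient the review reports, without the salt master's private key.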
forgejo_admin deleted branch 306-admin-app-salt-pillar 2026-04-27 12:55:23 +00:00