muehlbachler: Hashicorp Vault - Infrastructure

This repository contains the infrastructure as code (IaC) for the Hashicorp Vault instance using Pulumi.

---

Requirements

• NodeJS, and yarn
• Pulumi

Creating the Infrastructure

To create the infrastructure and deploy the cluster, a Pulumi Stack with the correct configuration needs to exists.

The stack can be deployed via:

yarn install
yarn build; pulumi up

Destroying the Infrastructure

The entire infrastructure can be destroyed via:

yarn install
yarn build; pulumi destroy

Environment Variables

To successfully run, and configure the Pulumi plugins, you need to set a list of environment variables. Alternatively, refer to the used Pulumi provider's configuration documentation.

• CLOUDSDK_COMPUTE_REGION the Google Cloud (GCP) region
• GOOGLE_APPLICATION_CREDENTIALS: reference to a file containing the Google Cloud (GCP) service account credentials
• GITHUB_TOKEN: the GitHub Personal Access Token (PAT)
• PROXMOX_VE_USERNAME: the Proxmox username
• PROXMOX_VE_PASSWORD: the Proxmox password
• PROXMOX_VE_ENDPOINT: the endpoint to connect to Proxmox
• PROXMOX_VE_INSECURE: turn on/off insecure connections to Proxmox

---

Configuration

The following section describes the configuration which must be set in the Pulumi Stack.

Attention: do use Secrets Encryption provided by Pulumi for secret values!

Bucket Identifier

bucketId: the bucket identifier to upload assets to

Google Cloud (GCP)

Flux deployed applications can reference secrets being encrypted with sops. We need to specify, and allow access to this encryption stored in Google KMS.

gcp:
  project: the GCP project to create all resources in
  region: the GCP region to create resources in
  encryptionKey: references the sops encryption key
    cryptoKeyId: the CryptoKey identifier
    keyringId: the KeyRing identifier
    location: the location of the key

Network

General configuration about the local network.

network:
  domain: the internal DNS domain
  ipv4:
    cidrMask: the CIDR mask of the internal network
    enabled: enables IPv4 networking
    gateway: the IPv4 gateway
  ipv6:
    cidrMask: the CIDR mask of the internal network
    enabled: enables IPv6 networking
    gateway: the IPv6 gateway
  nameservers: a list of all nameservers to set (IPv4, IPv6)

OIDC

The OIDC configuration to connect the Vault instance to for login.

oidc:
  discoveryUrl: the OIDC discovery url (without ".well-known")
  clientId: the client id
  clientSecret: the client secret
  redirectUrls: a list of redirect URLs to set

Proxmox VE (pve)

General configuration about the Proxmox environment.

Attention: you must download the specifief imageName to each Proxmox host!

pve:
  cpuType: the default CPU type to assign to machines
  imageName: the reference to the locally installed image
  localStoragePool: the storage pool used for snippets
  networkBridge: the network bridge to use for server connectivity
  storagePool: the storage pool used for machine disks

Server

The Proxmox server configuration.

server:
  cpu: the CPU allocation
  diskSize: the disk size to use
  memory: memory configuration (enables or disables ballooning automatically)
    min: the minimum memory to assign
    max: the maximum memory to assign
  host: the Proxmox host to create the node on
  ipv4Address: the internal IPv4 address
  ipv6Address: the internal IPv6 address (optional)
  startupOrder: the order when the VM should be automatically started

Username

username: the username to use for interacting with the servers

---

Continuous Integration and Automations

• GitHub Actions are linting, and verifying the code.
• Renovate Bot is updating NodeJS packages, and GitHub Actions.