From 27fc46664f90b5fba05ab866e1e57551d43d1980 Mon Sep 17 00:00:00 2001 From: root Date: Sat, 21 Feb 2026 09:07:56 +0100 Subject: [PATCH] feat: migrate Atlantis from SOPS to OpenBao for Proxmox token - Replace sops -d --extract with bao kv get -field in workflow - Remove .sops.yaml and encrypted proxmox.secrets.yaml - Update .gitleaks.toml comment (remove SOPS reference) - Proxmox token now fetched from OpenBao secret/infrastructure/proxmox via AppRole authentication (atlantis role) Co-Authored-By: Claude Opus 4.6 --- .gitleaks.toml | 2 +- .sops.yaml | 5 ----- atlantis.yaml | 4 ++-- environments/production/proxmox.secrets.yaml | 16 ---------------- 4 files changed, 3 insertions(+), 24 deletions(-) delete mode 100644 .sops.yaml delete mode 100644 environments/production/proxmox.secrets.yaml diff --git a/.gitleaks.toml b/.gitleaks.toml index 60f9655..d20ebe2 100644 --- a/.gitleaks.toml +++ b/.gitleaks.toml @@ -3,7 +3,7 @@ [allowlist] description = "Infrastructure repo allowlist" - # Terraform tenant VM passwords are managed by VM Bot and encrypted at rest via SOPS + # Terraform tenant VM passwords are managed by VM Bot # The .tf files contain passwords needed for Proxmox VM provisioning paths = [ '''environments/production/tenant-vms\.tf''', diff --git a/.sops.yaml b/.sops.yaml deleted file mode 100644 index af4243d..0000000 --- a/.sops.yaml +++ /dev/null @@ -1,5 +0,0 @@ -creation_rules: - - path_regex: \.secrets\.yaml$ - age: age1yttnttdpafzn73mf3g8fw4x04444gymwsfrfm99fv9qkcxqzqs7sld8hln - - path_regex: secrets/.*\.yaml$ - age: age1yttnttdpafzn73mf3g8fw4x04444gymwsfrfm99fv9qkcxqzqs7sld8hln diff --git a/atlantis.yaml b/atlantis.yaml index 3952755..7c82342 100644 --- a/atlantis.yaml +++ b/atlantis.yaml 
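Review bot: With "and encrypted at rest via SOPS" dropped, the surviving comment in the .gitleaks.toml hunk says tenant-vms.tf contains Proxmox VM passwords while the allowlist entry right below it still tells gitleaks to skip that exact file, so the commit now documents plaintext credentials in a committed .tf file that the scanner is configured to ignore. The .sops.yaml rules deleted in this same patch only ever matched `\.secrets\.yaml$` and `secrets/.*\.yaml$`, so the old comment was already inaccurate for a .tf file; the fix is not a better comment but moving those passwords into OpenBao as well (a data source, or an `env` step like the one added to atlantis.yaml) and then deleting the allowlist entry. Until that happens the comment should state what actually protects them, e.g. `# Terraform tenant VM passwords are managed by VM Bot and are committed in plaintext; allowlisted until migrated to OpenBao`. This is inferred from the comment and the allowlist path only; the .tf file itself is not part of the patch.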
@@ -22,7 +22,7 @@ workflows:
       steps:
         - env:
             name: PROXMOX_VE_API_TOKEN
-            command: "sops -d --extract '[\"proxmox_api_token\"]' proxmox.secrets.yaml"
+            command: "source /secrets/openbao-approle && export BAO_TOKEN=$(bao write -field=token auth/approle/login role_id=$ROLE_ID secret_id=$SECRET_ID) && bao kv get -field=PROXMOX_VE_API_TOKEN secret/infrastructure/proxmox"
         - init
         - plan
         - run: |
@@ -38,6 +38,6 @@ workflows:
       steps:
         - env:
             name: PROXMOX_VE_API_TOKEN
-            command: "sops -d --extract '[\"proxmox_api_token\"]' proxmox.secrets.yaml"
+            command: "source /secrets/openbao-approle && export BAO_TOKEN=$(bao write -field=token auth/approle/login role_id=$ROLE_ID secret_id=$SECRET_ID) && bao kv get -field=PROXMOX_VE_API_TOKEN secret/infrastructure/proxmox"
         - init
         - apply
diff --git a/environments/production/proxmox.secrets.yaml b/environments/production/proxmox.secrets.yaml
deleted file mode 100644
index be53412..0000000
--- a/environments/production/proxmox.secrets.yaml
+++ /dev/null
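Review bot: `export BAO_TOKEN=$(bao write ...)` in the new plan-workflow command masks the login's exit status (what `&&` sees is the status of `export`, which is 0 even when the substitution failed), so a failed AppRole login does not stop the chain and `bao kv get` runs with an empty token; assign first and export separately, `BAO_TOKEN=$(bao write -field=token auth/approle/login role_id="$ROLE_ID" secret_id="$SECRET_ID") && export BAO_TOKEN && bao kv get -field=PROXMOX_VE_API_TOKEN secret/infrastructure/proxmox`. The login token is also never revoked, so every plan leaves a live OpenBao token valid until its TTL; appending `; rc=$?; bao token revoke -self >/dev/null 2>&1; exit $rc` (stdout must stay clean, since it becomes the variable's value) or giving the atlantis role a short token_ttl/token_num_uses would bound that. Whether Atlantis fails the step on a non-zero exit from an `env` command or silently sets an empty PROXMOX_VE_API_TOKEN and proceeds to init/plan is not visible here and is worth confirming, because an empty token would surface only as an opaque provider auth error later.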
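Review bot: The same login-and-fetch one-liner is now duplicated verbatim in the plan and apply workflows, which is how the two drift when one is later fixed; put it in a script on the Atlantis image, e.g. `command: "/usr/local/bin/proxmox-token"`, with `set -euo pipefail` inside so a failing `source /secrets/openbao-approle` or login aborts instead of yielding an empty token. `/secrets/openbao-approle` presumably holds a static secret_id; unless the atlantis role is configured with secret_id_num_uses/secret_id_ttl or the file is delivered per run, it is a long-lived credential equivalent to the age key it replaces and needs the same file permissions, scoping and rotation story, which the commit message does not mention. The removed SOPS blob and its age recipient remain in git history, so the Proxmox token it protected should be rotated (or the age key retired) as part of this migration rather than assumed gone.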
@@ -1,16 +0,0 @@
-proxmox_api_token: ENC[AES256_GCM,data:Dg8+7TWwsaDuQ9JJPyWBI6pc+6n3tVbg3TsjMx8OIS6R00eVTD6o2rAF6CTyIvLN2MI=,iv:cPq5O1Fl2azbVQST0+piq/3yA0Br6OZhcmkl52p2f5Q=,tag:P/CHM/ufI2xm/W4pr91QIQ==,type:str]
-sops:
-    age:
-        - recipient: age1yttnttdpafzn73mf3g8fw4x04444gymwsfrfm99fv9qkcxqzqs7sld8hln
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUU0MyOEhrWXE1K1V2aUEw
-            VFVkcHMzdnhTSUlhUjQ3b2UxYzhmdHQ5OUhVCkhHRHlFbzlhMkViRmxPTWZCUHJy
-            V3BsYUhmOVRYWEpHWkJrMFFyL1liL3cKLS0tIDB4NWVwN3NhUmoyZWp5Rnk4Yit0
-            VUdrSFVpT0FmTklybFpnOHJYbVdtbDgKzocwM5FdTxgbgL3oi344BH/2Z4oKWDN4
-            mzeExtxt+cg4KGvQXamQIzqwso4j9QrYpOB76EfWhLUL8ijGsdcWlQ==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-02-11T07:09:40Z"
-    mac: ENC[AES256_GCM,data:A89cdpQPFOH/x5PBSwdlv1SpupcSi2wp8DiRl6TNMOUDlQfP9d1ThQNE2a1lDG+H1NGDdP7josvERmZ+Y6IIh0QicyQutSizhZXDtPcNIiGBRHaI74g6Ed4TqSSgrbkZ253JGPvZqzcQOHUrfHykKJavYitHYMbQxwEUKTbamKM=,iv:PIg3H0T0IUgwDa6HjZLFghfxjUwF/8Km1x16cDlvnvQ=,tag:Oe8LU8q8lZDMI66xusZw7A==,type:str]
-    unencrypted_suffix: _unencrypted
-    version: 3.11.0