feat: migrate Atlantis from SOPS to OpenBao for Proxmox token

- Replace sops -d --extract with bao kv get -field in workflow - Remove .sops.yaml and encrypted proxmox.secrets.yaml - Update .gitleaks.toml comment (remove SOPS reference) - Proxmox token now fetched from OpenBao secret/infrastructure/proxmox via AppRole authentication (atlantis role) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-21 09:07:56 +01:00 · 2026-02-21 09:07:56 +01:00 · 27fc46664f
commit 27fc46664f
parent 207be707aa
4 changed files with 3 additions and 24 deletions
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
@ -3,7 +3,7 @@

 [allowlist]
  description = "Infrastructure repo allowlist"
-  # Terraform tenant VM passwords are managed by VM Bot and encrypted at rest via SOPS
+  # Terraform tenant VM passwords are managed by VM Bot
  # The .tf files contain passwords needed for Proxmox VM provisioning
  paths = [
    '''environments/production/tenant-vms\.tf''',
--- a/.sops.yaml
+++ b/.sops.yaml
@ -1,5 +0,0 @@
-creation_rules:
-  - path_regex: \.secrets\.yaml$
-    age: age1yttnttdpafzn73mf3g8fw4x04444gymwsfrfm99fv9qkcxqzqs7sld8hln
-  - path_regex: secrets/.*\.yaml$
-    age: age1yttnttdpafzn73mf3g8fw4x04444gymwsfrfm99fv9qkcxqzqs7sld8hln
--- a/atlantis.yaml
+++ b/atlantis.yaml
@ -22,7 +22,7 @@ workflows:
      steps:
        - env:
            name: PROXMOX_VE_API_TOKEN
-            command: "sops -d --extract '[\"proxmox_api_token\"]' proxmox.secrets.yaml"
+            command: "source /secrets/openbao-approle && export BAO_TOKEN=$(bao write -field=token auth/approle/login role_id=$ROLE_ID secret_id=$SECRET_ID) && bao kv get -field=PROXMOX_VE_API_TOKEN secret/infrastructure/proxmox"
        - init
        - plan
        - run: |
@ -38,6 +38,6 @@ workflows:
      steps:
        - env:
            name: PROXMOX_VE_API_TOKEN
-            command: "sops -d --extract '[\"proxmox_api_token\"]' proxmox.secrets.yaml"
+            command: "source /secrets/openbao-approle && export BAO_TOKEN=$(bao write -field=token auth/approle/login role_id=$ROLE_ID secret_id=$SECRET_ID) && bao kv get -field=PROXMOX_VE_API_TOKEN secret/infrastructure/proxmox"
        - init
        - apply
--- a/environments/production/proxmox.secrets.yaml
+++ b/environments/production/proxmox.secrets.yaml
@ -1,16 +0,0 @@
-proxmox_api_token: ENC[AES256_GCM,data:Dg8+7TWwsaDuQ9JJPyWBI6pc+6n3tVbg3TsjMx8OIS6R00eVTD6o2rAF6CTyIvLN2MI=,iv:cPq5O1Fl2azbVQST0+piq/3yA0Br6OZhcmkl52p2f5Q=,tag:P/CHM/ufI2xm/W4pr91QIQ==,type:str]
-sops:
-    age:
-        - recipient: age1yttnttdpafzn73mf3g8fw4x04444gymwsfrfm99fv9qkcxqzqs7sld8hln
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUU0MyOEhrWXE1K1V2aUEw
-            VFVkcHMzdnhTSUlhUjQ3b2UxYzhmdHQ5OUhVCkhHRHlFbzlhMkViRmxPTWZCUHJy
-            V3BsYUhmOVRYWEpHWkJrMFFyL1liL3cKLS0tIDB4NWVwN3NhUmoyZWp5Rnk4Yit0
-            VUdrSFVpT0FmTklybFpnOHJYbVdtbDgKzocwM5FdTxgbgL3oi344BH/2Z4oKWDN4
-            mzeExtxt+cg4KGvQXamQIzqwso4j9QrYpOB76EfWhLUL8ijGsdcWlQ==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-02-11T07:09:40Z"
-    mac: ENC[AES256_GCM,data:A89cdpQPFOH/x5PBSwdlv1SpupcSi2wp8DiRl6TNMOUDlQfP9d1ThQNE2a1lDG+H1NGDdP7josvERmZ+Y6IIh0QicyQutSizhZXDtPcNIiGBRHaI74g6Ed4TqSSgrbkZ253JGPvZqzcQOHUrfHykKJavYitHYMbQxwEUKTbamKM=,iv:PIg3H0T0IUgwDa6HjZLFghfxjUwF/8Km1x16cDlvnvQ=,tag:Oe8LU8q8lZDMI66xusZw7A==,type:str]
-    unencrypted_suffix: _unencrypted
-    version: 3.11.0