This repository contains the infrastructure as code (IaC) for the HashiCorp Vault instance, written with Pulumi.
To create the infrastructure and deploy the cluster, a Pulumi Stack with the correct configuration needs to exist.
The stack can be deployed via:
```sh
yarn install
yarn build; pulumi up
```
The entire infrastructure can be destroyed via:
```sh
yarn install
yarn build; pulumi destroy
```
To successfully run and configure the Pulumi plugins, you need to set the following environment variables. Alternatively, refer to the configuration documentation of the Pulumi providers in use.
- `CLOUDSDK_COMPUTE_REGION`: the Google Cloud (GCP) region
- `GOOGLE_APPLICATION_CREDENTIALS`: path to a file containing the Google Cloud (GCP) service account credentials
- `GITHUB_TOKEN`: the GitHub Personal Access Token (PAT)
- `PROXMOX_VE_USERNAME`: the Proxmox username
- `PROXMOX_VE_PASSWORD`: the Proxmox password
- `PROXMOX_VE_ENDPOINT`: the endpoint to connect to Proxmox
- `PROXMOX_VE_INSECURE`: turn insecure connections to Proxmox on or off
The following section describes the configuration which must be set in the Pulumi Stack.
Attention: use the Secrets Encryption provided by Pulumi for all secret values!
- `bucketId`: the bucket identifier to upload assets to
Applications deployed by Flux can reference secrets encrypted with sops. The sops encryption key stored in Google KMS must be specified here, and access to it granted.
- `gcp`:
  - `project`: the GCP project to create all resources in
  - `region`: the GCP region to create resources in
  - `encryptionKey`: references the sops encryption key
    - `cryptoKeyId`: the CryptoKey identifier
    - `keyringId`: the KeyRing identifier
    - `location`: the location of the key
General configuration of the local network.
- `network`:
  - `domain`: the internal DNS domain
  - `ipv4`:
    - `cidrMask`: the CIDR mask of the internal IPv4 network
    - `enabled`: enables IPv4 networking
    - `gateway`: the IPv4 gateway
  - `ipv6`:
    - `cidrMask`: the CIDR mask of the internal IPv6 network
    - `enabled`: enables IPv6 networking
    - `gateway`: the IPv6 gateway
  - `nameservers`: a list of all nameservers to set (IPv4 and IPv6)
The OIDC provider configuration used for logging in to the Vault instance.
- `oidc`:
  - `discoveryUrl`: the OIDC discovery URL (without the ".well-known" path)
  - `clientId`: the client ID
  - `clientSecret`: the client secret
  - `redirectUrls`: a list of redirect URLs to set
General configuration of the Proxmox environment.
Attention: you must download the specified `imageName` to each Proxmox host!
- `pve`:
  - `cpuType`: the default CPU type to assign to machines
  - `imageName`: the reference to the locally installed image
  - `localStoragePool`: the storage pool used for snippets
  - `networkBridge`: the network bridge to use for server connectivity
  - `storagePool`: the storage pool used for machine disks
The Proxmox server configuration.
- `server`:
  - `cpu`: the CPU allocation
  - `diskSize`: the disk size to use
  - `memory`: memory configuration (enables or disables ballooning automatically)
    - `min`: the minimum memory to assign
    - `max`: the maximum memory to assign
  - `host`: the Proxmox host to create the node on
  - `ipv4Address`: the internal IPv4 address
  - `ipv6Address`: the internal IPv6 address (optional)
  - `startupOrder`: the order in which the VM should be started automatically
  - `username`: the username to use for interacting with the servers
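As an added example (not code from this repository), the following TypeScript checks a stack configuration against the schema documented above before `pulumi up` is run: it verifies that `oidc.clientSecret` is stored encrypted (Pulumi writes encrypted values as a `secure:` object), that `discoveryUrl` omits the `.well-known` path, that the CIDR masks fit their address family, and that the memory range for ballooning is sane. The sample configuration and its ciphertext are constructed placeholders, and `validateStackConfig` is a hypothetical helper name.

```typescript
type Leaf = string | number | boolean;
type Secure = { secure: string };            // shape Pulumi uses for an encrypted secret
type ConfigNode = Leaf | Secure | ConfigNode[] | { [k: string]: ConfigNode };

const isSecure = (v: unknown): v is Secure =>
  typeof v === "object" && v !== null && typeof (v as Secure).secure === "string";

// Resolve a dotted path such as "oidc.clientSecret" inside the nested stack config.
function get(cfg: ConfigNode, path: string): ConfigNode | undefined {
  return path.split(".").reduce<ConfigNode | undefined>(
    (cur, key) => (cur !== undefined && typeof cur === "object" && !isSecure(cur) ? (cur as any)[key] : undefined),
    cfg,
  );
}

// Returns the list of problems found; an empty list means the stack config is acceptable.
function validateStackConfig(cfg: ConfigNode): string[] {
  const problems: string[] = [];
  // Secret values must be stored encrypted (pulumi config set --secret), never in plain text.
  const secret = get(cfg, "oidc.clientSecret");
  if (secret === undefined) problems.push("oidc.clientSecret: missing");
  else if (!isSecure(secret)) problems.push("oidc.clientSecret: must be an encrypted secret");
  // The discovery URL is the issuer base; the provider appends the .well-known path itself.
  const url = get(cfg, "oidc.discoveryUrl");
  if (typeof url !== "string" || !url.startsWith("https://")) problems.push("oidc.discoveryUrl: must be an https URL");
  else if (url.includes(".well-known")) problems.push("oidc.discoveryUrl: must not contain the .well-known path");
  // CIDR masks must fit the address family they belong to.
  for (const [p, bits] of [["network.ipv4.cidrMask", 32], ["network.ipv6.cidrMask", 128]] as const) {
    const m = get(cfg, p);
    if (typeof m !== "number" || !Number.isInteger(m) || m < 0 || m > bits)
      problems.push(`${p}: must be an integer between 0 and ${bits}`);
  }
  // Ballooning needs a minimum that does not exceed the maximum.
  const min = get(cfg, "server.memory.min"), max = get(cfg, "server.memory.max");
  if (typeof min !== "number" || typeof max !== "number" || min > max)
    problems.push("server.memory: min must be a number not greater than max");
  return problems;
}

// Constructed sample stack config; every value is a placeholder and the ciphertext is not real.
const sampleConfig: ConfigNode = {
  bucketId: "vault-assets-example",
  gcp: { project: "example-project", region: "europe-west1",
         encryptionKey: { cryptoKeyId: "sops", keyringId: "flux", location: "europe" } },
  network: { domain: "home.example", ipv4: { cidrMask: 24, enabled: true, gateway: "10.0.0.1" },
             ipv6: { cidrMask: 64, enabled: false, gateway: "" }, nameservers: ["10.0.0.1"] },
  oidc: { discoveryUrl: "https://idp.example.internal", clientId: "vault",
          clientSecret: { secure: "v1:PLACEHOLDER-CIPHERTEXT" }, redirectUrls: ["https://vault.home.example/oidc/callback"] },
  server: { memory: { min: 2048, max: 4096 } },
};
```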
- GitHub Actions lint and verify the code.
- Renovate Bot updates NodeJS packages and GitHub Actions.