# Vault Service Schema
# Secrets management and encryption configuration
let constraints = import "schemas/platform/common/constraints.ncl" in
let docker_build_schema = import "schemas/platform/docker-build.ncl" in
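# Builds a contract that accepts exactly one of the strings in `allowed`.
#
# `field` is the setting name used in the error message so a failure points
# at the offending key. The "Valid values" list in the message is derived
# from `allowed` rather than hand-copied, so the two can no longer drift.
#
# A non-string value (e.g. a number or a record) is rejected with a contract
# error instead of crashing: the original interpolated `%{value}` directly,
# and string interpolation of a non-string aborts evaluation before the
# intended message is produced.
let one_of = fun field allowed =>
  let valid = std.string.join " | " allowed in
  std.contract.custom (
    fun label value =>
      if !(std.is_string value) then
        'Error {
          message = "Invalid %{field}: expected a string, got a value of type %{std.to_string (std.typeof value)}.\nValid values: %{valid}",
        }
      else if std.array.elem value allowed then
        'Ok value
      else
        'Error {
          message = "Invalid %{field} '%{value}'.\nValid values: %{valid}",
        }
  )
in

# Where the vault service persists its state.
let VaultStorage =
  one_of "storage_backend" ["surrealdb", "etcd", "postgresql", "filesystem"]
in

# How the service is run.
let DeploymentMode = one_of "deployment_mode" ["local", "docker", "kubernetes"] in

# Logging verbosity, lowest to highest severity.
let LogLevel = one_of "log level" ["debug", "info", "warn", "error"] in

# High-availability topology.
let HAMode = one_of "HA mode" ["active-passive", "active-active"] in

# Authenticated-encryption algorithm for stored secrets. All three are AEAD
# ciphers; the list is deliberately closed so an unauthenticated mode cannot
# be configured by accident.
let EncryptionAlgorithm =
  one_of "encryption_algorithm" ["aes-256-gcm", "aes-128-gcm", "chacha20-poly1305"]
in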
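{
  # Validation contract for a vault-service configuration. Every section is
  # optional, so a partial configuration still validates; the `default`s
  # below are filled in when a section is present but the field is absent.
  # Only `storage_backend` carried `doc` metadata before; the fields a
  # security reviewer cares about (key paths, credentials, TLS) now do too,
  # so `nickel query` surfaces their caveats.
  VaultServiceConfig = {
    # Server configuration (port must be >= 9000 for vault-service)
    server | {
      host | String,
      port | Number | constraints.port_high,
      workers | Number | optional,
      keep_alive | Number | optional,
      max_connections | Number | optional,
    } | optional,

    # Storage backend configuration
    # NOTE(review): both `storage.backend` and `vault.storage_backend` are
    # VaultStorage selectors and can be set to different values; confirm
    # whether the consumer reads both or one of them is a leftover.
    storage | {
      backend | VaultStorage,
      path | String | optional,
      encryption_key_path
        | doc "Path to the storage encryption key. This is key material: keep the file out of images, version control and world-readable locations."
        | String
        | optional,
    } | optional,

    # Vault-specific settings
    vault | {
      server_url | String,
      storage_backend
        | doc "Storage Backend for Vault"
        | VaultStorage
        | default = "filesystem",
      deployment_mode | DeploymentMode | optional,
      auth_token
        | doc "Token used to authenticate to the vault server. Treat as a secret: supply it at deploy time (secret store or environment) rather than committing it in a config file."
        | String
        | optional,
      mount_point | String | default = "transit",
      key_name | String | default = "provisioning-master",
      # NOTE(review): the default turns TLS verification off. That is only
      # appropriate for a local development deployment; production profiles
      # should set this to true and provide `tls_ca_cert` if the server
      # certificate is not signed by a system-trusted CA.
      tls_verify
        | doc "Whether to verify the vault server's TLS certificate. Defaults to false (verification disabled); set true for any shared or production deployment."
        | Bool
        | default = false,
      tls_ca_cert
        | doc "Path to a CA certificate bundle used to verify the vault server's certificate."
        | String
        | optional,
    } | optional,

    # High Availability configuration
    # NOTE(review): `mode` stays optional when `enabled = true`; confirm the
    # consumer has a defined behaviour for that combination.
    ha | {
      enabled | Bool | default = false,
      mode | HAMode | optional,
    } | optional,

    # Security configuration
    security | {
      encryption_algorithm | EncryptionAlgorithm | optional,
      key_rotation_days
        | doc "Interval, in days, between rotations of the encryption key. No validation of the range is performed here."
        | Number
        | optional,
    } | optional,

    # Monitoring and logging
    monitoring | {
      enabled | Bool | default = false,
      metrics_interval | Number | optional,
    } | optional,

    logging | {
      level | LogLevel | default = "info",
      format | String | optional,
    } | optional,

    # Docker build configuration
    build | docker_build_schema.DockerBuildConfig | optional,
  },
}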