The plugin monitors a git repository for new commits. When a new commit carries the required number of valid signatures from trusted keys, the plugin applies the configuration it contains.
- Configuration is described in Terraform format.
- Terraform state is stored in Vault.
- The Vault connection uses the address and token specified in the plugin configuration.
- The plugin currently requires a renewable periodic token; it renews the token automatically 24 hours before expiration.
- Status and any errors can be viewed via the `/v1/gitops/status` endpoint.
- The plugin is assumed to manage the configuration of the Vault it runs in, but this isn't required; it can be pointed at another Vault.
- If you enable several instances of the plugin (separate mounts), each mount can apply a different part of the configuration from its own repository, limited to what its token is allowed to access.
Build the plugin and register it with Vault. The binary must be placed in the directory configured as `plugin_directory` on the Vault server, and the SHA-256 you register must be computed over that copy:

```shell
go build -o gitops cmd/gitops-terraform/main.go
SHA=$(sha256sum $PWD/gitops | awk '{print $1;}')
vault plugin register -command gitops -sha256 $SHA -version=v0.0.1 secret gitops
vault secrets enable gitops
```

Add a repository to monitor:
```shell
vault write gitops/configure/git_repository \
    git_repo_url="https://gitlab.com/user/vault-gitops-configuration.git" \
    required_number_of_verified_signatures_on_commit=1 \
    git_poll_period=1m
```

If the repository is private, configure credentials for access:
```shell
vault write gitops/configure/git_credential \
    username=token \
    password=glpat-EAEAEAEAEK4SmS7Xmh4XP3m86MQp1OjE0CA.00.000123456
```

Create keys for signing:
```shell
gpg --quick-generate-key "key1 <key1@example.com>" rsa4096
gpg --quick-generate-key "key2 <key2@example.com>" rsa4096
```

Export the public parts of the keys:
```shell
gpg --armor --output key1.pgp --export key1
gpg --armor --output key2.pgp --export key2
```

Upload the exported public keys to Vault as trusted signing keys:
```shell
vault write gitops/configure/trusted_pgp_public_key/key1 public_key=@key1.pgp
vault write gitops/configure/trusted_pgp_public_key/key2 public_key=@key2.pgp
```

Configure the plugin's access to the Vault API:
```shell
TOKEN=$(vault token create -orphan -period=7d -policy=root -display-name="gitops-plugin" -wrap-ttl 1m -field=wrapping_token)
vault write gitops/configure/vault vault_addr=http://127.0.0.1:8200 wrapping_token=$TOKEN
```

This creates a response-wrapped periodic token (`-period=7d` satisfies the renewable periodic token requirement above) and hands only the wrapping token to the plugin. The plugin unwraps it and keeps the real token in its own storage; the token cannot be read back through the API. With Vault Enterprise and seal wrap enabled on the mount, the stored token is additionally encrypted with the seal.

The example attaches the `root` policy for brevity. In practice, attach a policy limited to the paths the Terraform configuration in the repository manages: the plugin can only change what its token is allowed to access, and a compromise of the repository or of a signing key should not translate into full control of Vault.
Install git-signatures: copy the `bin/git-signatures` file to a directory on your `PATH`, so that `git signatures ...` works as a git subcommand.

Clone the configuration repository (the example uses the repository configured above) or create a new one:

```shell
git clone https://gitlab.com/user/vault-gitops-configuration.git
cd vault-gitops-configuration
```

List the available keys and note the ID of the key you will sign with:
```shell
gpg --list-keys
```

Configure git to sign with that key:
```shell
git config user.signingKey <KEY_ID>
# Example: git config user.signingKey 0C3AAAA10E30D5F3
```

Add an arbitrary commit and sign it:
```shell
date > .demo
git add .demo
git commit -m 'demo commit'
git signatures add
```

Verify the signature:
```shell
git signatures show
```

Expected output:
```text
Public Key ID    | Status   | Trust    | Date                         | Signer Name
=====================================================================================================
0C3AAAA10E30D5F3 | VALIDSIG | ULTIMATE | Mon 22 Dec 2025 20:19:33 MSK | key1 <key1@example.com>
```
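Before pushing, it is worth checking on the client side that the commit already satisfies the `required_number_of_verified_signatures_on_commit` rule, because a commit that falls short is simply never applied by the plugin. The script below is an added example, not part of the plugin or of git-signatures: it parses the table printed by `git signatures show` (same layout as the expected output above), counts distinct key IDs that appear with status `VALIDSIG` and belong to the set of trusted keys uploaded to Vault, and compares the count to the required number. The function names, the trusted key list, the second key ID `1D4BBBB21F41E6A4`, the untrusted key `FFFF000011112222` and the `BADSIG` row in the sample are all constructed for this example.

```shell
#!/bin/sh
# Added example: client-side pre-push check mirroring the plugin's
# required_number_of_verified_signatures_on_commit rule. Not part of the
# plugin or of git-signatures; names and sample data are constructed.

# Key IDs of the public keys uploaded under gitops/configure/trusted_pgp_public_key/.
# The first is the key from the expected output above; the second is made up.
TRUSTED_KEY_IDS="0C3AAAA10E30D5F3 1D4BBBB21F41E6A4"
REQUIRED_SIGNATURES=1

# count_trusted_valid_sigs TABLE
# TABLE is the text printed by `git signatures show`. Counts distinct key IDs
# that appear with Status VALIDSIG and are listed in TRUSTED_KEY_IDS.
# The header row never matches a trusted ID and the "====" separator has no
# "|" columns, so neither needs special handling. A key that signed twice
# is counted once, so one signer cannot satisfy a two-signature rule alone.
count_trusted_valid_sigs() {
    printf '%s\n' "$1" | awk -F'|' -v trusted="$TRUSTED_KEY_IDS" '
        BEGIN { n = split(trusted, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
        NF >= 2 {
            id = $1;     gsub(/[ \t]/, "", id)
            status = $2; gsub(/[ \t]/, "", status)
            if (status == "VALIDSIG" && (id in ok) && !(id in seen)) {
                seen[id] = 1
                count++
            }
        }
        END { print count + 0 }'
}

# check_signatures TABLE REQUIRED
# Succeeds (exit 0) only if TABLE shows at least REQUIRED trusted valid signatures.
check_signatures() {
    n=$(count_trusted_valid_sigs "$1")
    [ "$n" -ge "$2" ]
}

# Constructed sample in the layout of `git signatures show`: one valid signature
# from a trusted key, one valid signature from an untrusted key, one bad
# signature from a trusted key, and a duplicate of the first row.
SAMPLE='Public Key ID | Status | Trust | Date | Signer Name
=====================================================================================================
0C3AAAA10E30D5F3 | VALIDSIG | ULTIMATE | Mon 22 Dec 2025 20:19:33 MSK | key1 <key1@example.com>
FFFF000011112222 | VALIDSIG | UNKNOWN | Mon 22 Dec 2025 20:21:07 MSK | stranger <someone@example.org>
1D4BBBB21F41E6A4 | BADSIG | ULTIMATE | Mon 22 Dec 2025 20:22:41 MSK | key2 <key2@example.com>
0C3AAAA10E30D5F3 | VALIDSIG | ULTIMATE | Mon 22 Dec 2025 20:19:33 MSK | key1 <key1@example.com>'

# Only the trusted VALIDSIG row counts, and only once: 1 signature. With
# REQUIRED_SIGNATURES=1 the check passes; requiring 2 fails until key2 adds a
# valid signature. In a real checkout, use it as a pre-push gate:
#   check_signatures "$(git signatures show)" "$REQUIRED_SIGNATURES" || exit 1
```

The trusted list is kept on the client only as a convenience; the plugin's own check against the keys stored in Vault remains the authoritative one, and this script merely saves you a push that would never be applied.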
Push the changes. The signatures are stored in a separate ref, so they are pushed with their own command:

```shell
git push origin main
git signatures push
```

To remove the plugin, disable the mount and deregister the plugin:

```shell
vault secrets disable gitops
vault plugin deregister -version=v0.0.1 secret gitops
```