obsidian/infra/vault.md at 5bf9f5f5630305dc88f2bf88b31881dfbd96eeef

kaffa/obsidian

Fork 0

Files

heimdall 5bf9f5f563 auto: vault secret tree sync (2026-04-15, 104 paths)

2026-04-15 10:43:07 +09:00

5.0 KiB

Raw Blame History

title, updated, tags

title

updated

K3s 배포

HashiCorp Vault v1.21.2, K3s에 HA Raft 3노드로 배포 (Helm chart hashicorp/vault 0.32.0). namespace: vault. 스토리지: Longhorn 10Gi PVC. Unseal key 5개 (threshold 3), 키 파일: ~/vault-keys.json

접근

UI/API: https://hcv.inouter.com
트래픽 흐름: BunnyCDN (pull zone: inouter, ID 5316471) → SafeLine WAF → apisix (라우트 hcv-inouter-com) → K3s Traefik (192.168.9.134/140/214:443) → vault-active:8200
K3s Ingress: vault-ui (class traefik, TLS wildcard-inouter-com-tls)
APISIX upstream: hcv-inouter-com (roundrobin, 3노드 443)

Root Token

Vault root token은 만료 없음 (TTL: 0s)

접근 정책

접근 정책: infra-read(읽기 전용), infra-admin(읽기/쓰기)

시크릿 구조 (KV v1)

⚠️ KV v1 — 버전 관리 없음. 덮어쓰기 주의. ⚠️ 시크릿 읽을 때 모든 키를 확인할 것 — 한 경로에 여러 키가 있음 (예: cloudflare에 api_token과 global_api_key 둘 다 있음)

전수 목록 (2026-04-15 실측)

| 카테고리 | 경로 | 내용 | |----------| ai/ | brave, context7, deepseek, google/drive-mcp, openai, openrouter, pinecone, testsprite, vertex | | apps/ | anomaly-detect, cfb-manager, cf-multisite, discord, figma, gitea, gitea/registry, k3s, myapp, n8n, nocodb, ops-agents-ssh, outline, portainer, postgres, sftpgo, telegram-ai-support, trader, twilio, waf-saas | | auth/ | api-keys/openai, api-keys/stripe, github/oauth-gitea, google/ca/external-account-key, google/ca/service-account, google/oauth-gitea | | cloud/ | alibaba, aws, backblaze, backblaze/restic, bunnycdn, cloudflare, cloudflare-netbis, cloudflare/r2, cloudflare/turnstile-crowdsec-captcha, cloudflare/turnstile-inouter-bunny, latitude, lightsail, linode, r2-gitea, r2-multisite, r2-sftpgo, supabase, vultr, zenlayer | | company/ | bank, info, ironclad, korbit, koreaexim, popbill | | database/ | bunnydb/cs-blocklist, postgres, redis | | domain/ | globalping, maxmind, namecheap, namecheap/api, namecheap/api-server, namecheap/deposit-api, namecheap/registrant | | infra/ | apisix, argocd, cert-manager, cf-tunnel-manager, crowdsec-bunny-bouncer, google/eab, ilo, k8s/infra-tool, mariadb, safeline, ssh, ssh/id_ed25519, tailscale, vault-sync | | messaging/ | discord/bot, discord-brokkr, discord/claudechannel, discord-claude-code, discord/nocodb-webhook, discord/webhook-heimdall, discord/webhook-relay, mailgun/api-key, mailgun/smtp, telegram | | openclaw/ | discord/main-bot, gateway/local, gitea/main, integrations/discord, oauth/gmail, runtime/test, test, tools/brave | | product/ | irondesk/ton-wallet, irondesk/tron |

자주 사용하는 시크릿 (빠른 참조)

용도	경로	주요 키	주의사항
Cloudflare API	`cloud/cloudflare`	`api_token` (제한), `global_api_key` (전체 권한), `email`, `account_id`	Rulesets/Firewall/Rate Limits는 `global_api_key`만 접근 가능
BunnyCDN API	`cloud/bunnycdn`	`api_key`
Gitea API	`apps/gitea`	`api_token`, `url`, `admin_password`
Outline API	`apps/outline`	`api-key` (kappa), `brokkr-api-key` (에이전트)
Portainer API	`apps/portainer`	`api_token`, `url`
Turnstile (crowdsec)	`cloud/cloudflare/turnstile-crowdsec-captcha`	`sitekey`, `secret_key`
Mailgun	`messaging/mailgun/api-key`
Discord 봇	`messaging/discord/bot`
ops 에이전트 SSH	`apps/ops-agents-ssh`	`private_key`, `public_key`

SSH CA (Signed Certificates)

Vault SSH Secrets Engine (ssh-client-signer/) 활성화. CA 키: ed25519. 역할: admin (allowed_users: root,kaffa,admin, TTL 8h, max 24h).

CA 등록 완료 서버:

infra-hosts (100.108.39.107) — root
infra-hosts (100.109.123.1) — kaffa
infra-hosts (100.84.111.28) — kaffa
infra-hosts (100.119.109.41) — kaffa
zlambda (100.78.51.18, 구 sandbox-tokyo) — root [2026-04-08 NixOS 재설치 후 미등록, 재등록 필요]
infra-hosts (100.120.61.54) — admin

미등록: safeline-osaka (응답 없음)

자동화: ~/.ssh/vault-sign.sh가 인증서 만료 시 자동 재발급 (vault CLI 기반). 인증서에 root,kaffa,admin principals 포함. ~/.ssh/config에 Match exec로 연동. ssh apisix-osaka 등 일반 SSH처럼 사용 가능.

MCP 서버

vault-mcp-server v0.2.0 (hashicorp/vault-mcp-server:0.2.0 Docker 이미지). K3s vault namespace에 Deployment로 배포. streamable-http 모드, 엔드포인트: https://hcv.inouter.com/mcp. 내부 통신: vault-active.vault.svc.cluster.local:8200. token은 Secret vault-mcp-token에 저장. Claude Code MCP 설정: type http, url https://hcv.inouter.com/mcp. K3s Ingress vault-mcp가 /mcp 경로를 vault-mcp-server Service(8080)로 라우팅. 로컬 바이너리도 /usr/local/bin/vault-mcp-server에 설치됨.

5.0 KiB Raw Blame History