unkinben
e8c8d464a4
feat: add woodpecker service accounts for terraform-sonarr, terraform-radarr, terraform-prowlarr
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
2026-06-28 21:59:46 +10:00
unkinben
7f1444fb38
Add Authentik identity provider deployment (#211)
## Summary
- Deploy Authentik (identity.unkin.net) via Helm chart 2026.5.3
- CNPG PostgreSQL cluster (3 instances) with separate rw/ro poolers (2 instances each)
- Redis with 5Gi persistent storage
- Gateway API for HTTPS (identity.unkin.net) and LDAPS (ldap.k8s.syd1.au.unkin.net, ldap.main.unkin.net)
- TLSRoute for LDAPS passthrough, HTTPRoute for external-dns record creation
- Vault secrets for postgres credentials, authentik secret key, and S3 storage credentials
- S3 storage via RadosGW (bucket: authentik)
- 3 server replicas, 2 worker replicas
- Woodpecker ServiceAccount for terraform-authentik CI
- Platform applicationset and project updated
## Dependencies
- terraform-git #15 (merged) — repo definition
- terraform-vault #78 (merged) — auth roles and Consul ACL
## Vault secrets needed before deploy
Write to `kv/kubernetes/namespace/authentik/default/`:
- `postgres-credentials`: username + password
- `authentik-credentials`: AUTHENTIK_SECRET_KEY
- `s3-credentials`: S3 access key + secret key
Reviewed-on: #211
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-06-28 17:42:49 +10:00
benvin
ad2cdd3b63
fix: update woodpecker kustomization (#191)
Reviewed-on: #191
2026-06-17 21:34:02 +10:00
benvin
17782d716c
feat: enable terraform-artifactapi jobs (#190)
woodpecker jobs for terraform-artifactapi use the service account of the
same name to run jobs, so that it can access specific secrets
- add terraform-artifactapi serviceaccount
---------
Co-authored-by: Ben Vincent <ben@unkin.net>
Reviewed-on: #190
2026-06-17 21:23:49 +10:00
unkinben
188c39f85d
feat: add terraform-git service account for woodpecker CI (#189)
## Summary
- Add ServiceAccount terraform-git in woodpecker namespace for terraform-git CI pipelines
- Add to kustomization.yaml
## Test plan
- [ ] Verify ArgoCD syncs the new service account
- [ ] Verify woodpecker CI can use the service account
Reviewed-on: #189
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-06-07 20:36:55 +10:00
unkinben
f53a2dc4f8
fix: terraform_vault must be RFC1123 compliant (#128)
Reviewed-on: #128
2026-05-21 23:19:20 +10:00
unkinben
c5dd3cc5cb
feat: add terraform_vault role (#127)
this adds a service account that can be used to run the terraform_vault
workflows with, so that we can access the jwt to generate a token
Reviewed-on: #127
2026-05-21 23:13:48 +10:00
unkinben
0894e51ad5
feat: manage woodpecker-agent-secret in vault (#17)
- unkin/terraform-vault#60
Reviewed-on: #17
2026-03-06 18:33:21 +11:00
unkinben
244d1b5baa
fix: remove revision for pooler (#14)
- artifact from migrating yaml from k8s to argocd
Reviewed-on: #14
2026-03-03 22:50:45 +11:00
unkinben
dbd8914013
feat: migrate woodpecker to argocd (#13)
- move woodpecker helm chart deployment to argocd
- move cnpg resources
- move vault resources
Reviewed-on: #13
2026-03-03 22:24:17 +11:00