5 Commits

Author SHA1 Message Date
benvin 30cb219d18 Merge pull request 'Add terraform-provider-litellmvaultsecret implementation' (#1) from benvin/initial-implementation into main
ci/woodpecker/tag/release Pipeline was successful
Reviewed-on: #1
2026-07-03 14:18:57 +10:00
unkinben db3d4c3956 Set kubernetes backend options on all woodpecker steps
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/build Pipeline was successful
ci/woodpecker/pr/test Pipeline was successful
Give every CI step explicit resource requests/limits and the default service
account (matching the pre-commit step), so the k8s woodpecker backend schedules
them with bounded resources.

- build/test/lint/package steps: 512Mi/1cpu requests, 2Gi/2cpu limits
- upload step: lighter 128Mi/100m requests, 512Mi/500m limits
2026-07-03 13:13:00 +10:00
unkinben 59448a5bd2 Use reachable artifactapi host in release upload
ci/woodpecker/pr/test Pipeline was successful
ci/woodpecker/pr/build Pipeline was successful
ci/woodpecker/pr/pre-commit Pipeline was successful
Point the on-tag upload at artifactapi.k8s.syd1.au.unkin.net instead of the
unresolvable artifactapi3 name, matching the host used elsewhere (rpmbuilder,
terragrunt env).
2026-07-03 13:06:32 +10:00
unkinben 1c58360d3c Add on-tag release pipeline to upload the provider to artifactapi
ci/woodpecker/pr/test Pipeline was successful
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/build Pipeline was successful
Publish the provider so it can be consumed from terraform-vault: on a tag,
package the linux_amd64 build into a versioned zip and PUT it to the artifactapi
terraform registry, mirroring terraform-provider-artifactapi's release flow.

- Add .woodpecker/release.yml (event: tag) running make package + curl upload to
  remotes/terraform-unkin/files/unkin/litellmvaultsecret/
2026-07-03 12:34:52 +10:00
unkinben 4e57e2dba7 Rename resources to litellm_secret_* prefix
ci/woodpecker/pr/build Pipeline was successful
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/test Pipeline was successful
Use the shorter, cleaner litellm_ resource prefix instead of
litellmvaultsecret_. The provider source stays git.unkin.net/unkin/
litellmvaultsecret; only the resource prefix (provider Metadata TypeName)
changes to litellm, declared under the local name litellm in
required_providers — the same pattern google-beta uses to ship google_*.

- Provider TypeName litellmvaultsecret -> litellm
- Resources: litellm_secret_backend, litellm_secret_backend_role
- Update examples (dirs + contents), README, and the e2e terraform config
2026-07-03 12:29:39 +10:00
8 changed files with 97 additions and 20 deletions
+10
@@ -6,3 +6,13 @@ steps:
image: golang:1.25
commands:
- make build
backend_options:
kubernetes:
serviceAccountName: default
resources:
requests:
memory: 512Mi
cpu: 1
limits:
memory: 2Gi
cpu: 2
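Review bot: The added `serviceAccountName: default` makes this step's pod run under the namespace's default service account, and the same block is added to the lint, test, package and upload steps, so the point applies to all of them. The commit list shows these pipelines running on pull requests, which means `make build`, `make lint` and `make test` execute PR-supplied code inside those pods. Nothing visible here shows whether the default account carries RBAC bindings or has its token automounted; if either holds, that code can call the Kubernetes API with the account's rights. I would point the steps at a dedicated service account with no role bindings and `automountServiceAccountToken: false`, and add a comment such as `# CI runs untrusted PR code: this service account must hold no RBAC bindings`. The step definition starts above the hunk.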
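--- a/.woodpecker/release.yml
+++ b/.woodpecker/release.yml
@@ -0,0 +1,40 @@
+when:
+- event: tag
+steps:
+- name: package
+image: git.unkin.net/unkin/almalinux9-gobuilder:20260606
+commands:
+- make package VERSION=${CI_COMMIT_TAG}
+backend_options:
+kubernetes:
+serviceAccountName: default
+resources:
+requests:
+memory: 512Mi
+cpu: 1
+limits:
+memory: 2Gi
+cpu: 2
+- name: upload
+image: git.unkin.net/unkin/almalinux9-base:20260606
+commands:
+- |
+VERSION=$$(echo ${CI_COMMIT_TAG} | sed 's/^v//')
+FILE="terraform-provider-litellmvaultsecret_$${VERSION}_linux_amd64.zip"
+curl -f -X PUT \
+"https://artifactapi.k8s.syd1.au.unkin.net/api/v2/remotes/terraform-unkin/files/unkin/litellmvaultsecret/$${FILE}" \
+-H "Content-Type: application/zip" \
+--data-binary @"$${FILE}"
+depends_on: [package]
+backend_options:
+kubernetes:
+serviceAccountName: default
+resources:
+requests:
+memory: 128Mi
+cpu: 100m
+limits:
+memory: 512Mi
+cpu: 500m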
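Review bot: The tag name is spliced into the script text unquoted in both steps, `make package VERSION=${CI_COMMIT_TAG}` and `echo ${CI_COMMIT_TAG} | sed 's/^v//'`. The file escapes its shell variables as `$$`, which suggests the unescaped `${...}` form is substituted before the shell runs, so a tag containing shell metacharacters would become part of the command for anyone allowed to push tags. Reading the variable at run time with `VERSION="$${CI_COMMIT_TAG#v}"` and rejecting non-version input with `case "$$VERSION" in *[!0-9A-Za-z.+-]*) exit 1;; esac` closes that; the package step needs the same quoting. Separately, the `curl -f -X PUT` sends no credential and no checksum file is published beside the zip. If write access to the registry depends on network position, say so in a comment, and consider uploading a `SHA256SUMS` file so consumers can verify the provider they download.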
+20
@@ -6,8 +6,28 @@ steps:
image: golang:1.25
commands:
- make lint
backend_options:
kubernetes:
serviceAccountName: default
resources:
requests:
memory: 512Mi
cpu: 1
limits:
memory: 2Gi
cpu: 2
- name: test
image: golang:1.25
commands:
- make test
backend_options:
kubernetes:
serviceAccountName: default
resources:
requests:
memory: 512Mi
cpu: 1
limits:
memory: 2Gi
cpu: 2
+13 -9
@@ -13,21 +13,25 @@ config, and the roles that scope generated virtual keys — for use from
```hcl
terraform {
required_providers {
litellmvaultsecret = {
litellm = {
source = "git.unkin.net/unkin/litellmvaultsecret"
}
}
}
provider "litellmvaultsecret" {
provider "litellm" {
address = "https://vault.example.com" # or VAULT_ADDR
token = var.vault_token # or VAULT_TOKEN
}
```
> The provider's source is `git.unkin.net/unkin/litellmvaultsecret`, but its
> resources are prefixed `litellm_`. Declare it under the local name `litellm`
> (as above), the same way `google-beta` ships `google_*` resources.
## Resources
### `litellmvaultsecret_secret_backend`
### `litellm_secret_backend`
Mounts the engine and writes its connection config.
@@ -40,7 +44,7 @@ Mounts the engine and writes its connection config.
| `description` | no | Mount description. |
| `request_timeout_seconds` | no | Plugin→LiteLLM HTTP timeout (default 30). |
### `litellmvaultsecret_secret_backend_role`
### `litellm_secret_backend_role`
Manages a role that constrains generated keys.
@@ -58,14 +62,14 @@ Manages a role that constrains generated keys.
## Example
```hcl
resource "litellmvaultsecret_secret_backend" "litellm" {
resource "litellm_secret_backend" "litellm" {
path = "litellm"
base_url = "http://litellm.litellm.svc:4000"
master_key = var.litellm_master_key
}
resource "litellmvaultsecret_secret_backend_role" "team_a" {
backend = litellmvaultsecret_secret_backend.litellm.path
resource "litellm_secret_backend_role" "team_a" {
backend = litellm_secret_backend.litellm.path
name = "team-a"
models = ["gpt-3.5-turbo", "gpt-4"]
max_budget = 50
@@ -80,8 +84,8 @@ budgeted, lease-bound virtual key.
## Import
```sh
terraform import litellmvaultsecret_secret_backend.litellm litellm
terraform import litellmvaultsecret_secret_backend_role.team_a litellm/roles/team-a
terraform import litellm_secret_backend.litellm litellm
terraform import litellm_secret_backend_role.team_a litellm/roles/team-a
```
## Development
@@ -1,17 +1,17 @@
terraform {
required_providers {
litellmvaultsecret = {
litellm = {
source = "git.unkin.net/unkin/litellmvaultsecret"
}
}
}
provider "litellmvaultsecret" {
provider "litellm" {
# address and token fall back to VAULT_ADDR / VAULT_TOKEN
address = "https://vault.example.com"
}
resource "litellmvaultsecret_secret_backend" "litellm" {
resource "litellm_secret_backend" "litellm" {
path = "litellm"
description = "LiteLLM dynamic virtual keys"
base_url = "http://litellm.litellm.svc:4000"
@@ -1,5 +1,5 @@
resource "litellmvaultsecret_secret_backend_role" "team_a" {
backend = litellmvaultsecret_secret_backend.litellm.path
resource "litellm_secret_backend_role" "team_a" {
backend = litellm_secret_backend.litellm.path
name = "team-a"
models = ["gpt-3.5-turbo", "gpt-4"]
+4 -1
@@ -29,7 +29,10 @@ func New(version string) func() provider.Provider {
}
func (p *litellmProvider) Metadata(_ context.Context, _ provider.MetadataRequest, resp *provider.MetadataResponse) {
resp.TypeName = "litellmvaultsecret"
// The provider's source address is git.unkin.net/unkin/litellmvaultsecret,
// but its resources are prefixed "litellm_" (declare it in required_providers
// under the local name "litellm"), mirroring how google-beta ships google_*.
resp.TypeName = "litellm"
resp.Version = p.version
}
+5 -5
@@ -1,17 +1,17 @@
terraform {
required_providers {
litellmvaultsecret = {
litellm = {
source = "git.unkin.net/unkin/litellmvaultsecret"
}
}
}
provider "litellmvaultsecret" {
provider "litellm" {
address = "http://127.0.0.1:8200"
token = "root"
}
resource "litellmvaultsecret_secret_backend" "litellm" {
resource "litellm_secret_backend" "litellm" {
path = "litellm"
description = "LiteLLM dynamic virtual keys (e2e)"
# Reachable from inside the vault container, where the plugin runs.
@@ -19,8 +19,8 @@ resource "litellmvaultsecret_secret_backend" "litellm" {
master_key = "sk-master-e2e-1234"
}
resource "litellmvaultsecret_secret_backend_role" "team_a" {
backend = litellmvaultsecret_secret_backend.litellm.path
resource "litellm_secret_backend_role" "team_a" {
backend = litellm_secret_backend.litellm.path
name = "team-a"
models = ["gpt-3.5-turbo"]
max_budget = 10