Merge pull request 'feat: add plan workflow' (#69) from benvin/make-plan-buildwq into master

Reviewed-on: #69
This commit was merged in pull request #69.
2026-05-21 23:54:07 +10:00
42 changed files with 125 additions and 2 deletions
+21
@@ -0,0 +1,21 @@
when:
- event: pull_request
steps:
- name: plan
image: git.unkin.net/unkin/almalinux9-opentofu:20260308
environment:
VAULT_AUTH_METHOD: kubernetes
commands:
- dnf install vault -y
- make plan
backend_options:
kubernetes:
serviceAccountName: terraform-vault
resources:
requests:
memory: 512Mi
cpu: 1
limits:
memory: 2Gi
cpu: 2
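Review bot: The `plan` step runs `make plan` from the pull request's own checkout while the pod uses `serviceAccountName: terraform-vault`, so whoever can open a pull request controls the Makefile that logs in to Vault with that identity. Whether untrusted contributors or forks can trigger this workflow is not visible here; if they can, the job should be limited to trusted branches or require approval before it runs. Separately, `dnf install vault -y` pulls an unpinned package from the network on every run; baking Vault into the `almalinux9-opentofu` image would make the job reproducible and remove that runtime dependency.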
+10
@@ -6,3 +6,13 @@ steps:
image: git.unkin.net/unkin/almalinux9-opentofu:20260308
commands:
- uvx pre-commit run --all-files
backend_options:
kubernetes:
serviceAccountName: default
resources:
requests:
memory: 512Mi
cpu: 1
limits:
memory: 2Gi
cpu: 2
+11 -2
@@ -1,10 +1,19 @@
.PHONY: init plan apply format
VAULT_AUTH_METHOD ?= approle
VAULT_K8S_ROLE ?= woodpecker_terraform_vault
VAULT_K8S_MOUNT ?= auth/k8s/au/syd1
VAULT_K8S_JWT_PATH ?= /var/run/secrets/kubernetes.io/serviceaccount/token
# Define vault_env function to set up vault environment
define vault_env
@export VAULT_ADDR="https://vault.service.consul:8200" && \
export VAULT_TOKEN=$$(vault write -field=token auth/approle/login role_id=$$VAULT_ROLEID) && \
export CONSUL_HTTP_TOKEN=$$(vault read -format=json consul_root/au/syd1/creds/terraform-vault | jq '.data.token')
if [ "$(VAULT_AUTH_METHOD)" = "kubernetes" ]; then \
export VAULT_TOKEN=$$(vault write -field=token $(VAULT_K8S_MOUNT)/login role=$(VAULT_K8S_ROLE) jwt=$$(cat $(VAULT_K8S_JWT_PATH))); \
else \
export VAULT_TOKEN=$$(vault write -field=token auth/approle/login role_id=$$VAULT_ROLEID); \
fi && \
export CONSUL_HTTP_TOKEN=$$(vault read -field=token consul_root/au/syd1/creds/terraform-vault)
endef
init:
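Review bot: In the kubernetes branch of `vault_env`, `jwt=$$(cat $(VAULT_K8S_JWT_PATH))` expands the service-account token onto the `vault write` command line, where other processes in the container can read it from the process list while the login runs. The Vault CLI can read a value from a file itself, so `jwt=@$(VAULT_K8S_JWT_PATH)` keeps the token out of argv. Any `VAULT_AUTH_METHOD` value other than `kubernetes` also falls through silently to the AppRole login; a comment above the `if`, such as `# any value other than "kubernetes" uses AppRole`, would document that.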
@@ -0,0 +1,7 @@
bound_service_account_names:
- terraform-vault
bound_service_account_namespaces:
- woodpecker
token_ttl: 600
token_max_ttl: 600
audience: https://kubernetes.default.svc.cluster.local
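Review bot: This role is bound only by service-account name and namespace (`terraform-vault` in `woodpecker`), so every pipeline pod that can run as that account receives the same Vault role, not only this repository's plan job. Whether Woodpecker limits which repositories may set `serviceAccountName` in `backend_options` is not visible here and is worth confirming before relying on this binding. A short comment in the file stating which pipelines are expected to use the role would help. With `token_max_ttl: 600`, a plan that runs longer than ten minutes will lose its token mid-run.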
+2
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
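Review bot: Adding `woodpecker_terraform_vault` under `k8s/au/syd1` next to `approle: tf_vault` gives the pull-request plan role the same policy as the existing AppRole, and the same two lines are repeated in every remaining `rules:` hunk on this page. If these policies include write capabilities, which the hunks do not show, a job triggered by a pull request ends up with them too, although a plan should mostly need read access. Consider attaching the Kubernetes role to read-only variants of these policies, or noting in the description why parity with `tf_vault` is required. The rest of each policy file is outside the hunk.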
+2
@@ -8,3 +8,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -21,3 +21,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -15,3 +15,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -9,3 +9,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -8,3 +8,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -14,3 +14,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -8,3 +8,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -15,3 +15,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -8,3 +8,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -9,3 +9,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -8,3 +8,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -8,3 +8,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -9,3 +9,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -9,3 +9,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -9,3 +9,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -9,3 +9,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -9,3 +9,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -9,3 +9,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -20,3 +20,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -16,3 +16,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -16,3 +16,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault