From 132e5ea4d9ab0e816fe88a3aec48145a88264ba0 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Mon, 8 Jun 2026 16:11:58 +1000
Subject: [PATCH] feat: add vault policy for terraform-git webhook secrets

Allow terraform-git to read webhook URLs stored in kv/data/service/gitea/webhook/* via approle and k8s auth.
---
 policies/kv/service/gitea/webhook.yaml | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 policies/kv/service/gitea/webhook.yaml

diff --git a/policies/kv/service/gitea/webhook.yaml b/policies/kv/service/gitea/webhook.yaml
new file mode 100644
index 0000000..b6ea85a
--- /dev/null
+++ b/policies/kv/service/gitea/webhook.yaml
@@ -0,0 +1,11 @@
+---
+rules:
+ - path: "kv/data/service/gitea/webhook/*"
+ capabilities:
+ - read
+
+auth:
+ approle:
+ - terraform_git
+ k8s/au/syd1:
+ - woodpecker_terraform_git
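Review bot: The new policy file carries no comment saying what is stored under `kv/data/service/gitea/webhook/*` or why both the `terraform_git` approle and the `woodpecker_terraform_git` k8s role need it; that rationale exists only in the commit message and is lost to anyone reading the policy tree later. Above `rules:` add `# Read-only access to the Gitea webhook URLs consumed by terraform-git; list and kv/metadata access are intentionally not granted.` The trailing `*` makes every current and future key under `webhook/` readable by both identities, so if either consumer needs only one URL a narrower path per identity would be tighter (the hunk does not show which keys exist, so this is a question rather than a defect). Webhook URLs act as bearer credentials, so reads of this path are worth an audit-log alert once the policy is live.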