From 5afd1ad9c1678bad37b27e727ec47dd38782f28f Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 29 Nov 2025 18:00:20 +1100 Subject: [PATCH] feat: add rpmbuilder approle - add rpmbuilder approle - add policies to acces gitea/github read-only tokens --- auth_approle_rpmbuilder.tf | 16 ++++++++++++++++ .../unkinben/tokens/read-only-packages/read.hcl | 3 +++ .../neoloc/tokens/read-only-token/read.hcl | 3 +++ 3 files changed, 22 insertions(+) create mode 100644 auth_approle_rpmbuilder.tf create mode 100644 policies/kv/service/gitea/unkinben/tokens/read-only-packages/read.hcl create mode 100644 policies/kv/service/github/neoloc/tokens/read-only-token/read.hcl
diff --git a/auth_approle_rpmbuilder.tf b/auth_approle_rpmbuilder.tf
new file mode 100644
index 0000000..9a44d0a
--- /dev/null
+++ b/auth_approle_rpmbuilder.tf
@@ -0,0 +1,16 @@
+resource "vault_approle_auth_backend_role" "rpmbuilder" {
+ role_name = "rpmbuilder"
+ bind_secret_id = false
+ token_policies = [
+ "kv/service/github/neoloc/tokens/read-only-token",
+ "kv/service/gitea/unkinben/tokens/read-only-packages",
+ ]
+ token_ttl = 30
+ token_max_ttl = 30
+ token_bound_cidrs = [
+ "10.10.12.200/32",
+ "198.18.25.102/32",
+ "198.18.26.91/32",
+ "198.18.27.40/32",
+ ]
+}
diff --git a/policies/kv/service/gitea/unkinben/tokens/read-only-packages/read.hcl b/policies/kv/service/gitea/unkinben/tokens/read-only-packages/read.hcl
new file mode 100644
index 0000000..e848288
--- /dev/null
+++ b/policies/kv/service/gitea/unkinben/tokens/read-only-packages/read.hcl
@@ -0,0 +1,3 @@
+path "kv/data/service/gitea/unkinben/tokens/read-only-packages" {
+ capabilities = ["read"]
+}
diff --git a/policies/kv/service/github/neoloc/tokens/read-only-token/read.hcl b/policies/kv/service/github/neoloc/tokens/read-only-token/read.hcl
new file mode 100644
index 0000000..0ff450c
--- /dev/null
+++ b/policies/kv/service/github/neoloc/tokens/read-only-token/read.hcl
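Review bot: With `bind_secret_id = false` the only credential the `rpmbuilder` role needs at login is the role_id, so the four `/32` entries in `token_bound_cidrs` are the entire authentication control; whether that is adequate depends on whether anything other than the intended build hosts can reach Vault from those addresses (a shared NAT, a forwarding proxy or load balancer in front of Vault, or reuse of an address after a builder is decommissioned). If a secret_id can be delivered to the builders at provision time, `bind_secret_id = true` together with `secret_id_bound_cidrs` would make the CIDR list a second factor rather than the only one; if it cannot, `token_num_uses = 2` would at least cap each login to the two reads the listed policies allow, assuming a build reads each secret once. Separately, the resource has no comment saying which host each address is, so a later reviewer cannot tell whether `198.18.27.40/32` is still a builder; a trailing comment per entry such as `"10.10.12.200/32", # <builder host name — placeholder>` keeps the list auditable.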
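Review bot: Neither policy file records who the grant is for, so the link between this path and the `rpmbuilder` AppRole that lists it in `token_policies` exists only in `auth_approle_rpmbuilder.tf`; the same applies to the github `read-only-token` policy in the next hunk. A header comment such as `# Consumer: rpmbuilder AppRole (auth_approle_rpmbuilder.tf). Read on the data endpoint only; metadata, delete and destroy stay denied.` makes the intent reviewable as the set of consumers grows. Note also that `read` on a KV v2 `kv/data/...` path returns earlier versions on request via the `version` query parameter, so when the upstream Gitea token is rotated the superseded value stays readable by this role until that version is destroyed; worth stating in the same comment if destroying old versions is not already part of the rotation procedure.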
@@ -0,0 +1,3 @@
+path "kv/data/service/github/neoloc/tokens/read-only-token" {
+ capabilities = ["read"]
+}