From 71789f9f329042c1747d82972a1496d6fc026f1c Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sat, 7 Mar 2026 11:06:27 +1100
Subject: [PATCH] feat: add rpmbuilder k8s role - create rpmbuilder role - enable access to gitea/github ro-tokens - enable access to rpmbuilder role from woodpeckerci
---
 config/auth_kubernetes_role/k8s/au/syd1/rpmbuilder.yaml | 8 ++++++++
 .../gitea/unkinben/tokens/read-only-packages/read.yaml | 2 +-
 .../github/neoloc/tokens/read-only-token/read.yaml | 2 +-
 3 files changed, 10 insertions(+), 2 deletions(-)
 create mode 100644 config/auth_kubernetes_role/k8s/au/syd1/rpmbuilder.yaml
diff --git a/config/auth_kubernetes_role/k8s/au/syd1/rpmbuilder.yaml b/config/auth_kubernetes_role/k8s/au/syd1/rpmbuilder.yaml
new file mode 100644
index 0000000..5e5889a
--- /dev/null
+++ b/config/auth_kubernetes_role/k8s/au/syd1/rpmbuilder.yaml
@@ -0,0 +1,8 @@
+# rpmbuilder is deployed in woodpeckerci
+bound_service_account_names:
+ - default
+bound_service_account_namespaces:
+ - woodpecker
+token_ttl: 600
+token_max_ttl: 600
+audience: vault
diff --git a/policies/kv/service/gitea/unkinben/tokens/read-only-packages/read.yaml b/policies/kv/service/gitea/unkinben/tokens/read-only-packages/read.yaml
index 354fead..bed87a6 100644
--- a/policies/kv/service/gitea/unkinben/tokens/read-only-packages/read.yaml
+++ b/policies/kv/service/gitea/unkinben/tokens/read-only-packages/read.yaml
@@ -9,4 +9,4 @@ auth:
 approle:
 - rpmbuilder
 k8s/au/syd1:
- - woodpecker
+ - rpmbuilder
diff --git a/policies/kv/service/github/neoloc/tokens/read-only-token/read.yaml b/policies/kv/service/github/neoloc/tokens/read-only-token/read.yaml
index 1cb2085..6f06cc2 100644
--- a/policies/kv/service/github/neoloc/tokens/read-only-token/read.yaml
+++ b/policies/kv/service/github/neoloc/tokens/read-only-token/read.yaml
@@ -9,4 +9,4 @@ auth:
 approle:
 - rpmbuilder
 k8s/au/syd1:
- - woodpecker
+ - rpmbuilder
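Review bot: The new role in config/auth_kubernetes_role/k8s/au/syd1/rpmbuilder.yaml binds to the `default` service account of the `woodpecker` namespace, which every pod in that namespace runs as unless it names another account. Any workload scheduled there, not only the rpmbuilder job, can therefore log in as this role and read the gitea and github tokens the two policy hunks grant to it. Give the rpmbuilder workload its own service account and bind the role to that instead, for example `bound_service_account_names:` followed by `  - rpmbuilder` (the account name is a suggestion), and extend the header comment to say which workload and service account the role is meant for. The 600-second `token_ttl`/`token_max_ttl` and the `audience: vault` binding are sensible and should stay.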
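Review bot: Replacing `woodpecker` with `rpmbuilder` under `k8s/au/syd1` in the gitea read-only-packages read.yaml, and identically in the github neoloc read-only-token read.yaml hunk, narrows access only if the rpmbuilder role is bound more tightly than the woodpecker role was. The woodpecker role definition is not part of this patch, so this should be confirmed; with the new role bound to `default` in the `woodpecker` namespace, the set of pods able to read these tokens may be unchanged. The `approle:` grant for `rpmbuilder` remains as context in both files: if the Kubernetes role replaces that login path, remove the AppRole entry in a follow-up so each token has a single access path, otherwise add a one-line comment naming the consumer that still needs it. The `auth:` mapping starts outside both hunks.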