fix: grant vault deployer access to import + manage the gpg engine
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful

Applying the gpg mount (#87) needs two grants the deployer lacks: it registers
the plugin itself (vault_plugin -> sys/plugins/catalog, sudo-protected) and
manages keys via the gpgvaultsecret provider (gpg/keys/*). The deployer already
has sys/mounts/* but neither of these, so apply would 403 on the plugin
registration and on gpg/keys writes.

- Add policies/gpg/admin.yaml granting create/read/update/delete/sudo on
  sys/plugins/catalog/secret/vault-plugin-secrets-gpg and full management of
  gpg/keys/*, assigned to tf_vault (approle) + woodpecker_terraform_vault
  (k8s/au/syd1), mirroring policies/litellm/admin.yaml (#84).
This commit is contained in:
2026-07-17 22:52:23 +10:00
parent 8bb071ae46
commit 74063d4d8a
+35
View File
@@ -0,0 +1,35 @@
# Allow the vault deployer to import the gpg plugin and manage its OpenPGP keys.
#
# terraform-vault registers the plugin itself (vault_plugin -> sys/plugins/catalog,
# a sudo-protected path) and manages keys via the gpgvaultsecret provider, so the
# deployer needs catalog access on top of the mount access it already has
# (sys/mounts/*). Without this, apply 403s on the plugin registration and on
# gpg/keys writes.
---
rules:
# Import / register (and deregister) the gpg plugin in the catalog.
- path: "sys/plugins/catalog/secret/vault-plugin-secrets-gpg"
capabilities:
- create
- read
- update
- delete
- sudo
# Manage keys (create/rotate/config/delete) in the gpg mount.
- path: "gpg/keys/*"
capabilities:
- create
- read
- update
- delete
- list
- path: "gpg/keys"
capabilities:
- read
- list
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault