Add auth and state access for terraform-authentik
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline failed

- K8s auth role for Woodpecker CI (terraform-authentik SA)
- AppRole for local runs
- Consul secret backend role for state storage
- Consul ACL policy for infra/terraform/authentik/ key prefix
- Vault policy granting creds access to both auth methods
This commit is contained in:
2026-06-28 00:58:12 +10:00
parent be9bd96cf3
commit 7d9e76bf74
5 changed files with 39 additions and 0 deletions
@@ -0,0 +1,9 @@
token_ttl: 120
token_max_ttl: 120
bind_secret_id: false
token_bound_cidrs:
- "10.10.12.200/32"
- "198.18.25.102/32"
- "198.18.26.91/32"
- "198.18.27.40/32"
use_deterministic_role_id: true
@@ -0,0 +1,7 @@
bound_service_account_names:
- terraform-authentik
bound_service_account_namespaces:
- woodpecker
token_ttl: 600
token_max_ttl: 600
audience: https://kubernetes.default.svc.cluster.local
@@ -0,0 +1,5 @@
consul_roles:
- terraform-authentik
ttl: 120
max_ttl: 300
datacenters: []
@@ -0,0 +1,11 @@
---
rules:
- path: "consul_root/au/syd1/creds/terraform-authentik"
capabilities:
- read
auth:
approle:
- terraform_authentik
k8s/au/syd1:
- woodpecker_terraform_authentik
@@ -0,0 +1,7 @@
key_prefix "infra/terraform/authentik/" {
policy = "write"
}
session_prefix "" {
policy = "write"
}