diff --git a/.woodpecker/plan.yaml b/.woodpecker/plan.yaml
new file mode 100644
index 0000000..e3a390a
--- /dev/null
+++ b/.woodpecker/plan.yaml
@@ -0,0 +1,21 @@
+when:
+ - event: pull_request
+steps:
+ - name: plan
+ image: git.unkin.net/unkin/almalinux9-opentofu:20260308
+ environment:
+ VAULT_AUTH_METHOD: kubernetes
+ commands:
+ - dnf install vault -y
+ - make plan
+ backend_options:
+ kubernetes:
+ serviceAccountName: terraform-vault
+ resources:
+ requests:
+ memory: 512Mi
+ cpu: 1
+ limits:
+ memory: 2Gi
+ cpu: 2
diff --git a/.woodpecker/pre-commit.yaml b/.woodpecker/pre-commit.yaml
index 00d1f7d..eb8b331 100644
--- a/.woodpecker/pre-commit.yaml
+++ b/.woodpecker/pre-commit.yaml
@@ -6,3 +6,13 @@ steps:
 image: git.unkin.net/unkin/almalinux9-opentofu:20260308
 commands:
 - uvx pre-commit run --all-files
+ backend_options:
+ kubernetes:
+ serviceAccountName: default
+ resources:
+ requests:
+ memory: 512Mi
+ cpu: 1
+ limits:
+ memory: 2Gi
+ cpu: 2
diff --git a/Makefile b/Makefile
index f015a2a..fa455f4 100644
--- a/Makefile
+++ b/Makefile
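Review bot: `- dnf install vault -y` fetches an unpinned Vault CLI from the network on every `pull_request` run, immediately before that CLI is handed the pod's service-account token and used to mint the Vault token the rest of the job runs with; a substituted or tampered package in the configured repo lands in exactly the wrong process. Bake the CLI into `almalinux9-opentofu` (the image is already built and date-tagged in-house) or at minimum pin the package version and rely on dnf's GPG check, rather than installing at run time. Also note the trigger: because this runs on `pull_request` as `serviceAccountName: terraform-vault`, whoever can open a PR can edit `commands:` or the Makefile and execute arbitrary code with that identity's Vault policies, so this repo should have Woodpecker's approval gate for PRs from untrusted contributors enabled (not visible in the diff) before the pipeline is merged.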
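Review bot: `serviceAccountName: default` runs the pre-commit step, which executes whatever hooks the pull request's `.pre-commit-config.yaml` declares, under the namespace's default service account, whose token Kubernetes still auto-mounts into the pod unless `automountServiceAccountToken: false` is set on the account or the pod. Confirm the `default` account in the `woodpecker` namespace has no role bindings and automount disabled, or use a dedicated no-privilege account for untrusted steps; the new `k8s/au/syd1` role binds only `terraform-vault`, so the Vault side is already closed to it.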
@@ -1,10 +1,19 @@
 .PHONY: init plan apply format
+VAULT_AUTH_METHOD ?= approle
+VAULT_K8S_ROLE ?= woodpecker_terraform_vault
+VAULT_K8S_MOUNT ?= auth/k8s/au/syd1
+VAULT_K8S_JWT_PATH ?= /var/run/secrets/kubernetes.io/serviceaccount/token
 # Define vault_env function to set up vault environment
 define vault_env
 @export VAULT_ADDR="https://vault.service.consul:8200" && \
-export VAULT_TOKEN=$$(vault write -field=token auth/approle/login role_id=$$VAULT_ROLEID) && \
-export CONSUL_HTTP_TOKEN=$$(vault read -format=json consul_root/au/syd1/creds/terraform-vault | jq '.data.token')
+if [ "$(VAULT_AUTH_METHOD)" = "kubernetes" ]; then \
+export VAULT_TOKEN=$$(vault write -field=token $(VAULT_K8S_MOUNT)/login role=$(VAULT_K8S_ROLE) jwt=$$(cat $(VAULT_K8S_JWT_PATH))); \
+else \
+export VAULT_TOKEN=$$(vault write -field=token auth/approle/login role_id=$$VAULT_ROLEID); \
+fi && \
+export CONSUL_HTTP_TOKEN=$$(vault read -field=token consul_root/au/syd1/creds/terraform-vault)
 endef
 init:
diff --git a/config/auth_kubernetes_role/k8s/au/syd1/woodpecker_terraform_vault.yaml b/config/auth_kubernetes_role/k8s/au/syd1/woodpecker_terraform_vault.yaml
new file mode 100644
index 0000000..f68f3ef
--- /dev/null
+++ b/config/auth_kubernetes_role/k8s/au/syd1/woodpecker_terraform_vault.yaml
@@ -0,0 +1,7 @@
+bound_service_account_names:
+ - terraform-vault
+bound_service_account_namespaces:
+ - woodpecker
+token_ttl: 600
+token_max_ttl: 600
+audience: https://kubernetes.default.svc.cluster.local
diff --git a/policies/auth/approle/admin.yaml b/policies/auth/approle/admin.yaml
index e61852c..8a349b9 100644
--- a/policies/auth/approle/admin.yaml
+++ b/policies/auth/approle/admin.yaml
@@ -12,3 +12,5 @@ rules:
 auth:
 approle:
 - tf_vault
+ k8s/au/syd1:
+ - woodpecker_terraform_vault
diff --git a/policies/auth/approle/login.yaml b/policies/auth/approle/login.yaml
index b4fb933..677ec83 100644
--- a/policies/auth/approle/login.yaml
+++ b/policies/auth/approle/login.yaml
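Review bot: `jwt=$$(cat $(VAULT_K8S_JWT_PATH))` puts the service-account token on the `vault write` argv, where it is readable via `/proc/<pid>/cmdline` by anything sharing the pod's PID namespace and shows up in any shell trace or CI log that echoes commands; the `role_id=$$VAULT_ROLEID` line in the else branch has the same exposure. `vault write` reads a value from a file when it is prefixed with `@`, so `jwt=@$(VAULT_K8S_JWT_PATH)` removes both the subshell and the argv leak. Separately, `export VAR=$$(...)` returns the exit status of `export`, not of the substitution, so a failed login does not stop the `&&` chain; `VAULT_TOKEN` ends up empty and the error surfaces later as a permission failure on `vault read` — assign first and then `[ -n "$$VAULT_TOKEN" ]`, or export on a separate line, so the chain fails at the login. The `define`/`endef` is complete in this hunk; the targets that expand `vault_env` are outside it.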
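Review bot: `audience: https://kubernetes.default.svc.cluster.local` matches the API-server audience of the token Kubernetes auto-mounts at `/var/run/secrets/kubernetes.io/serviceaccount/token` (the Makefile's `VAULT_K8S_JWT_PATH` default), so the credential presented to Vault at login is the same one that authenticates `terraform-vault` to the Kubernetes API, and anything that captures it on the Vault side can reuse it against the cluster. If the runner can mount a projected service-account token with a dedicated audience (presumably via the step's `backend_options`; not visible here), set `audience: vault` here and point `VAULT_K8S_JWT_PATH` at that mount so the login token is useless outside Vault. `token_max_ttl: 600` with no renewal also bounds the login token and the Consul token leased under it to ten minutes, which is fine for a plan but worth a comment, e.g. `# 10 min hard cap: plan-only role, no renewal`, since a slow plan will lose its Consul token mid-run.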
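Review bot: This hunk and the ~40 sibling policy hunks attach `woodpecker_terraform_vault` to every policy `tf_vault` holds, including the `*/admin` policies for `sys/policy`, `sys/auth`, `sys/mounts`, `pki_root`, `sshca` and `transit`, yet the only consumer of the role in this diff is `.woodpecker/plan.yaml`, which runs on `pull_request`. A plan needs read/list on the managed paths plus the Consul credential lease, not write on auth mounts, root CAs or policies, so a separate read-only role for PR plans would keep this policy set for whichever identity runs apply (not in this diff). Capabilities are inferred from file names only; the policy bodies are outside the hunk.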
@@ -8,3 +8,5 @@ rules:
 auth:
 approle:
 - tf_vault
+ k8s/au/syd1:
+ - woodpecker_terraform_vault
diff --git a/policies/auth/k8s/au/syd1/admin.yaml b/policies/auth/k8s/au/syd1/admin.yaml
index 2754b5a..4f24095 100644
--- a/policies/auth/k8s/au/syd1/admin.yaml
+++ b/policies/auth/k8s/au/syd1/admin.yaml
@@ -21,3 +21,5 @@ rules:
 auth:
 approle:
 - tf_vault
+ k8s/au/syd1:
+ - woodpecker_terraform_vault
diff --git a/policies/auth/ldap/admin.yaml b/policies/auth/ldap/admin.yaml
index 9d3637c..9674887 100644
--- a/policies/auth/ldap/admin.yaml
+++ b/policies/auth/ldap/admin.yaml
@@ -12,3 +12,5 @@ rules:
 auth:
 approle:
 - tf_vault
+ k8s/au/syd1:
+ - woodpecker_terraform_vault
diff --git a/policies/auth/token/create.yaml b/policies/auth/token/create.yaml
index e9cdaf9..62bd07f 100644
--- a/policies/auth/token/create.yaml
+++ b/policies/auth/token/create.yaml
@@ -15,3 +15,5 @@ rules:
 auth:
 approle:
 - tf_vault
+ k8s/au/syd1:
+ - woodpecker_terraform_vault
diff --git a/policies/auth/token/lookup.yaml b/policies/auth/token/lookup.yaml
index 4f883bb..63651a8 100644
--- a/policies/auth/token/lookup.yaml
+++ b/policies/auth/token/lookup.yaml
@@ -9,3 +9,5 @@ rules:
 auth:
 approle:
 - tf_vault
+ k8s/au/syd1:
+ - woodpecker_terraform_vault
diff --git a/policies/auth/token/renew.yaml b/policies/auth/token/renew.yaml
index 2699f8a..16ec0b5 100644
--- a/policies/auth/token/renew.yaml
+++ b/policies/auth/token/renew.yaml
@@ -8,3 +8,5 @@ rules:
 auth:
 approle:
 - tf_vault
+ k8s/au/syd1:
+ - woodpecker_terraform_vault
diff --git a/policies/auth/token/roles/admin.yaml b/policies/auth/token/roles/admin.yaml
index dcf1ba7..ffcdbfa 100644
--- a/policies/auth/token/roles/admin.yaml
+++ b/policies/auth/token/roles/admin.yaml
@@ -12,3 +12,5 @@ rules:
 auth:
 approle:
 - tf_vault
+ k8s/au/syd1:
+ - woodpecker_terraform_vault
diff --git a/policies/auth/token/self.yaml b/policies/auth/token/self.yaml
index 4d94d9a..3a10223 100644
--- a/policies/auth/token/self.yaml
+++ b/policies/auth/token/self.yaml
@@ -14,3 +14,5 @@ rules:
 auth:
 approle:
 - tf_vault
+ k8s/au/syd1:
+ - woodpecker_terraform_vault
diff --git a/policies/consul_root/au/syd1/config/admin.yaml b/policies/consul_root/au/syd1/config/admin.yaml
index e974120..db18534 100644
--- a/policies/consul_root/au/syd1/config/admin.yaml
+++ b/policies/consul_root/au/syd1/config/admin.yaml
@@ -12,3 +12,5 @@ rules:
 auth:
 approle:
 - tf_vault
+ k8s/au/syd1:
+ - woodpecker_terraform_vault
diff --git a/policies/consul_root/au/syd1/creds/terraform-vault.yaml b/policies/consul_root/au/syd1/creds/terraform-vault.yaml
index 0980e77..7f4554a 100644
--- a/policies/consul_root/au/syd1/creds/terraform-vault.yaml
+++ b/policies/consul_root/au/syd1/creds/terraform-vault.yaml
@@ -8,3 +8,5 @@ rules:
 auth:
 approle:
 - tf_vault
+ k8s/au/syd1:
+ - woodpecker_terraform_vault
diff --git a/policies/consul_root/au/syd1/roles/admin.yaml b/policies/consul_root/au/syd1/roles/admin.yaml
index f7feaeb..741d8f1 100644
--- a/policies/consul_root/au/syd1/roles/admin.yaml
+++ b/policies/consul_root/au/syd1/roles/admin.yaml
@@ -12,3 +12,5 @@ rules:
 auth:
 approle:
 - tf_vault
+ k8s/au/syd1:
+ - woodpecker_terraform_vault
diff --git a/policies/kubernetes/au/config_admin.yaml b/policies/kubernetes/au/config_admin.yaml
index 64387f3..70d5909 100644
--- a/policies/kubernetes/au/config_admin.yaml
+++ b/policies/kubernetes/au/config_admin.yaml
@@ -12,3 +12,5 @@ rules:
 auth:
 approle:
 - tf_vault
+ k8s/au/syd1:
+ - woodpecker_terraform_vault
diff --git a/policies/kubernetes/au/roles_admin.yaml b/policies/kubernetes/au/roles_admin.yaml
index d540655..fe9c369 100644
--- a/policies/kubernetes/au/roles_admin.yaml
+++ b/policies/kubernetes/au/roles_admin.yaml
@@ -15,3 +15,5 @@ rules:
 auth:
 approle:
 - tf_vault
+ k8s/au/syd1:
+ - woodpecker_terraform_vault
diff --git a/policies/kubernetes/au/syd1/creds/media-apps-operator.yaml b/policies/kubernetes/au/syd1/creds/media-apps-operator.yaml
index cd1604f..31bec9e 100644
--- a/policies/kubernetes/au/syd1/creds/media-apps-operator.yaml
+++ b/policies/kubernetes/au/syd1/creds/media-apps-operator.yaml
@@ -8,3 +8,5 @@ rules:
 auth:
 approle:
 - tf_vault
+ k8s/au/syd1:
+ - woodpecker_terraform_vault
diff --git a/policies/kv/config/admin.yaml b/policies/kv/config/admin.yaml
index f43cf73..1a95efd 100644
--- a/policies/kv/config/admin.yaml
+++ b/policies/kv/config/admin.yaml
@@ -12,3 +12,5 @@ rules:
 auth:
 approle:
 - tf_vault
+ k8s/au/syd1:
+ - woodpecker_terraform_vault
diff --git a/policies/kv/service/glauth/services/svc_vault/read.yaml b/policies/kv/service/glauth/services/svc_vault/read.yaml
index a9cf6c7..d662bad 100644
--- a/policies/kv/service/glauth/services/svc_vault/read.yaml
+++ b/policies/kv/service/glauth/services/svc_vault/read.yaml
@@ -9,3 +9,5 @@ rules:
 auth:
 approle:
 - tf_vault
+ k8s/au/syd1:
+ - woodpecker_terraform_vault
diff --git a/policies/kv/service/kubernetes/au/syd1/service_account_jwt/read.yaml b/policies/kv/service/kubernetes/au/syd1/service_account_jwt/read.yaml
index 74a3493..67e443b 100644
--- a/policies/kv/service/kubernetes/au/syd1/service_account_jwt/read.yaml
+++ b/policies/kv/service/kubernetes/au/syd1/service_account_jwt/read.yaml
@@ -8,3 +8,5 @@ rules:
 auth:
 approle:
 - tf_vault
+ k8s/au/syd1:
+ - woodpecker_terraform_vault
diff --git a/policies/kv/service/kubernetes/au/syd1/token_reviewer_jwt/read.yaml b/policies/kv/service/kubernetes/au/syd1/token_reviewer_jwt/read.yaml
index 1cdfae5..289726b 100644
--- a/policies/kv/service/kubernetes/au/syd1/token_reviewer_jwt/read.yaml
+++ b/policies/kv/service/kubernetes/au/syd1/token_reviewer_jwt/read.yaml
@@ -8,3 +8,5 @@ rules:
 auth:
 approle:
 - tf_vault
+ k8s/au/syd1:
+ - woodpecker_terraform_vault
diff --git a/policies/kv/service/vault/auth_approle_roles_read.yaml b/policies/kv/service/vault/auth_approle_roles_read.yaml
index fb743a8..330f630 100644
--- a/policies/kv/service/vault/auth_approle_roles_read.yaml
+++ b/policies/kv/service/vault/auth_approle_roles_read.yaml
@@ -9,3 +9,5 @@ rules:
 auth:
 approle:
 - tf_vault
+ k8s/au/syd1:
+ - woodpecker_terraform_vault
diff --git a/policies/kv/service/vault/auth_backends_read.yaml b/policies/kv/service/vault/auth_backends_read.yaml
index 91e9451..61fff25 100644
--- a/policies/kv/service/vault/auth_backends_read.yaml
+++ b/policies/kv/service/vault/auth_backends_read.yaml
@@ -9,3 +9,5 @@ rules:
 auth:
 approle:
 - tf_vault
+ k8s/au/syd1:
+ - woodpecker_terraform_vault
diff --git a/policies/kv/service/vault/secret_backends_read.yaml b/policies/kv/service/vault/secret_backends_read.yaml
index a6f9259..db8a93d 100644
--- a/policies/kv/service/vault/secret_backends_read.yaml
+++ b/policies/kv/service/vault/secret_backends_read.yaml
@@ -9,3 +9,5 @@ rules:
 auth:
 approle:
 - tf_vault
+ k8s/au/syd1:
+ - woodpecker_terraform_vault
diff --git a/policies/pki/au/syd1/config/admin.yaml b/policies/pki/au/syd1/config/admin.yaml
index 5965236..0dd9152 100644
--- a/policies/pki/au/syd1/config/admin.yaml
+++ b/policies/pki/au/syd1/config/admin.yaml
@@ -12,3 +12,5 @@ rules:
 auth:
 approle:
 - tf_vault
+ k8s/au/syd1:
+ - woodpecker_terraform_vault
diff --git a/policies/pki/au/syd1/issuer/admin.yaml b/policies/pki/au/syd1/issuer/admin.yaml
index e21ee91..abe9927 100644
--- a/policies/pki/au/syd1/issuer/admin.yaml
+++ b/policies/pki/au/syd1/issuer/admin.yaml
@@ -9,3 +9,5 @@ rules:
 auth:
 approle:
 - tf_vault
+ k8s/au/syd1:
+ - woodpecker_terraform_vault
diff --git a/policies/pki/au/syd1/roles/admin.yaml b/policies/pki/au/syd1/roles/admin.yaml
index aff865d..f22963c 100644
--- a/policies/pki/au/syd1/roles/admin.yaml
+++ b/policies/pki/au/syd1/roles/admin.yaml
@@ -12,3 +12,5 @@ rules:
 auth:
 approle:
 - tf_vault
+ k8s/au/syd1:
+ - woodpecker_terraform_vault
diff --git a/policies/pki_int/config/admin.yaml b/policies/pki_int/config/admin.yaml
index f63d28d..d06c665 100644
--- a/policies/pki_int/config/admin.yaml
+++ b/policies/pki_int/config/admin.yaml
@@ -12,3 +12,5 @@ rules:
 auth:
 approle:
 - tf_vault
+ k8s/au/syd1:
+ - woodpecker_terraform_vault
diff --git a/policies/pki_int/issuer/admin.yaml b/policies/pki_int/issuer/admin.yaml
index 3501baa..7bd3c07 100644
--- a/policies/pki_int/issuer/admin.yaml
+++ b/policies/pki_int/issuer/admin.yaml
@@ -9,3 +9,5 @@ rules:
 auth:
 approle:
 - tf_vault
+ k8s/au/syd1:
+ - woodpecker_terraform_vault
diff --git a/policies/pki_int/roles/admin.yaml b/policies/pki_int/roles/admin.yaml
index a0892a8..d52e03d 100644
--- a/policies/pki_int/roles/admin.yaml
+++ b/policies/pki_int/roles/admin.yaml
@@ -12,3 +12,5 @@ rules:
 auth:
 approle:
 - tf_vault
+ k8s/au/syd1:
+ - woodpecker_terraform_vault
diff --git a/policies/pki_root/config/admin.yaml b/policies/pki_root/config/admin.yaml
index 42059e8..80e917d 100644
--- a/policies/pki_root/config/admin.yaml
+++ b/policies/pki_root/config/admin.yaml
@@ -12,3 +12,5 @@ rules:
 auth:
 approle:
 - tf_vault
+ k8s/au/syd1:
+ - woodpecker_terraform_vault
diff --git a/policies/pki_root/issuer/admin.yaml b/policies/pki_root/issuer/admin.yaml
index bdb6a82..cfbcbfa 100644
--- a/policies/pki_root/issuer/admin.yaml
+++ b/policies/pki_root/issuer/admin.yaml
@@ -9,3 +9,5 @@ rules:
 auth:
 approle:
 - tf_vault
+ k8s/au/syd1:
+ - woodpecker_terraform_vault
diff --git a/policies/pki_root/roles/admin.yaml b/policies/pki_root/roles/admin.yaml
index 7f66761..dd62a8c 100644
--- a/policies/pki_root/roles/admin.yaml
+++ b/policies/pki_root/roles/admin.yaml
@@ -12,3 +12,5 @@ rules:
 auth:
 approle:
 - tf_vault
+ k8s/au/syd1:
+ - woodpecker_terraform_vault
diff --git a/policies/rundeck/config/admin.yaml b/policies/rundeck/config/admin.yaml
index 2a63e98..592e99d 100644
--- a/policies/rundeck/config/admin.yaml
+++ b/policies/rundeck/config/admin.yaml
@@ -12,3 +12,5 @@ rules:
 auth:
 approle:
 - tf_vault
+ k8s/au/syd1:
+ - woodpecker_terraform_vault
diff --git a/policies/sshca/config/admin.yaml b/policies/sshca/config/admin.yaml
index abac807..6eba814 100644
--- a/policies/sshca/config/admin.yaml
+++ b/policies/sshca/config/admin.yaml
@@ -12,3 +12,5 @@ rules:
 auth:
 approle:
 - tf_vault
+ k8s/au/syd1:
+ - woodpecker_terraform_vault
diff --git a/policies/sshca/roles/admin.yaml b/policies/sshca/roles/admin.yaml
index 491998d..b620b97 100644
--- a/policies/sshca/roles/admin.yaml
+++ b/policies/sshca/roles/admin.yaml
@@ -12,3 +12,5 @@ rules:
 auth:
 approle:
 - tf_vault
+ k8s/au/syd1:
+ - woodpecker_terraform_vault
diff --git a/policies/sys/auth/admin.yaml b/policies/sys/auth/admin.yaml
index a8c9e1f..026a0d7 100644
--- a/policies/sys/auth/admin.yaml
+++ b/policies/sys/auth/admin.yaml
@@ -12,3 +12,5 @@ rules:
 auth:
 approle:
 - tf_vault
+ k8s/au/syd1:
+ - woodpecker_terraform_vault
diff --git a/policies/sys/mounts/admin.yaml b/policies/sys/mounts/admin.yaml
index 6176a09..6c3c938 100644
--- a/policies/sys/mounts/admin.yaml
+++ b/policies/sys/mounts/admin.yaml
@@ -20,3 +20,5 @@ rules:
 auth:
 approle:
 - tf_vault
+ k8s/au/syd1:
+ - woodpecker_terraform_vault
diff --git a/policies/sys/policy/admin.yaml b/policies/sys/policy/admin.yaml
index 6c86dd7..2b54f03 100644
--- a/policies/sys/policy/admin.yaml
+++ b/policies/sys/policy/admin.yaml
@@ -16,3 +16,5 @@ rules:
 auth:
 approle:
 - tf_vault
+ k8s/au/syd1:
+ - woodpecker_terraform_vault
diff --git a/policies/transit/keys/admin.yaml b/policies/transit/keys/admin.yaml
index c1ce9dd..634cd2c 100644
--- a/policies/transit/keys/admin.yaml
+++ b/policies/transit/keys/admin.yaml
@@ -16,3 +16,5 @@ rules:
 auth:
 approle:
 - tf_vault
+ k8s/au/syd1:
+ - woodpecker_terraform_vault
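Review bot: The `policies/sys/policy/admin.yaml` grant is the one in this diff to scrutinise hardest: a token that can write ACL policies can rewrite the bodies of its own attached policies, so every narrower grant here is advisory once this one lands, and the role's only consumer in the diff is a `pull_request`-triggered plan step. If plans only need to diff policy documents, a read/list-only policy on `sys/policies/acl/*` suffices; keep write for the identity that runs apply. Capabilities are inferred from the file name since the policy body is outside the hunk, and the neighbouring `sys/auth` and `sys/mounts` admin grants deserve the same treatment.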