policies: let terraform-authentik read its provider API token (#82)
ci/woodpecker/push/apply Pipeline was successful
ci/woodpecker/push/apply Pipeline was successful
## Why terraform-authentik's provider needs an Authentik API token (`TF_VAR_authentik_token`), now sourced from Vault at `kv/service/terraform/authentik` (Makefile wiring in terraform-authentik #2). The CI role needs read access to that path. ## Change Extend `policies/kv/service/terraform/authentik.yaml` to also grant read on `kv/data/service/terraform/authentik` for the `terraform_authentik` approle + `woodpecker_terraform_authentik` k8s role. Reviewed-on: #82 Co-authored-by: Ben Vincent <ben@unkin.net> Co-committed-by: Ben Vincent <ben@unkin.net>
This commit was merged in pull request #82.
This commit is contained in:
@@ -1,9 +1,12 @@
|
|||||||
# Allow the Terraform Authentik runner to read OAuth2/OIDC client secrets that
|
# Allow the Terraform Authentik runner to read:
|
||||||
# back authentik providers. Secrets live under each target service's kv
|
# - its own Authentik API token (provider auth), and
|
||||||
# namespace path (kv/kubernetes/namespace/<ns>/default/oauth-credentials) and
|
# - OAuth2/OIDC client secrets that back authentik providers (per target
|
||||||
# are read by the module's data.vault_kv_secret_v2 lookups.
|
# service's kv namespace path, via the module's data.vault_kv_secret_v2).
|
||||||
---
|
---
|
||||||
rules:
|
rules:
|
||||||
|
- path: "kv/data/service/terraform/authentik"
|
||||||
|
capabilities:
|
||||||
|
- read
|
||||||
- path: "kv/data/kubernetes/namespace/+/default/oauth-credentials"
|
- path: "kv/data/kubernetes/namespace/+/default/oauth-credentials"
|
||||||
capabilities:
|
capabilities:
|
||||||
- read
|
- read
|
||||||
|
|||||||
Reference in New Issue
Block a user