From dd44146d88caef0e36a5bcbf871063a736d11052 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 22 Feb 2026 19:15:48 +1100
Subject: [PATCH] feat: add woodpecker secrets

- add secrets required to integrate woodpecker into gitea/pgsql
---
 .../auth_kubernetes_role/k8s/au/syd1/woodpecker.yaml | 6 ++++++
 .../woodpecker/woodpecker-database-config/read.yaml | 10 ++++++++++
 .../kv/service/woodpecker/woodpecker-gitea/read.yaml | 10 ++++++++++
 .../woodpecker-postgres-credentials/read.yaml | 10 ++++++++++
 4 files changed, 36 insertions(+)
 create mode 100644 config/auth_kubernetes_role/k8s/au/syd1/woodpecker.yaml
 create mode 100644 policies/kv/service/woodpecker/woodpecker-database-config/read.yaml
 create mode 100644 policies/kv/service/woodpecker/woodpecker-gitea/read.yaml
 create mode 100644 policies/kv/service/woodpecker/woodpecker-postgres-credentials/read.yaml

diff --git a/config/auth_kubernetes_role/k8s/au/syd1/woodpecker.yaml b/config/auth_kubernetes_role/k8s/au/syd1/woodpecker.yaml
new file mode 100644
index 0000000..2dfda00
--- /dev/null
+++ b/config/auth_kubernetes_role/k8s/au/syd1/woodpecker.yaml
@@ -0,0 +1,6 @@
+bound_service_account_names:
+  - default
+bound_service_account_namespaces:
+  - woodpecker
+token_ttl: 600
+audience: vault
diff --git a/policies/kv/service/woodpecker/woodpecker-database-config/read.yaml b/policies/kv/service/woodpecker/woodpecker-database-config/read.yaml
new file mode 100644
index 0000000..d56a1f7
--- /dev/null
+++ b/policies/kv/service/woodpecker/woodpecker-database-config/read.yaml
@@ -0,0 +1,10 @@
+# Allow reading woodpecker/database integration details
+---
+rules:
+  - path: "kv/data/service/woodpecker/woodpecker-database-config"
+    capabilities:
+      - read
+
+auth:
+  k8s/au/syd1:
+    - woodpecker
diff --git a/policies/kv/service/woodpecker/woodpecker-gitea/read.yaml b/policies/kv/service/woodpecker/woodpecker-gitea/read.yaml
new file mode 100644
index 0000000..04506db
--- /dev/null
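Review bot: The Kubernetes auth role in `config/auth_kubernetes_role/k8s/au/syd1/woodpecker.yaml` binds `bound_service_account_names: - default`, so every pod in the `woodpecker` namespace that does not set its own `serviceAccountName` can log in as this role and read everything the three `read.yaml` policies grant, including the Postgres credentials. If Woodpecker's Kubernetes backend schedules pipeline step pods into that same namespace (not visible in this patch, so confirm against the deployment), an arbitrary CI job would inherit that Vault identity. Bind a dedicated service account instead, e.g. `bound_service_account_names:` / `  - woodpecker-server`, using whatever name the server Deployment actually sets. The `token_ttl: 600` and `audience: vault` pins are good and should stay.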
+++ b/policies/kv/service/woodpecker/woodpecker-gitea/read.yaml
@@ -0,0 +1,10 @@
+# Allow reading woodpecker/gitea integration details
+---
+rules:
+  - path: "kv/data/service/woodpecker/woodpecker-gitea"
+    capabilities:
+      - read
+
+auth:
+  k8s/au/syd1:
+    - woodpecker
diff --git a/policies/kv/service/woodpecker/woodpecker-postgres-credentials/read.yaml b/policies/kv/service/woodpecker/woodpecker-postgres-credentials/read.yaml
new file mode 100644
index 0000000..a768269
--- /dev/null
+++ b/policies/kv/service/woodpecker/woodpecker-postgres-credentials/read.yaml
@@ -0,0 +1,10 @@
+# Allow reading woodpecker/postgres integration details
+---
+rules:
+  - path: "kv/data/service/woodpecker/woodpecker-postgres-credentials"
+    capabilities:
+      - read
+
+auth:
+  k8s/au/syd1:
+    - woodpecker
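Review bot: The policy in `policies/kv/service/woodpecker/woodpecker-postgres-credentials/read.yaml` grants read on a static KV secret whose name suggests it holds the database password, which means that password sits unrotated in KV and is handed to every token issued to the `woodpecker` role. If this Vault has a database secrets engine (not visible here), a `database/creds/woodpecker` role would issue short-lived per-login credentials instead; if it must stay static, state the rotation expectation in the header, e.g. `# Static DB credentials: rotate by writing a new KV version and restarting woodpecker-server`. The `read`-only capability on the `kv/data/...` path is appropriately narrow for KV v2 and should be kept as is.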