policies: let terraform-authentik read its provider API token
ci/woodpecker/pr/plan Pipeline was successful
ci/woodpecker/pr/pre-commit Pipeline was successful

Grant the terraform_authentik approle / woodpecker_terraform_authentik
k8s role read on kv/data/service/terraform/authentik so the Makefile can
export TF_VAR_authentik_token for the authentik provider.
This commit is contained in:
2026-07-06 23:32:49 +10:00
parent f2c54888de
commit d2c8b3d18c
+7 -4
View File
@@ -1,9 +1,12 @@
# Allow the Terraform Authentik runner to read OAuth2/OIDC client secrets that # Allow the Terraform Authentik runner to read:
# back authentik providers. Secrets live under each target service's kv # - its own Authentik API token (provider auth), and
# namespace path (kv/kubernetes/namespace/<ns>/default/oauth-credentials) and # - OAuth2/OIDC client secrets that back authentik providers (per target
# are read by the module's data.vault_kv_secret_v2 lookups. # service's kv namespace path, via the module's data.vault_kv_secret_v2).
--- ---
rules: rules:
- path: "kv/data/service/terraform/authentik"
capabilities:
- read
- path: "kv/data/kubernetes/namespace/+/default/oauth-credentials" - path: "kv/data/kubernetes/namespace/+/default/oauth-credentials"
capabilities: capabilities:
- read - read