policies: let terraform-authentik read oauth client secrets from kv
ci/woodpecker/pr/plan Pipeline was successful
ci/woodpecker/pr/pre-commit Pipeline was successful

The terraform-authentik module now reads OAuth2 client secrets from Vault
(data.vault_kv_secret_v2) instead of committing them, but the
terraform_authentik approle / woodpecker_terraform_authentik k8s role only
had the consul creds policy, so plan failed with permission denied.

Grant read on kv/data/kubernetes/namespace/+/default/oauth-credentials so
the runner can read the client secret for any namespace's OIDC provider
(e.g. grafana).
This commit is contained in:
2026-07-06 22:20:40 +10:00
parent 36d7afbb65
commit e01deb13d6
@@ -0,0 +1,15 @@
# Allow the Terraform Authentik runner to read OAuth2/OIDC client secrets that
# back authentik providers. Secrets live under each target service's kv
# namespace path (kv/kubernetes/namespace/<ns>/default/oauth-credentials) and
# are read by the module's data.vault_kv_secret_v2 lookups.
---
rules:
- path: "kv/data/kubernetes/namespace/+/default/oauth-credentials"
capabilities:
- read
auth:
approle:
- terraform_authentik
k8s/au/syd1:
- woodpecker_terraform_authentik