From e01deb13d6d7ab80766d0487e44dd46602921c8c Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Mon, 6 Jul 2026 22:20:40 +1000 Subject: [PATCH] policies: let terraform-authentik read oauth client secrets from kv The terraform-authentik module now reads OAuth2 client secrets from Vault (data.vault_kv_secret_v2) instead of committing them, but the terraform_authentik approle / woodpecker_terraform_authentik k8s role only had the consul creds policy, so plan failed with permission denied. Grant read on kv/data/kubernetes/namespace/+/default/oauth-credentials so the runner can read the client secret for any namespace's OIDC provider (e.g. grafana). --- policies/kv/service/terraform/authentik.yaml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 policies/kv/service/terraform/authentik.yaml diff --git a/policies/kv/service/terraform/authentik.yaml b/policies/kv/service/terraform/authentik.yaml new file mode 100644 index 0000000..29adda4 --- /dev/null +++ b/policies/kv/service/terraform/authentik.yaml @@ -0,0 +1,15 @@ +# Allow the Terraform Authentik runner to read OAuth2/OIDC client secrets that +# back authentik providers. Secrets live under each target service's kv +# namespace path (kv/kubernetes/namespace//default/oauth-credentials) and +# are read by the module's data.vault_kv_secret_v2 lookups. +--- +rules: + - path: "kv/data/kubernetes/namespace/+/default/oauth-credentials" + capabilities: + - read + +auth: + approle: + - terraform_authentik + k8s/au/syd1: + - woodpecker_terraform_authentik