policies: let terraform-authentik read oauth client secrets from kv
The terraform-authentik module now reads OAuth2 client secrets from Vault (data.vault_kv_secret_v2) instead of committing them, but the terraform_authentik approle / woodpecker_terraform_authentik k8s role only had the consul creds policy, so plan failed with permission denied. Grant read on kv/data/kubernetes/namespace/+/default/oauth-credentials so the runner can read the client secret for any namespace's OIDC provider (e.g. grafana).
This commit is contained in:
@@ -0,0 +1,15 @@
|
|||||||
|
# Allow the Terraform Authentik runner to read OAuth2/OIDC client secrets that
|
||||||
|
# back authentik providers. Secrets live under each target service's kv
|
||||||
|
# namespace path (kv/kubernetes/namespace/<ns>/default/oauth-credentials) and
|
||||||
|
# are read by the module's data.vault_kv_secret_v2 lookups.
|
||||||
|
---
|
||||||
|
rules:
|
||||||
|
- path: "kv/data/kubernetes/namespace/+/default/oauth-credentials"
|
||||||
|
capabilities:
|
||||||
|
- read
|
||||||
|
|
||||||
|
auth:
|
||||||
|
approle:
|
||||||
|
- terraform_authentik
|
||||||
|
k8s/au/syd1:
|
||||||
|
- woodpecker_terraform_authentik
|
||||||
Reference in New Issue
Block a user