unkinben
65f844cbe1
Fix: add policy binding for forgebot K8s auth role
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
Every K8s auth role needs at least one entry in the policy_auth_map.
Add a policy granting the forgebot role read access to the namespace-
scoped KV path, which the operator SA needs when authenticating with
the forgebot role instead of the default role.
2026-06-08 23:00:35 +10:00
benvin
b9632f39e4
Merge branch 'master' into feature/forgebot-vault-access
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline failed
2026-06-08 22:57:54 +10:00
unkinben
bb5f6922fa
feat: add vault policy for terraform-git webhook secrets (#75)
ci/woodpecker/push/apply Pipeline was successful
## Summary
- Add read policy for kv/data/service/gitea/webhook/* path
- Assigned to terraform_git approle and woodpecker_terraform_git k8s auth role
- Webhook URLs are stored in Vault KV and read at plan/apply time
## Test plan
- [ ] Verify terragrunt plan succeeds for terraform-git after merge
Reviewed-on: #75
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-06-08 22:56:30 +10:00
unkinben
f5803605d6
Simplify: use default templated policy for forgebot KV access
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline failed
The default K8s auth policy already provides namespace-scoped access to
kv/data/kubernetes/namespace/{namespace}/{sa}/* via identity templating.
Forgebot secrets should be stored at kv/kubernetes/namespace/forgebot/default/*
instead of kv/service/forgebot/*, eliminating the need for 5 individual
policies. The forgebot K8s auth role is kept for the forgebot-operator SA.
2026-06-08 22:54:58 +10:00
unkinben
2c4d0d7f64
Add Vault access for forgebot service
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was canceled
K8s auth role binding for forgebot namespace (default + forgebot-operator
service accounts) and KV read policies for environment config, LiteLLM
API key, Gitea token, PostgreSQL credentials, and webhook secret.
2026-06-08 22:53:25 +10:00
unkinben
a29ff9fe6a
fix: use gitadmin woodpecker token path
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
2026-06-08 19:08:12 +10:00
unkinben
12680f93cd
feat: replace webhook secrets policy with woodpecker token policy
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
Webhook URLs are now managed by the Woodpecker terraform provider
instead of being stored in Vault. Add read policy for the Woodpecker
API token at kv/data/service/woodpecker/tokens/terraform-git.
2026-06-08 16:17:00 +10:00
unkinben
132e5ea4d9
feat: add vault policy for terraform-git webhook secrets
ci/woodpecker/pr/plan Pipeline failed
ci/woodpecker/pr/pre-commit Pipeline failed
Allow terraform-git to read webhook URLs stored in
kv/data/service/gitea/webhook/* via approle and k8s auth.
2026-06-08 16:11:58 +10:00
benvin
346cf9fa43
feat: manage gitadmin token (#74)
ci/woodpecker/push/apply Pipeline was successful
- add approle for terraform-git
- add policy to read gitadmin token
- update access to the terraform-git consul token
---------
Co-authored-by: Ben Vincent <ben@unkin.net>
Reviewed-on: #74
2026-06-08 15:17:58 +10:00
unkinben
1288057b81
feat: add vault and consul roles for terraform-git (#73)
ci/woodpecker/push/apply Pipeline was successful
## Summary
- Add K8s auth role woodpecker_terraform_git for CI pipeline authentication
- Add consul secret backend role terraform-git for consul state storage tokens
- Add consul ACL policy granting write access to infra/terraform/git/ key prefix
- Add vault policy for reading consul creds at consul_root/au/syd1/creds/terraform-git
## Test plan
- [ ] Verify terragrunt plan succeeds
- [ ] Verify consul ACL policy is created correctly
- [ ] Verify K8s auth role can authenticate from woodpecker namespace
Reviewed-on: #73
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-06-07 20:36:35 +10:00
unkinben
3876fa818d
chore: bump almalinux9 image tags (#72)
ci/woodpecker/push/apply Pipeline was successful
Bump almalinux9 image tags to 20260606
Reviewed-on: #72
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-06-07 00:35:30 +10:00
unkinben
a548bf1cb1
fix: apply requires plan (#71)
ci/woodpecker/push/apply Pipeline was successful
- ensure make plan runs before make apply when deploying
Reviewed-on: #71
2026-05-22 00:03:08 +10:00
unkinben
93ba86baf3
feat: add apply workflow (#70)
ci/woodpecker/push/apply Pipeline was successful
Reviewed-on: #70
2026-05-21 23:57:25 +10:00
unkinben
098830c10b
Merge pull request 'feat: add plan workflow' (#69) from benvin/make-plan-buildwq into master
Reviewed-on: #69
2026-05-21 23:54:07 +10:00
unkinben
9cbac6d3ef
feat: add plan workflow
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
- update makefile to enable kubernetes auth or roleid auth
- add plan workflow
- update all policies to allow the terraform-vault kubernetes role
2026-05-21 23:52:30 +10:00
unkinben
73aaaaeb99
Merge pull request 'chore: enable access to gateway.networking.k8s.io' (#68) from benvin/gatewayapi into master
Reviewed-on: #68
2026-05-21 22:42:28 +10:00
unkinben
7c60a5fd53
chore: enable access to gateway.networking.k8s.io
ci/woodpecker/pr/pre-commit Pipeline was successful
2026-05-21 22:39:57 +10:00
unkinben
27f12f183e
Merge pull request 'chore: change to specific ci image' (#67) from benvin/ci_image into master
Reviewed-on: #67
2026-03-09 01:16:59 +11:00
unkinben
c61434b692
chore: change to specific ci image
ci/woodpecker/pr/pre-commit Pipeline was successful
- almalinux9-opentofu image contains all required tools
2026-03-09 01:14:41 +11:00
unkinben
172ceac2fc
Merge pull request 'feat: add templated policies for kubernetes' (#66) from benvin/kubernetes_structured_paths into master
Reviewed-on: #66
2026-03-08 12:57:58 +11:00
unkinben
48a4fd0dd1
feat: add templated policies for kubernetes
ci/woodpecker/pr/pre-commit Pipeline was successful
- add default kubernetes auth role
- add templated access kv/kubernetes/*
2026-03-08 12:48:08 +11:00
unkinben
4dc09547ef
Merge pull request 'fix: update audience for rpmbuilder' (#65) from benvin/default_aud into master
Reviewed-on: #65
2026-03-08 12:29:43 +11:00
unkinben
546a9efe44
fix: update audience for rpmbuilder
ci/woodpecker/pr/pre-commit Pipeline was successful
when using the service account jwt directly, the default audience
is the api server's url
2026-03-07 11:31:36 +11:00
unkinben
679cec4bc1
Merge pull request 'feat: add rpmbuilder k8s role' (#64) from benvin/rpmbuilder-in-k8s into master
Reviewed-on: #64
2026-03-07 11:11:23 +11:00
unkinben
71789f9f32
feat: add rpmbuilder k8s role
ci/woodpecker/pr/pre-commit Pipeline was successful
- create rpmbuilder role
- enable access to gitea/github ro-tokens
- enable access to rpmbuilder role from woodpeckerci
2026-03-07 11:06:27 +11:00
unkinben
4cbcec58d3
Merge pull request 'feat: enable woodpecker access to ro tokens' (#63) from benvin/woodpecker_task_access into master
Reviewed-on: #63
2026-03-07 10:52:38 +11:00
unkinben
9c93e185f8
feat: enable woodpecker access to ro tokens
ci/woodpecker/pr/pre-commit Pipeline was successful
- enable woodpecker tasks to access gitea/github read-only tokens
2026-03-07 10:49:39 +11:00
unkinben
d6c8474bd3
Merge pull request 'chore: move pgsql password to vault' (#62) from benvin/artifactapi_postgrespassword into master
Reviewed-on: #62
2026-03-06 19:51:25 +11:00
unkinben
42351000ee
chore: move pgsql password to vault
ci/woodpecker/pr/pre-commit Pipeline was successful
- no more storing secrets in configmaps
2026-03-06 19:39:36 +11:00
unkinben
f7d1330c37
Merge pull request 'chore: add artifactapi k8s role' (#61) from benvin/artifactapi into master
Reviewed-on: #61
2026-03-06 18:57:05 +11:00
unkinben
d9e07e432e
chore: add artifactapi k8s role
ci/woodpecker/pr/pre-commit Pipeline was successful
- enable access to read artifactapi secrets
2026-03-06 18:53:42 +11:00
unkinben
14a258de7d
Merge pull request 'chore: enable access woodpecker-agent-secret' (#60) from benvin/woodpecker_agent_secret into master
Reviewed-on: #60
2026-03-03 23:34:32 +11:00
unkinben
be8bcc3743
chore: enable access woodpecker-agent-secret
ci/woodpecker/pr/pre-commit Pipeline was successful
- add policy to access woodpecker-agent-secret
2026-03-03 23:30:49 +11:00
unkinben
dc257b1bcd
Merge pull request 'feat: add pre-commit check in ci' (#59) from benvin/woodpecker_integration into master
Reviewed-on: #59
2026-02-28 22:28:21 +11:00
unkinben
66119e5207
feat: add pre-commit check in ci
ci/woodpecker/pr/pre-commit Pipeline was successful
- add a ci workflow to verify pre-commit passes
- fix pre-commit errors/warnings:
  - missing required_version
  - missing required_providers
  - fixed terraform_deprecated_interpolation
  - removed terraform_unused_declarations
2026-02-28 21:42:47 +11:00
unkinben
9e6de4dc32
Merge pull request 'feat: set max token life for auth_kubernetes_role' (#58) from benvin/token_max_ttl into master
Reviewed-on: #58
2026-02-22 22:30:18 +11:00
unkinben
7cafafd483
feat: set max token life for auth_kubernetes_role
found kubernetes vaultauth resources never picking up new policies,
because they would infinitely renew their token.
- set default max token length for roles to 1 day
- changed all existing role token_max_ttl to match their token_ttl
2026-02-22 22:28:21 +11:00
unkinben
c94b2af196
Merge pull request 'feat: add woodpecker secrets' (#57) from benvin/woodpecker into master
Reviewed-on: #57
2026-02-22 22:27:50 +11:00
unkinben
dd44146d88
feat: add woodpecker secrets
- add secrets required to integrate woodpecker into gitea/pgsql
2026-02-22 22:27:30 +11:00
unkinben
18a62332f6
Merge pull request 'chore: enable access to openldap admin creds' (#56) from benvin/ldap_admin_pass_terraform_ldap into master
Reviewed-on: #56
2026-02-15 20:17:35 +11:00
unkinben
8fa68e2670
chore: enable access to openldap admin creds
- ensure terraform_ldap can read ldap admin credentials
2026-02-15 20:16:58 +11:00
unkinben
4cad39989f
Merge pull request 'chore: add default_user_password credentials policy' (#55) from benvin/openldap_default_pass into master
Reviewed-on: #55
2026-02-15 13:45:45 +11:00
unkinben
c825962490
chore: add default_user_password credentials policy
- fix the comment for ldap_admin_password
- add policy to read default_user_password
2026-02-15 13:43:02 +11:00
unkinben
51bc3fffc0
Merge pull request 'feat: add terraform-ldap service' (#54) from benvin/terraform-ldap into master
Reviewed-on: #54
2026-02-15 13:40:32 +11:00
unkinben
dca26029c0
feat: add terraform-ldap service
- add consul role/policy/acls to allow terraform-ldap state management
- add approle to generate tokens for consul
2026-02-15 13:38:31 +11:00
unkinben
d398911108
Merge pull request 'fix: kubernetes auth fixes' (#53) from benvin/kubernetes_fixes into master
Reviewed-on: #53
2026-02-15 13:08:43 +11:00
unkinben
c093d5830d
fix: kubernetes auth fixes
- annotations as alias metadata do not work with openbao (idempotency issue)
- set token_ttl to be 600 for all auth roles for kubernetes (min)
2026-02-15 13:06:08 +11:00
unkinben
4b176846f2
Merge pull request 'feat: add identity secrets' (#52) from benvin/identity into master
Reviewed-on: #52
2026-02-15 13:02:01 +11:00
unkinben
90b765d713
feat: add identity secrets
- add kubernetes auth role for identity namespace
- add policy to access openldap bootstrap credentials
2026-02-15 13:01:06 +11:00
unkinben
3fb5a64a17
Merge pull request 'feat: add kubernetes ldap groups' (#51) from benvin/kubernetes_ldap_groups into master
Reviewed-on: #51
2026-02-14 19:48:56 +11:00