unkin/terraform-vault
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
90 Commits 1 Branch 0 Tags 196 KiB
master
Commit Graph

90 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Ben Vincent
fdc801739f Merge pull request 'feat: add prowlarr access' (#41) from benvin/prowlarr_policy into master 
Reviewed-on: #41
 2026-01-04 23:37:23 +11:00
Ben Vincent
56d858f900 feat: add prowlarr access 
- enable kubernetes access to prowlarr secrets
 2026-01-04 23:36:43 +11:00
Ben Vincent
bd112181f5 Merge pull request 'feat: add policy to read terraform vars' (#40) from benvin/repoflow_terraform into master 
Reviewed-on: #40
 2025-12-13 10:57:33 +11:00
Ben Vincent
4f185d5e28 feat: add policy to read terraform vars 
- read variables required for terraform-repoflow
 2025-12-13 10:56:58 +11:00
Ben Vincent
65ad53e24c Merge pull request 'feat: add repoflow service vault configuration' (#39) from benvin/repoflow into master 
Reviewed-on: #39
 2025-12-13 10:13:33 +11:00
Ben Vincent
d217f6e42d Merge pull request 'feat: add repoflow tokens' (#38) from benvin/repoflow_tokens into master 
Reviewed-on: #38
 2025-12-13 10:10:07 +11:00
Ben Vincent
9814b8fc1a feat: add repoflow tokens 
- add approle for terraform-repoflow
- add policies to access repoflow tokens
 2025-12-13 10:09:29 +11:00
Ben Vincent
7b81abfa9e feat: add repoflow service vault configuration 
- add secrets for s3, elasticsearch, hasura, postgres and repoflow
 2025-12-13 09:20:58 +11:00
Ben Vincent
2466a6fe5c Merge pull request 'feat: label kubernetes ephemeral serviceaccounts' (#37) from benvin/k8s_roles_labelling into master 
Reviewed-on: #37
 2025-12-07 12:42:45 +11:00
Ben Vincent
c88b19a216 feat: label kubernetes ephemeral serviceaccounts 
- ensure all service accounts are labelled with role/cluster
- add additional api endpoints to cluster roles
 2025-12-07 12:41:37 +11:00
Ben Vincent
3bada72838 Merge pull request 'chore: allow long lines in yamllint' (#36) from benvin/yamlint-args into master 
Reviewed-on: #36
 2025-12-01 21:51:11 +11:00
Ben Vincent
8961ba3748 chore: allow long lines in yamllint 2025-12-01 21:50:49 +11:00
Ben Vincent
26b3ee84d6 Merge pull request 'chore: fix policies for rpmbuilder' (#35) from benvin/fix_rpmbuilder into master 
Reviewed-on: #35
 2025-11-30 21:24:52 +11:00
Ben Vincent
0776fac6eb chore: fix policies for rpmbuilder 
- missed the `/read` on the end
 2025-11-30 21:24:06 +11:00
Ben Vincent
3a2ecc9b23 Merge pull request 'feat: add rpmbuilder approle' (#34) from benvin/rpmbuilder into master 
Reviewed-on: #34
 2025-11-29 18:01:37 +11:00
Ben Vincent
5afd1ad9c1 feat: add rpmbuilder approle 
- add rpmbuilder approle
- add policies to acces gitea/github read-only tokens
 2025-11-29 18:00:20 +11:00
Ben Vincent
756286c231 chore: update name, role type for k8s 
- ensure cluster roles are able to be created as ClusterRole
- prefix all vault managed roles with `vault-`
 2025-11-29 00:09:57 +11:00
Ben Vincent
9cc482d471 Merge pull request 'feat: add kubernetes secrets engine with RBAC roles for au-syd1 cluster' (#33) from benvin/au-syd1-k8s-roles into master 
Reviewed-on: #33
 2025-11-27 23:31:04 +11:00
Ben Vincent
6624f7aed1 feat: add kubernetes secrets engine with RBAC roles for au-syd1 cluster 
- Add Kubernetes secrets engine at kubernetes/au/syd1 path
  - Create four RBAC roles with external YAML configuration:
    * media-apps-operator: namespaced role for media-apps with selective permissions
    * cluster-operator: cluster-wide read-only access to specific API groups
    * cluster-admin: cluster-wide full access to specific API groups
    * cluster-root: cluster-wide superuser access to all resources
  - Add Vault policies for credential generation for each role
  - Add admin policies for kubernetes auth backend configuration and role management
  - Refactor kubernetes auth backend to use shared locals for CA certificate
  - Update terraform-vault approle with required kubernetes policies
 2025-11-27 23:22:13 +11:00
Ben Vincent
ad1118af85 Merge pull request 'chore: remove references k8s pki policy' (#32) from benvin/cleanup_k8s_pki_policy_reference into master 
Reviewed-on: #32
 2025-11-27 21:08:29 +11:00
Ben Vincent
cafa887cdc chore: remove references k8s pki policy 
- missed from previous pr
- policy no longer exists, remove it from the approle
 2025-11-27 21:07:50 +11:00
Ben Vincent
f10f96d19c Merge pull request 'feat: move state path in consul' (#31) from benvin/move-state-path into master 
Reviewed-on: #31
 2025-11-27 21:05:55 +11:00
Ben Vincent
da0e0e4239 feat: move state path in consul 
- move state to the infra/terraform/vault subdir
 2025-11-27 21:04:44 +11:00
Ben Vincent
2efbf7cc6e Merge pull request 'chore: remove k8s pki policy' (#30) from benvin/cleanup_k8s_pki into master 
Reviewed-on: #30
 2025-11-27 20:43:08 +11:00
Ben Vincent
b9deb02cfb chore: remove k8s pki policy 
- k8s pki engine was removed some time ago
- also cleanup policy files
 2025-11-27 20:42:27 +11:00
Ben Vincent
391c77d30b Merge pull request 'feat: add media-apps integration with vault' (#29) from benvin/media_apps_k8s into master 
Reviewed-on: #29
 2025-11-27 20:41:52 +11:00
Ben Vincent
6353ac6bbc feat: add media-apps integration with vault 
- add kubernetes auth role for media-apps
- add policies to read radarr/sonarr secrets
 2025-11-27 20:40:54 +11:00
Ben Vincent
605aa204a9 Merge pull request 'chore: update k8s csi roles' (#28) from benvin/ceph-csi-changes into master 
Reviewed-on: #28
 2025-11-26 21:01:58 +11:00
Ben Vincent
4cf1b43960 chore: update k8s csi roles 
- ensure the new service accounts can read cephrbd/cephfs
- ensure correct namespace is allowed
 2025-11-26 21:01:31 +11:00
Ben Vincent
f217dbaeca Merge pull request 'feat: manage k8s auth role integration' (#27) from benvin/k8s_roles_integration into master 
Reviewed-on: #27
 2025-11-22 23:23:13 +11:00
Ben Vincent
7814551084 feat: manage k8s auth role integration 
- add policies to sign/issue certificates
- manage auth roles for ceph-csi, certmanager, externaldns, huntarr
 2025-11-22 23:21:43 +11:00
Ben Vincent
85cda88a3b Merge pull request 'chore: fix kubernetes_host' (#26) from benvin/kubernetes_host into master 
Reviewed-on: #26
 2025-11-16 16:50:13 +11:00
Ben Vincent
02654ac32a chore: fix kubernetes_host 
- correct hostname to match `kubectl cluster-info`
- fix formatting with terraform fmt
 2025-11-16 16:49:04 +11:00
Ben Vincent
c3c1cb660a Merge pull request 'benvin/pre-commit' (#25) from benvin/pre-commit into master 
Reviewed-on: #25
 2025-11-16 13:37:55 +11:00
Ben Vincent
5cbd5815a0 chore: format policy files 
- ensure all policy files are correctly formatted
 2025-11-16 13:35:10 +11:00
Ben Vincent
6d84efe81e feat: add pre-commit 
- ran 'pre-commit install'
- add pre-commit configuration
- test yaml + terraform related checks
- terragrunt-hcl-fmt for policy hcl files
 2025-11-16 13:31:16 +11:00
Ben Vincent
9ff6cf7de7 Merge pull request 'chore: add terraform required version' (#24) from benvin/terraform_required_version into master 
Reviewed-on: #24
 2025-11-16 13:13:44 +11:00
Ben Vincent
865a97ba0e Merge pull request 'feat: rework policies file' (#23) from benvin/policy_rework into master 
Reviewed-on: #23
 2025-11-16 13:13:37 +11:00
Ben Vincent
c0d0888172 chore: add terraform required version 
- set the terraform required version to 1.10+
 2025-11-16 13:13:08 +11:00
Ben Vincent
49889eaf22 feat: rework policies file 
- policy files are now found automatically
 2025-11-16 13:08:50 +11:00
Ben Vincent
d2acaeb7bc Merge pull request 'feat: move k8s secrets into vault' (#22) from benvin/kubernetes_secret_handling into master 
Reviewed-on: #22
 2025-11-16 12:44:40 +11:00
Ben Vincent
cbee19b5f9 feat: move k8s secrets into vault 
- update kubernetes_host to match value in jwt
- regenerate jwt token and store in vault
- add policy to enable access to jwt token
- update tf_deploy user with access to token
 2025-11-16 12:42:18 +11:00
Ben Vincent
353d726510 Merge pull request 'feat: add makefile' (#21) from benvin/makefile into master 
Reviewed-on: #21
 2025-11-16 12:40:25 +11:00
Ben Vincent
537cc9013a feat: add makefile 
- add init, plan and apply to makefile
 2025-11-16 12:39:32 +11:00
Ben Vincent
8e1d242dba Merge pull request 'feat: add transit engine' (#20) from benvin/transit_engine into master 
Reviewed-on: #20
 2025-11-15 15:57:04 +11:00
Ben Vincent
85d81fef72 feat: add transit engine 
- add transit engine
- add policies to manage keys, encryption and decryption
- add ability to create keys to tf_vault approle
 2025-11-15 15:55:51 +11:00
Ben Vincent
59b7b01c23 Merge pull request 'feat: enable annotations as alias metadata' (#19) from benvin/annotations_as_alias_metadata into master 
Reviewed-on: #19
 2025-11-15 15:41:42 +11:00
Ben Vincent
5675a469da feat: enable annotations as alias metadata 
- enable the ability to set additional alias metadata via annotations
 2025-11-15 15:40:54 +11:00
Ben Vincent
489969fed8 Merge pull request 'feat: upgrade vault provider' (#18) from benvin/upgrade_provider into master 
Reviewed-on: #18
 2025-11-15 15:40:16 +11:00
Ben Vincent
1ee07dd52f feat: upgrade vault provider 
- upgrade to hashicorp/vault 5.4.0
 2025-11-15 15:38:22 +11:00