52 Commits

Author SHA1 Message Date
unkinben 36d7afbb65 feat: add vault/consul config for media terraform repos (#79)
ci/woodpecker/push/apply Pipeline was successful
Add Kubernetes auth roles, AppRole configs, Consul secret backend roles, Consul ACL policies, and Vault kv read policies for terraform-sonarr, terraform-radarr, and terraform-prowlarr.

Reviewed-on: #79
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-06-28 22:03:25 +10:00
unkinben c33dcdc447 Add auth and state access for terraform-authentik (#78)
ci/woodpecker/push/apply Pipeline was successful
## Summary
- K8s auth role for Woodpecker CI (`terraform-authentik` SA in `woodpecker` namespace)
- AppRole for local terraform runs
- Consul secret backend role (`terraform-authentik`, TTL 120/300)
- Consul ACL policy for `infra/terraform/authentik/` key prefix
- Vault policy granting both auth methods access to Consul creds

Reviewed-on: #78
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-06-28 01:17:51 +10:00
benvin be9bd96cf3 feat: enable consul state store for artifactapi (#77)
ci/woodpecker/push/apply Pipeline was successful
enable the terraform-artifactapi system to manage its state in consul
using dynamic credentials from kubernetes ci jobs in woodpecker

---------

Co-authored-by: Ben Vincent <ben@unkin.net>
Reviewed-on: #77
2026-06-17 21:42:25 +10:00
unkinben bb5f6922fa feat: add vault policy for terraform-git webhook secrets (#75)
ci/woodpecker/push/apply Pipeline was successful
## Summary
- Add read policy for kv/data/service/gitea/webhook/* path
- Assigned to terraform_git approle and woodpecker_terraform_git k8s auth role
- Webhook URLs are stored in Vault KV and read at plan/apply time

## Test plan
- [ ] Verify terragrunt plan succeeds for terraform-git after merge

Reviewed-on: #75
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-06-08 22:56:30 +10:00
benvin 346cf9fa43 feat: manage gitadmin token (#74)
ci/woodpecker/push/apply Pipeline was successful
- add approle for terraform-git
- add policy to read gitadmin token
- update access to the terraform-git consul token

---------

Co-authored-by: Ben Vincent <ben@unkin.net>
Reviewed-on: #74
2026-06-08 15:17:58 +10:00
unkinben 1288057b81 feat: add vault and consul roles for terraform-git (#73)
ci/woodpecker/push/apply Pipeline was successful
## Summary
- Add K8s auth role woodpecker_terraform_git for CI pipeline authentication
- Add consul secret backend role terraform-git for consul state storage tokens
- Add consul ACL policy granting write access to infra/terraform/git/ key prefix
- Add vault policy for reading consul creds at consul_root/au/syd1/creds/terraform-git

## Test plan
- [ ] Verify terragrunt plan succeeds
- [ ] Verify consul ACL policy is created correctly
- [ ] Verify K8s auth role can authenticate from woodpecker namespace

Reviewed-on: #73
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-06-07 20:36:35 +10:00
unkinben 9cbac6d3ef feat: add plan workflow
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
- update makefile to enable kubernetes auth or roleid auth
- add plan workflow
- update all policies to allow the terraform-vault kubernetes role
2026-05-21 23:52:30 +10:00
unkinben 48a4fd0dd1 feat: add templated policies for kubernetes
ci/woodpecker/pr/pre-commit Pipeline was successful
- add default kubernetes auth role
- add templated access kv/kubernetes/*
2026-03-08 12:48:08 +11:00
unkinben 71789f9f32 feat: add rpmbuilder k8s role
ci/woodpecker/pr/pre-commit Pipeline was successful
- create rpmbuilder role
- enable access to gitea/github ro-tokens
- enable access to rpmbuilder role from woodpeckerci
2026-03-07 11:06:27 +11:00
unkinben 9c93e185f8 feat: enable woodpecker access to ro tokens
ci/woodpecker/pr/pre-commit Pipeline was successful
- enable woodpecker tasks to access gitea/github read-only tokens
2026-03-07 10:49:39 +11:00
unkinben 42351000ee chore: move pgsql password to vault
ci/woodpecker/pr/pre-commit Pipeline was successful
- no more storing secrets in configmaps
2026-03-06 19:39:36 +11:00
unkinben d9e07e432e chore: add artifactapi k8s role
ci/woodpecker/pr/pre-commit Pipeline was successful
- enable access to read artifactapi secrets
2026-03-06 18:53:42 +11:00
unkinben be8bcc3743 chore: enable access woodpecker-agent-secret
ci/woodpecker/pr/pre-commit Pipeline was successful
- add policy to access woodpecker-agent-secret
2026-03-03 23:30:49 +11:00
unkinben dd44146d88 feat: add woodpecker secrets
- add secrets required to integrate woodpecker into gitea/pgsql
2026-02-22 22:27:30 +11:00
unkinben 8fa68e2670 chore: enable access to openldap admin creds
- ensure terraform_ldap can read ldap admin credentials
2026-02-15 20:16:58 +11:00
unkinben c825962490 chore: add default_user_password credentials policy
- fix the comment for ldap_admin_password
- add policy to read default_user_password
2026-02-15 13:43:02 +11:00
unkinben dca26029c0 feat: add terraform-ldap service
- add consul role/policy/acls to allow terraform-ldap state management
- add approle to generate tokens for consul
2026-02-15 13:38:31 +11:00
unkinben 90b765d713 feat: add identity secrets
- add kubernetes auth role for identity namespace
- add policy to access openldap bootstrap credentials
2026-02-15 13:01:06 +11:00
unkinben 33a746e545 feat: add kubernetes ldap groups
vault's terraform approle doesnt need to access all of these kubernetes
roles, it was just added as a placeholder and access to the kubernetes
roles was via the `vault_admin` to-much-access account. this is an
effort to roll back that and make access more targeted.

- add kubernetes* ldap groups for specific cluster/role combinations
- remove tf_vault from kubernetes* roles
2026-02-14 19:46:39 +11:00
unkinben a47f841028 feat: add terraform_k8s approle
- add approle for kubernetes terraform
- ensure it can access consul token for state storage
- ensure it can generate root token for managing kubernetes
2026-02-14 19:37:22 +11:00
unkinben b51617c009 Merge pull request 'feat: implement consul ACL management with provider aliases' (#48) from benvin/consul_backend into master
Reviewed-on: #48
2026-02-14 18:41:49 +11:00
unkinben fd03727ec2 feat: add tf_vault required policies
move management of Vault back to tf_vault approle. for this, we need to
create a number of policies that are missing.

- add policies to manage consul secret engines
- add policies to manage pki secret engines
- add policies to manage kv secret engines
- add policies to manage ssh secret engines
2026-02-14 18:39:21 +11:00
unkinben 5536869a38 feat: implement consul ACL management with provider aliases
This commit message captures the major architectural change of implementing Consul ACL management
with proper provider aliasing, along with the supporting configuration files and policy definitions
for various terraform services.

- add consul_acl_management module to manage consul acl policies and roles
- add consul backend roles and policies for terraform services (incus, k8s, nomad, repoflow, vault)
- add consul provider configuration to root.hcl
- add policies to generate credentials for each role
- simplify consul_secret_backend_role module to reference acl-managed roles
- switch to opentofu for provider foreach support
- update terragrunt configuration to support consul backend aliases
- update pre-commit hooks to use opentofu instead of terraform
- configure tflint exceptions for consul acl management module
2026-02-14 18:13:50 +11:00
unkinben 75e9db1aa6 chore: add puppet k8s role
- add role and policies
2026-02-01 14:54:23 +11:00
unkinben 33af7010fb chore: add rancher role
- add kubernetes role for rancher
- add policy to enable access to bootstrap-password
2026-01-30 19:43:06 +11:00
unkinben 8070b6f66b feat: major restructuring in migration to terragrunt
- migrate from individual terraform files to config-driven terragrunt module structure
- add vault_cluster module with config discovery system
- replace individual .tf files with centralized config.hcl
- restructure auth and secret backends as configurable modules
- move auth roles and secret backends to yaml-based configuration
- convert policies from .hcl to .yaml format, add rules/auth definition
- add pre-commit hooks for yaml formatting and file cleanup
- add terragrunt cache to gitignore
- update makefile with terragrunt commands and format target
2026-01-26 23:02:44 +11:00
unkinben 4f185d5e28 feat: add policy to read terraform vars
- read variables required for terraform-repoflow
2025-12-13 10:56:58 +11:00
unkinben 65ad53e24c Merge pull request 'feat: add repoflow service vault configuration' (#39) from benvin/repoflow into master
Reviewed-on: #39
2025-12-13 10:13:33 +11:00
unkinben 9814b8fc1a feat: add repoflow tokens
- add approle for terraform-repoflow
- add policies to access repoflow tokens
2025-12-13 10:09:29 +11:00
unkinben 7b81abfa9e feat: add repoflow service vault configuration
- add secrets for s3, elasticsearch, hasura, postgres and repoflow
2025-12-13 09:20:58 +11:00
unkinben 5afd1ad9c1 feat: add rpmbuilder approle
- add rpmbuilder approle
- add policies to acces gitea/github read-only tokens
2025-11-29 18:00:20 +11:00
unkinben 6624f7aed1 feat: add kubernetes secrets engine with RBAC roles for au-syd1 cluster
- Add Kubernetes secrets engine at kubernetes/au/syd1 path
  - Create four RBAC roles with external YAML configuration:
    * media-apps-operator: namespaced role for media-apps with selective permissions
    * cluster-operator: cluster-wide read-only access to specific API groups
    * cluster-admin: cluster-wide full access to specific API groups
    * cluster-root: cluster-wide superuser access to all resources
  - Add Vault policies for credential generation for each role
  - Add admin policies for kubernetes auth backend configuration and role management
  - Refactor kubernetes auth backend to use shared locals for CA certificate
  - Update terraform-vault approle with required kubernetes policies
2025-11-27 23:22:13 +11:00
unkinben b9deb02cfb chore: remove k8s pki policy
- k8s pki engine was removed some time ago
- also cleanup policy files
2025-11-27 20:42:27 +11:00
unkinben 6353ac6bbc feat: add media-apps integration with vault
- add kubernetes auth role for media-apps
- add policies to read radarr/sonarr secrets
2025-11-27 20:40:54 +11:00
unkinben 4cf1b43960 chore: update k8s csi roles
- ensure the new service accounts can read cephrbd/cephfs
- ensure correct namespace is allowed
2025-11-26 21:01:31 +11:00
unkinben 7814551084 feat: manage k8s auth role integration
- add policies to sign/issue certificates
- manage auth roles for ceph-csi, certmanager, externaldns, huntarr
2025-11-22 23:21:43 +11:00
unkinben 5cbd5815a0 chore: format policy files
- ensure all policy files are correctly formatted
2025-11-16 13:35:10 +11:00
unkinben cbee19b5f9 feat: move k8s secrets into vault
- update kubernetes_host to match value in jwt
- regenerate jwt token and store in vault
- add policy to enable access to jwt token
- update tf_deploy user with access to token
2025-11-16 12:42:18 +11:00
unkinben 85d81fef72 feat: add transit engine
- add transit engine
- add policies to manage keys, encryption and decryption
- add ability to create keys to tf_vault approle
2025-11-15 15:55:51 +11:00
unkinben bc9b4eebdc feat: add kubernetes auth engine
- add kubernetes authentication
- add policy to manage kubernetes auth engine roles/config
2025-11-15 10:50:17 +11:00
unkinben d508dcd4a9 feat: enable access to puppetcerts
- enable the terraform-incus repo to access puppet certs
2025-04-27 16:26:05 +10:00
unkinben 05268f9dd8 feat: enable access to kv/service/packer/builder/docker-incus-client 2025-04-23 18:24:36 +10:00
unkinben 8bc67e1e5b feat: add terraform-incus approle/policy 2025-04-07 16:22:41 +10:00
unkinben 275b640adc feat: add packer-builder policy 2025-04-07 16:22:22 +10:00
unkinben 9b9afdce58 feat: add pki for k8s
- add pki for k8s
- add policy to manage k8s/*/roles/*
2025-01-27 21:05:51 +11:00
unkinben 2d345cc63b fix: fix rolename
- had duplicate role
- change policy name to match approle
- updated ttl as packer builds can take some time
2025-01-11 21:32:33 +11:00
unkinben f83ba13158 feat: add packer-builder role
- limit access to workstation and gitea runners
2025-01-11 21:01:17 +11:00
unkinben 12e04b3db7 feat: add incus-cluster role/policies
- add policy and role to manage incus cluster join tokens
2025-01-06 23:16:06 +11:00
unkinben fc22ac1711 feat: add terraform_nomad role
- add approle and policy for nomad terraform
2024-12-28 17:14:14 +11:00
unkinben 63dd355311 feat: add puppetapi approle/policy 2024-12-15 17:07:01 +11:00