39 Commits

Author SHA1 Message Date
unkinben 36d7afbb65 feat: add vault/consul config for media terraform repos (#79)
ci/woodpecker/push/apply Pipeline was successful
Add Kubernetes auth roles, AppRole configs, Consul secret backend roles, Consul ACL policies, and Vault kv read policies for terraform-sonarr, terraform-radarr, and terraform-prowlarr.

Reviewed-on: #79
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-06-28 22:03:25 +10:00
unkinben bb5f6922fa feat: add vault policy for terraform-git webhook secrets (#75)
ci/woodpecker/push/apply Pipeline was successful
## Summary
- Add read policy for kv/data/service/gitea/webhook/* path
- Assigned to terraform_git approle and woodpecker_terraform_git k8s auth role
- Webhook URLs are stored in Vault KV and read at plan/apply time

## Test plan
- [ ] Verify terragrunt plan succeeds for terraform-git after merge

Reviewed-on: #75
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-06-08 22:56:30 +10:00
benvin 346cf9fa43 feat: manage gitadmin token (#74)
ci/woodpecker/push/apply Pipeline was successful
- add approle for terraform-git
- add policy to read gitadmin token
- update access to the terraform-git consul token

---------

Co-authored-by: Ben Vincent <ben@unkin.net>
Reviewed-on: #74
2026-06-08 15:17:58 +10:00
unkinben 9cbac6d3ef feat: add plan workflow
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
- update makefile to enable kubernetes auth or roleid auth
- add plan workflow
- update all policies to allow the terraform-vault kubernetes role
2026-05-21 23:52:30 +10:00
unkinben 48a4fd0dd1 feat: add templated policies for kubernetes
ci/woodpecker/pr/pre-commit Pipeline was successful
- add default kubernetes auth role
- add templated access kv/kubernetes/*
2026-03-08 12:48:08 +11:00
unkinben 71789f9f32 feat: add rpmbuilder k8s role
ci/woodpecker/pr/pre-commit Pipeline was successful
- create rpmbuilder role
- enable access to gitea/github ro-tokens
- enable access to rpmbuilder role from woodpeckerci
2026-03-07 11:06:27 +11:00
unkinben 9c93e185f8 feat: enable woodpecker access to ro tokens
ci/woodpecker/pr/pre-commit Pipeline was successful
- enable woodpecker tasks to access gitea/github read-only tokens
2026-03-07 10:49:39 +11:00
unkinben 42351000ee chore: move pgsql password to vault
ci/woodpecker/pr/pre-commit Pipeline was successful
- no more storing secrets in configmaps
2026-03-06 19:39:36 +11:00
unkinben d9e07e432e chore: add artifactapi k8s role
ci/woodpecker/pr/pre-commit Pipeline was successful
- enable access to read artifactapi secrets
2026-03-06 18:53:42 +11:00
unkinben be8bcc3743 chore: enable access woodpecker-agent-secret
ci/woodpecker/pr/pre-commit Pipeline was successful
- add policy to access woodpecker-agent-secret
2026-03-03 23:30:49 +11:00
unkinben dd44146d88 feat: add woodpecker secrets
- add secrets required to integrate woodpecker into gitea/pgsql
2026-02-22 22:27:30 +11:00
unkinben 8fa68e2670 chore: enable access to openldap admin creds
- ensure terraform_ldap can read ldap admin credentials
2026-02-15 20:16:58 +11:00
unkinben c825962490 chore: add default_user_password credentials policy
- fix the comment for ldap_admin_password
- add policy to read default_user_password
2026-02-15 13:43:02 +11:00
unkinben 90b765d713 feat: add identity secrets
- add kubernetes auth role for identity namespace
- add policy to access openldap bootstrap credentials
2026-02-15 13:01:06 +11:00
unkinben fd03727ec2 feat: add tf_vault required policies
Move management of Vault back to the tf_vault approle. For this, we need to
create a number of policies that are missing.

- add policies to manage consul secret engines
- add policies to manage pki secret engines
- add policies to manage kv secret engines
- add policies to manage ssh secret engines
2026-02-14 18:39:21 +11:00
unkinben 75e9db1aa6 chore: add puppet k8s role
- add role and policies
2026-02-01 14:54:23 +11:00
unkinben 33af7010fb chore: add rancher role
- add kubernetes role for rancher
- add policy to enable access to bootstrap-password
2026-01-30 19:43:06 +11:00
unkinben 8070b6f66b feat: major restructuring in migration to terragrunt
- migrate from individual terraform files to config-driven terragrunt module structure
- add vault_cluster module with config discovery system
- replace individual .tf files with centralized config.hcl
- restructure auth and secret backends as configurable modules
- move auth roles and secret backends to yaml-based configuration
- convert policies from .hcl to .yaml format, add rules/auth definition
- add pre-commit hooks for yaml formatting and file cleanup
- add terragrunt cache to gitignore
- update makefile with terragrunt commands and format target
2026-01-26 23:02:44 +11:00
unkinben 4f185d5e28 feat: add policy to read terraform vars
- read variables required for terraform-repoflow
2025-12-13 10:56:58 +11:00
unkinben 65ad53e24c Merge pull request 'feat: add repoflow service vault configuration' (#39) from benvin/repoflow into master
Reviewed-on: #39
2025-12-13 10:13:33 +11:00
unkinben 9814b8fc1a feat: add repoflow tokens
- add approle for terraform-repoflow
- add policies to access repoflow tokens
2025-12-13 10:09:29 +11:00
unkinben 7b81abfa9e feat: add repoflow service vault configuration
- add secrets for s3, elasticsearch, hasura, postgres and repoflow
2025-12-13 09:20:58 +11:00
unkinben 5afd1ad9c1 feat: add rpmbuilder approle
- add rpmbuilder approle
- add policies to access gitea/github read-only tokens
2025-11-29 18:00:20 +11:00
unkinben 6624f7aed1 feat: add kubernetes secrets engine with RBAC roles for au-syd1 cluster
- Add Kubernetes secrets engine at kubernetes/au/syd1 path
- Create four RBAC roles with external YAML configuration:
  * media-apps-operator: namespaced role for media-apps with selective permissions
  * cluster-operator: cluster-wide read-only access to specific API groups
  * cluster-admin: cluster-wide full access to specific API groups
  * cluster-root: cluster-wide superuser access to all resources
- Add Vault policies for credential generation for each role
- Add admin policies for kubernetes auth backend configuration and role management
- Refactor kubernetes auth backend to use shared locals for CA certificate
- Update terraform-vault approle with required kubernetes policies
2025-11-27 23:22:13 +11:00
unkinben 6353ac6bbc feat: add media-apps integration with vault
- add kubernetes auth role for media-apps
- add policies to read radarr/sonarr secrets
2025-11-27 20:40:54 +11:00
unkinben 4cf1b43960 chore: update k8s csi roles
- ensure the new service accounts can read cephrbd/cephfs
- ensure correct namespace is allowed
2025-11-26 21:01:31 +11:00
unkinben 7814551084 feat: manage k8s auth role integration
- add policies to sign/issue certificates
- manage auth roles for ceph-csi, certmanager, externaldns, huntarr
2025-11-22 23:21:43 +11:00
unkinben 5cbd5815a0 chore: format policy files
- ensure all policy files are correctly formatted
2025-11-16 13:35:10 +11:00
unkinben cbee19b5f9 feat: move k8s secrets into vault
- update kubernetes_host to match value in jwt
- regenerate jwt token and store in vault
- add policy to enable access to jwt token
- update tf_deploy user with access to token
2025-11-16 12:42:18 +11:00
unkinben d508dcd4a9 feat: enable access to puppetcerts
- enable the terraform-incus repo to access puppet certs
2025-04-27 16:26:05 +10:00
unkinben 05268f9dd8 feat: enable access to kv/service/packer/builder/docker-incus-client
2025-04-23 18:24:36 +10:00
unkinben 8bc67e1e5b feat: add terraform-incus approle/policy
2025-04-07 16:22:41 +10:00
unkinben 275b640adc feat: add packer-builder policy
2025-04-07 16:22:22 +10:00
unkinben 2d345cc63b fix: fix rolename
- had duplicate role
- change policy name to match approle
- updated ttl as packer builds can take some time
2025-01-11 21:32:33 +11:00
unkinben f83ba13158 feat: add packer-builder role
- limit access to workstation and gitea runners
2025-01-11 21:01:17 +11:00
unkinben 12e04b3db7 feat: add incus-cluster role/policies
- add policy and role to manage incus cluster join tokens
2025-01-06 23:16:06 +11:00
unkinben fc22ac1711 feat: add terraform_nomad role
- add approle and policy for nomad terraform
2024-12-28 17:14:14 +11:00
unkinben 63dd355311 feat: add puppetapi approle/policy
2024-12-15 17:07:01 +11:00
unkinben f78416361b feat: manage terraform access to vault
- add approle for terraform, tf_vault
- add policies to manage terraform access to vault
- add policies for default access to vault from ldap users
2024-09-26 22:59:40 +10:00