Commit Graph

142 Commits

Author SHA1 Message Date
unkinben 172ceac2fc Merge pull request 'feat: add templated policies for kubernetes' (#66) from benvin/kubernetes_structured_paths into master
Reviewed-on: #66
2026-03-08 12:57:58 +11:00
unkinben 48a4fd0dd1 feat: add templated policies for kubernetes
- add default kubernetes auth role
- add templated access kv/kubernetes/*
2026-03-08 12:48:08 +11:00
unkinben 4dc09547ef Merge pull request 'fix: update audience for rpmbuilder' (#65) from benvin/default_aud into master
Reviewed-on: #65
2026-03-08 12:29:43 +11:00
unkinben 546a9efe44 fix: update audience for rpmbuilder
when using the service account jwt directly, the default audience
is the api server's url
2026-03-07 11:31:36 +11:00
unkinben 679cec4bc1 Merge pull request 'feat: add rpmbuilder k8s role' (#64) from benvin/rpmbuilder-in-k8s into master
Reviewed-on: #64
2026-03-07 11:11:23 +11:00
unkinben 71789f9f32 feat: add rpmbuilder k8s role
- create rpmbuilder role
- enable access to gitea/github ro-tokens
- enable access to rpmbuilder role from woodpeckerci
2026-03-07 11:06:27 +11:00
unkinben 4cbcec58d3 Merge pull request 'feat: enable woodpecker access to ro tokens' (#63) from benvin/woodpecker_task_access into master
Reviewed-on: #63
2026-03-07 10:52:38 +11:00
unkinben 9c93e185f8 feat: enable woodpecker access to ro tokens
- enable woodpecker tasks to access gitea/github read-only tokens
2026-03-07 10:49:39 +11:00
unkinben d6c8474bd3 Merge pull request 'chore: move pgsql password to vault' (#62) from benvin/artifactapi_postgrespassword into master
Reviewed-on: #62
2026-03-06 19:51:25 +11:00
unkinben 42351000ee chore: move pgsql password to vault
- no more storing secrets in configmaps
2026-03-06 19:39:36 +11:00
unkinben f7d1330c37 Merge pull request 'chore: add artifactapi k8s role' (#61) from benvin/artifactapi into master
Reviewed-on: #61
2026-03-06 18:57:05 +11:00
unkinben d9e07e432e chore: add artifactapi k8s role
- enable access to read artifactapi secrets
2026-03-06 18:53:42 +11:00
unkinben 14a258de7d Merge pull request 'chore: enable access woodpecker-agent-secret' (#60) from benvin/woodpecker_agent_secret into master
Reviewed-on: #60
2026-03-03 23:34:32 +11:00
unkinben be8bcc3743 chore: enable access woodpecker-agent-secret
- add policy to access woodpecker-agent-secret
2026-03-03 23:30:49 +11:00
unkinben dc257b1bcd Merge pull request 'feat: add pre-commit check in ci' (#59) from benvin/woodpecker_integration into master
Reviewed-on: #59
2026-02-28 22:28:21 +11:00
unkinben 66119e5207 feat: add pre-commit check in ci
- add a ci workflow to verify pre-commit passes
- fix pre-commit errors/warnings:
  - missing required_version
  - missing required_providers
  - fixed terraform_deprecated_interpolation
  - removed terraform_unused_declarations
2026-02-28 21:42:47 +11:00
unkinben 9e6de4dc32 Merge pull request 'feat: set max token life for auth_kubernetes_role' (#58) from benvin/token_max_ttl into master
Reviewed-on: #58
2026-02-22 22:30:18 +11:00
unkinben 7cafafd483 feat: set max token life for auth_kubernetes_role
found kubernetes vaultauth resources never picking up new policies,
because they would infinitely renew their token.

- set default max token length for roles to 1 day
- changed all existing role token_max_ttl to match their token_ttl
2026-02-22 22:28:21 +11:00
unkinben c94b2af196 Merge pull request 'feat: add woodpecker secrets' (#57) from benvin/woodpecker into master
Reviewed-on: #57
2026-02-22 22:27:50 +11:00
unkinben dd44146d88 feat: add woodpecker secrets
- add secrets required to integrate woodpecker into gitea/pgsql
2026-02-22 22:27:30 +11:00
unkinben 18a62332f6 Merge pull request 'chore: enable access to openldap admin creds' (#56) from benvin/ldap_admin_pass_terraform_ldap into master
Reviewed-on: #56
2026-02-15 20:17:35 +11:00
unkinben 8fa68e2670 chore: enable access to openldap admin creds
- ensure terraform_ldap can read ldap admin credentials
2026-02-15 20:16:58 +11:00
unkinben 4cad39989f Merge pull request 'chore: add default_user_password credentials policy' (#55) from benvin/openldap_default_pass into master
Reviewed-on: #55
2026-02-15 13:45:45 +11:00
unkinben c825962490 chore: add default_user_password credentials policy
- fix the comment for ldap_admin_password
- add policy to read default_user_password
2026-02-15 13:43:02 +11:00
unkinben 51bc3fffc0 Merge pull request 'feat: add terraform-ldap service' (#54) from benvin/terraform-ldap into master
Reviewed-on: #54
2026-02-15 13:40:32 +11:00
unkinben dca26029c0 feat: add terraform-ldap service
- add consul role/policy/acls to allow terraform-ldap state management
- add approle to generate tokens for consul
2026-02-15 13:38:31 +11:00
unkinben d398911108 Merge pull request 'fix: kubernetes auth fixes' (#53) from benvin/kubernetes_fixes into master
Reviewed-on: #53
2026-02-15 13:08:43 +11:00
unkinben c093d5830d fix: kubernetes auth fixes
- annotations as alias metadata do not work with openbao (idempotency issue)
- set token_ttl to be 600 for all auth roles for kubernetes (min)
2026-02-15 13:06:08 +11:00
unkinben 4b176846f2 Merge pull request 'feat: add identity secrets' (#52) from benvin/identity into master
Reviewed-on: #52
2026-02-15 13:02:01 +11:00
unkinben 90b765d713 feat: add identity secrets
- add kubernetes auth role for identity namespace
- add policy to access openldap bootstrap credentials
2026-02-15 13:01:06 +11:00
unkinben 3fb5a64a17 Merge pull request 'feat: add kubernetes ldap groups' (#51) from benvin/kubernetes_ldap_groups into master
Reviewed-on: #51
2026-02-14 19:48:56 +11:00
unkinben 33a746e545 feat: add kubernetes ldap groups
vault's terraform approle doesn't need to access all of these kubernetes
roles, it was just added as a placeholder and access to the kubernetes
roles was via the `vault_admin` too-much-access account. this is an
effort to roll back that and make access more targeted.

- add kubernetes* ldap groups for specific cluster/role combinations
- remove tf_vault from kubernetes* roles
2026-02-14 19:46:39 +11:00
unkinben 4fe0e0de73 Merge pull request 'feat: add terraform_k8s approle' (#50) from benvin/terraform_k8s_approle into master
Reviewed-on: #50
2026-02-14 19:38:46 +11:00
unkinben a47f841028 feat: add terraform_k8s approle
- add approle for kubernetes terraform
- ensure it can access consul token for state storage
- ensure it can generate root token for managing kubernetes
2026-02-14 19:37:22 +11:00
unkinben 9192879c03 Merge pull request 'feat: use ephemeral consul token' (#49) from benvin/use_consul_creds into master
Reviewed-on: #49
2026-02-14 18:59:56 +11:00
unkinben 5cdf6b410d feat: use ephemeral consul token
- add vault_env to makefile
- retrieve a consul_http_token on demand from vault
2026-02-14 18:59:05 +11:00
unkinben b51617c009 Merge pull request 'feat: implement consul ACL management with provider aliases' (#48) from benvin/consul_backend into master
Reviewed-on: #48
2026-02-14 18:41:49 +11:00
unkinben 66ee6430fa Merge pull request 'feat: add tf_vault required policies' (#47) from benvin/tf-vault-policy-updates into master
Reviewed-on: #47
2026-02-14 18:41:33 +11:00
unkinben fd03727ec2 feat: add tf_vault required policies
move management of Vault back to tf_vault approle. for this, we need to
create a number of policies that are missing.

- add policies to manage consul secret engines
- add policies to manage pki secret engines
- add policies to manage kv secret engines
- add policies to manage ssh secret engines
2026-02-14 18:39:21 +11:00
unkinben 5536869a38 feat: implement consul ACL management with provider aliases
This commit message captures the major architectural change of implementing Consul ACL management
with proper provider aliasing, along with the supporting configuration files and policy definitions
for various terraform services.

- add consul_acl_management module to manage consul acl policies and roles
- add consul backend roles and policies for terraform services (incus, k8s, nomad, repoflow, vault)
- add consul provider configuration to root.hcl
- add policies to generate credentials for each role
- simplify consul_secret_backend_role module to reference acl-managed roles
- switch to opentofu for provider foreach support
- update terragrunt configuration to support consul backend aliases
- update pre-commit hooks to use opentofu instead of terraform
- configure tflint exceptions for consul acl management module
2026-02-14 18:13:50 +11:00
unkinben f8f1185b42 Merge pull request 'chore: add puppet k8s role' (#46) from benvin/puppet_secrets into master
Reviewed-on: #46
2026-02-01 14:54:45 +11:00
unkinben 75e9db1aa6 chore: add puppet k8s role
- add role and policies
2026-02-01 14:54:23 +11:00
unkinben f47804ffdf Merge pull request 'chore: rancher pods use rancher service account' (#45) from benvin/rancher_role into master
Reviewed-on: #45
2026-01-30 22:11:53 +11:00
unkinben 24c124d6eb chore: rancher pods use rancher service account
- update bound service account names to be `rancher`
- update namespace to cattle-system (do not run rancher in another namespace)
2026-01-30 22:11:08 +11:00
unkinben 9d54b4cfcc Merge pull request 'chore: add rancher role' (#44) from benvin/rancher_role into master
Reviewed-on: #44
2026-01-30 19:46:19 +11:00
unkinben 33af7010fb chore: add rancher role
- add kubernetes role for rancher
- add policy to enable access to bootstrap-password
2026-01-30 19:43:06 +11:00
unkinben cb1b383035 Merge pull request 'feat: major restructuring in migration to terragrunt' (#43) from benvin/vault_terragrunt into master
Reviewed-on: #43
2026-01-26 23:53:35 +11:00
unkinben f6d06cb319 chore: cleanup unused config data
- remove token_policies from roles config data, this comes from policies.hcl inputs
- remove policies from ldap groups
- remove backend data from roles, this comes from config.hcl inputs
2026-01-26 23:51:50 +11:00
unkinben 1c9e063310 Merge branch 'master' into benvin/vault_terragrunt
2026-01-26 23:07:13 +11:00
unkinben 8070b6f66b feat: major restructuring in migration to terragrunt
- migrate from individual terraform files to config-driven terragrunt module structure
- add vault_cluster module with config discovery system
- replace individual .tf files with centralized config.hcl
- restructure auth and secret backends as configurable modules
- move auth roles and secret backends to yaml-based configuration
- convert policies from .hcl to .yaml format, add rules/auth definition
- add pre-commit hooks for yaml formatting and file cleanup
- add terragrunt cache to gitignore
- update makefile with terragrunt commands and format target
2026-01-26 23:02:44 +11:00