unkinben
526245414a
chore: bump almalinux9 image tags to 20260606
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
2026-06-06 23:47:32 +10:00
unkinben
a548bf1cb1
fix: apply requires plan ( #71 )
ci/woodpecker/push/apply Pipeline was successful
- ensure make plan runs before make apply when deploying
Reviewed-on: #71
2026-05-22 00:03:08 +10:00
unkinben
93ba86baf3
feat: add apply workflow ( #70 )
ci/woodpecker/push/apply Pipeline was successful
Reviewed-on: #70
2026-05-21 23:57:25 +10:00
unkinben
098830c10b
Merge pull request 'feat: add plan workflow' ( #69 ) from benvin/make-plan-buildwq into master
Reviewed-on: #69
2026-05-21 23:54:07 +10:00
unkinben
9cbac6d3ef
feat: add plan workflow
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
- update makefile to enable kubernetes auth or roleid auth
- add plan workflow
- update all policies to allow the terraform-vault kubernetes role
2026-05-21 23:52:30 +10:00
unkinben
73aaaaeb99
Merge pull request 'chore: enable access to gateway.networking.k8s.io' ( #68 ) from benvin/gatewayapi into master
Reviewed-on: #68
2026-05-21 22:42:28 +10:00
unkinben
7c60a5fd53
chore: enable access to gateway.networking.k8s.io
ci/woodpecker/pr/pre-commit Pipeline was successful
2026-05-21 22:39:57 +10:00
unkinben
27f12f183e
Merge pull request 'chore: change to specific ci image' ( #67 ) from benvin/ci_image into master
Reviewed-on: #67
2026-03-09 01:16:59 +11:00
unkinben
c61434b692
chore: change to specific ci image
ci/woodpecker/pr/pre-commit Pipeline was successful
- almalinux9-opentofu image contains all required tools
2026-03-09 01:14:41 +11:00
unkinben
172ceac2fc
Merge pull request 'feat: add templated policies for kubernetes' ( #66 ) from benvin/kubernetes_structured_paths into master
Reviewed-on: #66
2026-03-08 12:57:58 +11:00
unkinben
48a4fd0dd1
feat: add templated policies for kubernetes
ci/woodpecker/pr/pre-commit Pipeline was successful
- add default kubernetes auth role
- add templated access kv/kubernetes/*
2026-03-08 12:48:08 +11:00
unkinben
4dc09547ef
Merge pull request 'fix: update audience for rpmbuilder' ( #65 ) from benvin/default_aud into master
Reviewed-on: #65
2026-03-08 12:29:43 +11:00
unkinben
546a9efe44
fix: update audience for rpmbuilder
ci/woodpecker/pr/pre-commit Pipeline was successful
when using the service account jwt directly, the default audience
is the api server's url
2026-03-07 11:31:36 +11:00
unkinben
679cec4bc1
Merge pull request 'feat: add rpmbuilder k8s role' ( #64 ) from benvin/rpmbuilder-in-k8s into master
Reviewed-on: #64
2026-03-07 11:11:23 +11:00
unkinben
71789f9f32
feat: add rpmbuilder k8s role
ci/woodpecker/pr/pre-commit Pipeline was successful
- create rpmbuilder role
- enable access to gitea/github ro-tokens
- enable access to rpmbuilder role from woodpeckerci
2026-03-07 11:06:27 +11:00
unkinben
4cbcec58d3
Merge pull request 'feat: enable woodpecker access to ro tokens' ( #63 ) from benvin/woodpecker_task_access into master
Reviewed-on: #63
2026-03-07 10:52:38 +11:00
unkinben
9c93e185f8
feat: enable woodpecker access to ro tokens
ci/woodpecker/pr/pre-commit Pipeline was successful
- enable woodpecker tasks to access gitea/github read-only tokens
2026-03-07 10:49:39 +11:00
unkinben
d6c8474bd3
Merge pull request 'chore: move pgsql password to vault' ( #62 ) from benvin/artifactapi_postgrespassword into master
Reviewed-on: #62
2026-03-06 19:51:25 +11:00
unkinben
42351000ee
chore: move pgsql password to vault
ci/woodpecker/pr/pre-commit Pipeline was successful
- no more storing secrets in configmaps
2026-03-06 19:39:36 +11:00
unkinben
f7d1330c37
Merge pull request 'chore: add artifactapi k8s role' ( #61 ) from benvin/artifactapi into master
Reviewed-on: #61
2026-03-06 18:57:05 +11:00
unkinben
d9e07e432e
chore: add artifactapi k8s role
ci/woodpecker/pr/pre-commit Pipeline was successful
- enable access to read artifactapi secrets
2026-03-06 18:53:42 +11:00
unkinben
14a258de7d
Merge pull request 'chore: enable access woodpecker-agent-secret' ( #60 ) from benvin/woodpecker_agent_secret into master
Reviewed-on: #60
2026-03-03 23:34:32 +11:00
unkinben
be8bcc3743
chore: enable access woodpecker-agent-secret
ci/woodpecker/pr/pre-commit Pipeline was successful
- add policy to access woodpecker-agent-secret
2026-03-03 23:30:49 +11:00
unkinben
dc257b1bcd
Merge pull request 'feat: add pre-commit check in ci' ( #59 ) from benvin/woodpecker_integration into master
Reviewed-on: #59
2026-02-28 22:28:21 +11:00
unkinben
66119e5207
feat: add pre-commit check in ci
ci/woodpecker/pr/pre-commit Pipeline was successful
- add a ci workflow to verify pre-commit passes
- fix pre-commit errors/warnings:
  - missing required_version
  - missing required_providers
  - fixed terraform_deprecated_interpolation
  - removed terraform_unused_declarations
2026-02-28 21:42:47 +11:00
unkinben
9e6de4dc32
Merge pull request 'feat: set max token life for auth_kubernetes_role' ( #58 ) from benvin/token_max_ttl into master
Reviewed-on: #58
2026-02-22 22:30:18 +11:00
unkinben
7cafafd483
feat: set max token life for auth_kubernetes_role
found kubernetes vaultauth resources never picking up new policies,
because they would infinitely renew their token.
- set default max token length for roles to 1 day
- changed all existing role token_max_ttl to match their token_ttl
2026-02-22 22:28:21 +11:00
unkinben
c94b2af196
Merge pull request 'feat: add woodpecker secrets' ( #57 ) from benvin/woodpecker into master
Reviewed-on: #57
2026-02-22 22:27:50 +11:00
unkinben
dd44146d88
feat: add woodpecker secrets
- add secrets required to integrate woodpecker into gitea/pgsql
2026-02-22 22:27:30 +11:00
unkinben
18a62332f6
Merge pull request 'chore: enable access to openldap admin creds' ( #56 ) from benvin/ldap_admin_pass_terraform_ldap into master
Reviewed-on: #56
2026-02-15 20:17:35 +11:00
unkinben
8fa68e2670
chore: enable access to openldap admin creds
- ensure terraform_ldap can read ldap admin credentials
2026-02-15 20:16:58 +11:00
unkinben
4cad39989f
Merge pull request 'chore: add default_user_password credentials policy' ( #55 ) from benvin/openldap_default_pass into master
Reviewed-on: #55
2026-02-15 13:45:45 +11:00
unkinben
c825962490
chore: add default_user_password credentials policy
- fix the comment for ldap_admin_password
- add policy to read default_user_password
2026-02-15 13:43:02 +11:00
unkinben
51bc3fffc0
Merge pull request 'feat: add terraform-ldap service' ( #54 ) from benvin/terraform-ldap into master
Reviewed-on: #54
2026-02-15 13:40:32 +11:00
unkinben
dca26029c0
feat: add terraform-ldap service
- add consul role/policy/acls to allow terraform-ldap state management
- add approle to generate tokens for consul
2026-02-15 13:38:31 +11:00
unkinben
d398911108
Merge pull request 'fix: kubernetes auth fixes' ( #53 ) from benvin/kubernetes_fixes into master
Reviewed-on: #53
2026-02-15 13:08:43 +11:00
unkinben
c093d5830d
fix: kubernetes auth fixes
- annotations as alias metadata does not work with openbao (idempotency issue)
- set token_ttl to be 600 for all auth roles for kubernetes (min)
2026-02-15 13:06:08 +11:00
unkinben
4b176846f2
Merge pull request 'feat: add identity secrets' ( #52 ) from benvin/identity into master
Reviewed-on: #52
2026-02-15 13:02:01 +11:00
unkinben
90b765d713
feat: add identity secrets
- add kubernetes auth role for identity namespace
- add policy to access openldap bootstrap credentials
2026-02-15 13:01:06 +11:00
unkinben
3fb5a64a17
Merge pull request 'feat: add kubernetes ldap groups' ( #51 ) from benvin/kubernetes_ldap_groups into master
Reviewed-on: #51
2026-02-14 19:48:56 +11:00
unkinben
33a746e545
feat: add kubernetes ldap groups
vault's terraform approle doesn't need to access all of these kubernetes
roles, it was just added as a placeholder and access to the kubernetes
roles was via the `vault_admin` too-much-access account. this is an
effort to roll back that and make access more targeted.
- add kubernetes* ldap groups for specific cluster/role combinations
- remove tf_vault from kubernetes* roles
2026-02-14 19:46:39 +11:00
unkinben
4fe0e0de73
Merge pull request 'feat: add terraform_k8s approle' ( #50 ) from benvin/terraform_k8s_approle into master
Reviewed-on: #50
2026-02-14 19:38:46 +11:00
unkinben
a47f841028
feat: add terraform_k8s approle
- add approle for kubernetes terraform
- ensure it can access consul token for state storage
- ensure it can generate root token for managing kubernetes
2026-02-14 19:37:22 +11:00
unkinben
9192879c03
Merge pull request 'feat: use ephemeral consul token' ( #49 ) from benvin/use_consul_creds into master
Reviewed-on: #49
2026-02-14 18:59:56 +11:00
unkinben
5cdf6b410d
feat: use ephemeral consul token
- add vault_env to makefile
- retrieve a consul_http_token on demand from vault
2026-02-14 18:59:05 +11:00
unkinben
b51617c009
Merge pull request 'feat: implement consul ACL management with provider aliases' ( #48 ) from benvin/consul_backend into master
Reviewed-on: #48
2026-02-14 18:41:49 +11:00
unkinben
66ee6430fa
Merge pull request 'feat: add tf_vault required policies' ( #47 ) from benvin/tf-vault-policy-updates into master
Reviewed-on: #47
2026-02-14 18:41:33 +11:00
unkinben
fd03727ec2
feat: add tf_vault required policies
move management of Vault back to tf_vault approle. for this, we need to
create a number of policies that are missing.
- add policies to manage consul secret engines
- add policies to manage pki secret engines
- add policies to manage kv secret engines
- add policies to manage ssh secret engines
2026-02-14 18:39:21 +11:00
unkinben
5536869a38
feat: implement consul ACL management with provider aliases
This commit message captures the major architectural change of implementing Consul ACL management
with proper provider aliasing, along with the supporting configuration files and policy definitions
for various terraform services.
- add consul_acl_management module to manage consul acl policies and roles
- add consul backend roles and policies for terraform services (incus, k8s, nomad, repoflow, vault)
- add consul provider configuration to root.hcl
- add policies to generate credentials for each role
- simplify consul_secret_backend_role module to reference acl-managed roles
- switch to opentofu for provider foreach support
- update terragrunt configuration to support consul backend aliases
- update pre-commit hooks to use opentofu instead of terraform
- configure tflint exceptions for consul acl management module
2026-02-14 18:13:50 +11:00
unkinben
f8f1185b42
Merge pull request 'chore: add puppet k8s role' ( #46 ) from benvin/puppet_secrets into master
Reviewed-on: #46
2026-02-01 14:54:45 +11:00