15 Commits

Author SHA1 Message Date
unkinben ecee4b4432 fix: grant vault deployer access to manage the litellm engine
Applying the litellm mount failed with 403 permission denied on
PUT litellm/config: the deployer identity (tf_vault approle /
woodpecker_terraform_vault k8s role) could enable the mount via
sys/mounts/admin but had no policy covering the engine's own data paths.

Add a litellm/admin policy granting create/read/update/delete on
litellm/config and litellm/roles/*, assigned to the same auth roles as the
other secret-engine admin policies.
2026-07-07 00:23:20 +10:00
unkinben 9e2c21131f feat: manage litellm secrets engine via terraform-provider-litellmvaultsecret
ci/woodpecker/pr/plan Pipeline was successful
ci/woodpecker/pr/pre-commit Pipeline was successful
The vault-plugin-secrets-litellm engine mints LiteLLM virtual keys and is
now registered in Vault, but nothing declared its mount/config or roles in
this repo. Wire in the companion litellm provider so the mount is managed
as code alongside the other secret backends.

- Add litellm_secret_backend module: mounts the engine and writes its
  config (base_url, request_timeout_seconds); reads master_key from KV
- Add litellm_secret_backend_role module: manages roles (models,
  max_budget, key_alias_prefix, ttl/max_ttl seconds, metadata)
- Register both modules in vault_cluster main.tf and variables.tf
- Discover litellm_secret_backend[_role] YAML in config.hcl and pass them
  through terragrunt inputs
- Declare the litellm provider (litellmvaultsecret) and
  a provider block in the generated root backend.tf
- Add example config for the litellm mount and a sample role
2026-07-07 00:15:07 +10:00
unkinben bbde79d2a6 policies: let terraform-authentik read its provider API token (#82)
ci/woodpecker/push/apply Pipeline was successful
## Why
terraform-authentik's provider needs an Authentik API token (`TF_VAR_authentik_token`), now sourced from Vault at `kv/service/terraform/authentik` (Makefile wiring in terraform-authentik #2). The CI role needs read access to that path.

## Change
Extend `policies/kv/service/terraform/authentik.yaml` to also grant read on `kv/data/service/terraform/authentik` for the `terraform_authentik` approle + `woodpecker_terraform_authentik` k8s role.

Reviewed-on: #82
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-07-06 23:41:03 +10:00
unkinben f2c54888de policies: let terraform-authentik read oauth client secrets from kv (#81)
ci/woodpecker/push/apply Pipeline was successful
## Why
terraform-authentik now reads OAuth2 client secrets from Vault (`data.vault_kv_secret_v2`) rather than committing them (terraform-authentik #2). But the `terraform_authentik` approle / `woodpecker_terraform_authentik` k8s role only had the consul-creds policy, so `plan` fails with permission denied on the grafana oauth path.

## Change
Add `policies/kv/service/terraform/authentik.yaml` granting read on `kv/data/kubernetes/namespace/+/default/oauth-credentials` for both the approle and the woodpecker k8s role.

Reviewed-on: #81
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-07-06 23:05:20 +10:00
unkinben 36d7afbb65 feat: add vault/consul config for media terraform repos (#79)
ci/woodpecker/push/apply Pipeline was successful
Add Kubernetes auth roles, AppRole configs, Consul secret backend roles, Consul ACL policies, and Vault kv read policies for terraform-sonarr, terraform-radarr, and terraform-prowlarr.

Reviewed-on: #79
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-06-28 22:03:25 +10:00
unkinben c33dcdc447 Add auth and state access for terraform-authentik (#78)
ci/woodpecker/push/apply Pipeline was successful
## Summary
- K8s auth role for Woodpecker CI (`terraform-authentik` SA in `woodpecker` namespace)
- AppRole for local terraform runs
- Consul secret backend role (`terraform-authentik`, TTL 120/300)
- Consul ACL policy for `infra/terraform/authentik/` key prefix
- Vault policy granting both auth methods access to Consul creds

Reviewed-on: #78
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-06-28 01:17:51 +10:00
benvin be9bd96cf3 feat: enable consul state store for artifactapi (#77)
ci/woodpecker/push/apply Pipeline was successful
enable the terraform-artifactapi system to manage its state in consul
using dynamic credentials from kubernetes ci jobs in woodpecker

---------

Co-authored-by: Ben Vincent <ben@unkin.net>
Reviewed-on: #77
2026-06-17 21:42:25 +10:00
unkinben bb5f6922fa feat: add vault policy for terraform-git webhook secrets (#75)
ci/woodpecker/push/apply Pipeline was successful
## Summary
- Add read policy for kv/data/service/gitea/webhook/* path
- Assigned to terraform_git approle and woodpecker_terraform_git k8s auth role
- Webhook URLs are stored in Vault KV and read at plan/apply time

## Test plan
- [ ] Verify terragrunt plan succeeds for terraform-git after merge

Reviewed-on: #75
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-06-08 22:56:30 +10:00
benvin 346cf9fa43 feat: manage gitadmin token (#74)
ci/woodpecker/push/apply Pipeline was successful
- add approle for terraform-git
- add policy to read gitadmin token
- update access to the terraform-git consul token

---------

Co-authored-by: Ben Vincent <ben@unkin.net>
Reviewed-on: #74
2026-06-08 15:17:58 +10:00
unkinben 1288057b81 feat: add vault and consul roles for terraform-git (#73)
ci/woodpecker/push/apply Pipeline was successful
## Summary
- Add K8s auth role woodpecker_terraform_git for CI pipeline authentication
- Add consul secret backend role terraform-git for consul state storage tokens
- Add consul ACL policy granting write access to infra/terraform/git/ key prefix
- Add vault policy for reading consul creds at consul_root/au/syd1/creds/terraform-git

## Test plan
- [ ] Verify terragrunt plan succeeds
- [ ] Verify consul ACL policy is created correctly
- [ ] Verify K8s auth role can authenticate from woodpecker namespace

Reviewed-on: #73
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-06-07 20:36:35 +10:00
unkinben 3876fa818d chore: bump almalinux9 image tags (#72)
ci/woodpecker/push/apply Pipeline was successful
Bump almalinux9 image tags to 20260606

Reviewed-on: #72
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-06-07 00:35:30 +10:00
unkinben a548bf1cb1 fix: apply requires plan (#71)
ci/woodpecker/push/apply Pipeline was successful
- ensure make plan runs before make apply when deploying

Reviewed-on: #71
2026-05-22 00:03:08 +10:00
unkinben 93ba86baf3 feat: add apply workflow (#70)
ci/woodpecker/push/apply Pipeline was successful
Reviewed-on: #70
2026-05-21 23:57:25 +10:00
unkinben 098830c10b Merge pull request 'feat: add plan workflow' (#69) from benvin/make-plan-buildwq into master
Reviewed-on: #69
2026-05-21 23:54:07 +10:00
unkinben 9cbac6d3ef feat: add plan workflow
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
- update makefile to enable kubernetes auth or roleid auth
- add plan workflow
- update all policies to allow the terraform-vault kubernetes role
2026-05-21 23:52:30 +10:00
93 changed files with 685 additions and 3 deletions
+23
View File
@@ -0,0 +1,23 @@
when:
- event: push
branch: master
steps:
- name: apply
image: git.unkin.net/unkin/almalinux9-opentofu:20260606
environment:
VAULT_AUTH_METHOD: kubernetes
commands:
- dnf install vault -y
- make plan
- make apply
backend_options:
kubernetes:
serviceAccountName: terraform-vault
resources:
requests:
memory: 512Mi
cpu: 1
limits:
memory: 2Gi
cpu: 2
+21
View File
@@ -0,0 +1,21 @@
when:
- event: pull_request
steps:
- name: plan
image: git.unkin.net/unkin/almalinux9-opentofu:20260606
environment:
VAULT_AUTH_METHOD: kubernetes
commands:
- dnf install vault -y
- make plan
backend_options:
kubernetes:
serviceAccountName: terraform-vault
resources:
requests:
memory: 512Mi
cpu: 1
limits:
memory: 2Gi
cpu: 2
+11 -1
View File
@@ -3,6 +3,16 @@ when:
steps: steps:
- name: pre-commit - name: pre-commit
image: git.unkin.net/unkin/almalinux9-opentofu:20260308 image: git.unkin.net/unkin/almalinux9-opentofu:20260606
commands: commands:
- uvx pre-commit run --all-files - uvx pre-commit run --all-files
backend_options:
kubernetes:
serviceAccountName: default
resources:
requests:
memory: 512Mi
cpu: 1
limits:
memory: 2Gi
cpu: 2
+11 -2
View File
@@ -1,10 +1,19 @@
.PHONY: init plan apply format .PHONY: init plan apply format
VAULT_AUTH_METHOD ?= approle
VAULT_K8S_ROLE ?= woodpecker_terraform_vault
VAULT_K8S_MOUNT ?= auth/k8s/au/syd1
VAULT_K8S_JWT_PATH ?= /var/run/secrets/kubernetes.io/serviceaccount/token
# Define vault_env function to set up vault environment # Define vault_env function to set up vault environment
define vault_env define vault_env
@export VAULT_ADDR="https://vault.service.consul:8200" && \ @export VAULT_ADDR="https://vault.service.consul:8200" && \
export VAULT_TOKEN=$$(vault write -field=token auth/approle/login role_id=$$VAULT_ROLEID) && \ if [ "$(VAULT_AUTH_METHOD)" = "kubernetes" ]; then \
export CONSUL_HTTP_TOKEN=$$(vault read -format=json consul_root/au/syd1/creds/terraform-vault | jq '.data.token') export VAULT_TOKEN=$$(vault write -field=token $(VAULT_K8S_MOUNT)/login role=$(VAULT_K8S_ROLE) jwt=$$(cat $(VAULT_K8S_JWT_PATH))); \
else \
export VAULT_TOKEN=$$(vault write -field=token auth/approle/login role_id=$$VAULT_ROLEID); \
fi && \
export CONSUL_HTTP_TOKEN=$$(vault read -field=token consul_root/au/syd1/creds/terraform-vault)
endef endef
init: init:
@@ -0,0 +1,9 @@
token_ttl: 120
token_max_ttl: 120
bind_secret_id: false
token_bound_cidrs:
- "10.10.12.200/32"
- "198.18.25.102/32"
- "198.18.26.91/32"
- "198.18.27.40/32"
use_deterministic_role_id: true
@@ -0,0 +1,9 @@
token_ttl: 120
token_max_ttl: 120
bind_secret_id: false
token_bound_cidrs:
- "10.10.12.200/32"
- "198.18.25.102/32"
- "198.18.26.91/32"
- "198.18.27.40/32"
use_deterministic_role_id: true
@@ -0,0 +1,9 @@
token_ttl: 120
token_max_ttl: 120
bind_secret_id: false
token_bound_cidrs:
- "10.10.12.200/32"
- "198.18.25.102/32"
- "198.18.26.91/32"
- "198.18.27.40/32"
use_deterministic_role_id: true
@@ -0,0 +1,9 @@
token_ttl: 120
token_max_ttl: 120
bind_secret_id: false
token_bound_cidrs:
- "10.10.12.200/32"
- "198.18.25.102/32"
- "198.18.26.91/32"
- "198.18.27.40/32"
use_deterministic_role_id: true
@@ -0,0 +1,9 @@
token_ttl: 120
token_max_ttl: 120
bind_secret_id: false
token_bound_cidrs:
- "10.10.12.200/32"
- "198.18.25.102/32"
- "198.18.26.91/32"
- "198.18.27.40/32"
use_deterministic_role_id: true
@@ -0,0 +1,9 @@
token_ttl: 120
token_max_ttl: 120
bind_secret_id: false
token_bound_cidrs:
- "10.10.12.200/32"
- "198.18.25.102/32"
- "198.18.26.91/32"
- "198.18.27.40/32"
use_deterministic_role_id: true
@@ -0,0 +1,7 @@
bound_service_account_names:
- terraform-artifactapi
bound_service_account_namespaces:
- woodpecker
token_ttl: 600
token_max_ttl: 600
audience: https://kubernetes.default.svc.cluster.local
@@ -0,0 +1,7 @@
bound_service_account_names:
- terraform-authentik
bound_service_account_namespaces:
- woodpecker
token_ttl: 600
token_max_ttl: 600
audience: https://kubernetes.default.svc.cluster.local
@@ -0,0 +1,7 @@
bound_service_account_names:
- terraform-git
bound_service_account_namespaces:
- woodpecker
token_ttl: 600
token_max_ttl: 600
audience: https://kubernetes.default.svc.cluster.local
@@ -0,0 +1,7 @@
bound_service_account_names:
- terraform-prowlarr
bound_service_account_namespaces:
- woodpecker
token_ttl: 600
token_max_ttl: 600
audience: https://kubernetes.default.svc.cluster.local
@@ -0,0 +1,7 @@
bound_service_account_names:
- terraform-radarr
bound_service_account_namespaces:
- woodpecker
token_ttl: 600
token_max_ttl: 600
audience: https://kubernetes.default.svc.cluster.local
@@ -0,0 +1,7 @@
bound_service_account_names:
- terraform-sonarr
bound_service_account_namespaces:
- woodpecker
token_ttl: 600
token_max_ttl: 600
audience: https://kubernetes.default.svc.cluster.local
@@ -0,0 +1,7 @@
bound_service_account_names:
- terraform-vault
bound_service_account_namespaces:
- woodpecker
token_ttl: 600
token_max_ttl: 600
audience: https://kubernetes.default.svc.cluster.local
+13
View File
@@ -185,5 +185,18 @@ locals {
trimsuffix(basename(file_path), ".yaml") => content trimsuffix(basename(file_path), ".yaml") => content
if startswith(file_path, "pki_mount_only/") if startswith(file_path, "pki_mount_only/")
} }
litellm_secret_backend = {
for file_path, content in local.all_configs :
trimsuffix(basename(file_path), ".yaml") => content
if startswith(file_path, "litellm_secret_backend/")
}
litellm_secret_backend_role = {
for file_path, content in local.all_configs :
trimsuffix(replace(file_path, "litellm_secret_backend_role/", ""), ".yaml") => merge(content, {
name = trimsuffix(basename(file_path), ".yaml")
backend = dirname(replace(file_path, "litellm_secret_backend_role/", ""))
})
if startswith(file_path, "litellm_secret_backend_role/")
}
} }
} }
@@ -0,0 +1,5 @@
consul_roles:
- terraform-artifactapi
ttl: 120
max_ttl: 300
datacenters: []
@@ -0,0 +1,5 @@
consul_roles:
- terraform-authentik
ttl: 120
max_ttl: 300
datacenters: []
@@ -0,0 +1,5 @@
consul_roles:
- terraform-git
ttl: 120
max_ttl: 300
datacenters: []
@@ -0,0 +1,5 @@
consul_roles:
- terraform-prowlarr
ttl: 120
max_ttl: 300
datacenters: []
@@ -0,0 +1,5 @@
consul_roles:
- terraform-radarr
ttl: 120
max_ttl: 300
datacenters: []
@@ -0,0 +1,5 @@
consul_roles:
- terraform-sonarr
ttl: 120
max_ttl: 300
datacenters: []
@@ -0,0 +1,6 @@
# Mounts the LiteLLM dynamic secrets engine at "litellm" and writes its config.
# The master key is sensitive and read from KV, not stored here:
# kv/service/vault/au/syd1/secret_backend/litellm -> key "master_key"
description: "LiteLLM dynamic virtual keys"
base_url: "http://litellm.litellm.svc:4000"
request_timeout_seconds: 30
@@ -0,0 +1,10 @@
---
models:
- claude-haiku-4-5
- claude-sonnet-4-6
max_budget: 50
ttl: 3600 # seconds (1h)
max_ttl: 86400 # seconds (24h)
metadata:
team: mailfiltering
env: prod
+2
View File
@@ -68,6 +68,8 @@ inputs = {
kubernetes_secret_backend = local.config.kubernetes_secret_backend kubernetes_secret_backend = local.config.kubernetes_secret_backend
kubernetes_secret_backend_role = local.config.kubernetes_secret_backend_role kubernetes_secret_backend_role = local.config.kubernetes_secret_backend_role
pki_mount_only = local.config.pki_mount_only pki_mount_only = local.config.pki_mount_only
litellm_secret_backend = local.config.litellm_secret_backend
litellm_secret_backend_role = local.config.litellm_secret_backend_role
# Pass policy maps to vault_cluster module # Pass policy maps to vault_cluster module
policy_auth_map = local.policies.policy_auth_map policy_auth_map = local.policies.policy_auth_map
+10
View File
@@ -11,6 +11,12 @@ provider "vault" {
address = local.vault_addr address = local.vault_addr
} }
# The LiteLLM secrets engine is managed through its own provider, which talks to
# the same Vault server. Token falls back to the VAULT_TOKEN environment variable.
provider "litellm" {
address = local.vault_addr
}
terraform { terraform {
backend "consul" { backend "consul" {
address = "https://consul.service.consul" address = "https://consul.service.consul"
@@ -29,6 +35,10 @@ terraform {
source = "hashicorp/consul" source = "hashicorp/consul"
version = "2.23.0" version = "2.23.0"
} }
litellm = {
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/litellmvaultsecret"
version = "0.1.0"
}
} }
} }
EOF EOF
+31
View File
@@ -303,6 +303,37 @@ module "kubernetes_secret_backend_role" {
depends_on = [module.kubernetes_secret_backend] depends_on = [module.kubernetes_secret_backend]
} }
module "litellm_secret_backend" {
source = "./modules/litellm_secret_backend"
for_each = var.litellm_secret_backend
country = var.country
region = var.region
path = each.key
plugin = each.value.plugin
description = each.value.description
base_url = each.value.base_url
request_timeout_seconds = each.value.request_timeout_seconds
}
module "litellm_secret_backend_role" {
source = "./modules/litellm_secret_backend_role"
for_each = var.litellm_secret_backend_role
name = each.value.name
backend = each.value.backend
models = each.value.models
max_budget = each.value.max_budget
key_alias_prefix = each.value.key_alias_prefix
ttl = each.value.ttl
max_ttl = each.value.max_ttl
metadata = each.value.metadata
depends_on = [module.litellm_secret_backend]
}
module "vault_policy" { module "vault_policy" {
source = "./modules/vault_policy" source = "./modules/vault_policy"
@@ -0,0 +1,14 @@
# Expected keys in KV secret: master_key
data "vault_kv_secret_v2" "secret_backend_config" {
mount = "kv"
name = "service/vault/${var.country}/${var.region}/secret_backend/${var.path}"
}
resource "litellm_secret_backend" "this" {
path = var.path
plugin = var.plugin
description = var.description
base_url = var.base_url
master_key = data.vault_kv_secret_v2.secret_backend_config.data["master_key"]
request_timeout_seconds = var.request_timeout_seconds
}
@@ -0,0 +1,13 @@
terraform {
required_version = ">= 1.10"
required_providers {
vault = {
source = "hashicorp/vault"
version = "5.6.0"
}
litellm = {
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/litellmvaultsecret"
version = "0.1.0"
}
}
}
@@ -0,0 +1,37 @@
variable "country" {
description = "Country identifier (used to locate the KV secret holding the master key)"
type = string
}
variable "region" {
description = "Region identifier (used to locate the KV secret holding the master key)"
type = string
}
variable "path" {
description = "Mount path of the LiteLLM secrets engine"
type = string
}
variable "plugin" {
description = "Registered plugin name/type to mount"
type = string
default = "vault-plugin-secrets-litellm"
}
variable "description" {
description = "Human-friendly description of the mount"
type = string
default = null
}
variable "base_url" {
description = "Base URL of the LiteLLM proxy (e.g. http://litellm.litellm.svc:4000)"
type = string
}
variable "request_timeout_seconds" {
description = "HTTP timeout in seconds for calls from the plugin to the LiteLLM proxy"
type = number
default = 30
}
@@ -0,0 +1,10 @@
resource "litellm_secret_backend_role" "this" {
backend = var.backend
name = var.name
models = var.models
max_budget = var.max_budget
key_alias_prefix = var.key_alias_prefix
ttl = var.ttl
max_ttl = var.max_ttl
metadata = var.metadata
}
@@ -0,0 +1,9 @@
terraform {
required_version = ">= 1.10"
required_providers {
litellm = {
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/litellmvaultsecret"
version = "0.1.0"
}
}
}
@@ -0,0 +1,45 @@
variable "name" {
description = "Name of the role"
type = string
}
variable "backend" {
description = "Mount path of the LiteLLM secrets engine this role belongs to"
type = string
}
variable "models" {
description = "Models a generated key may access. Empty means unrestricted"
type = list(string)
default = null
}
variable "max_budget" {
description = "Spending limit applied to each generated key. 0 means unlimited"
type = number
default = null
}
variable "key_alias_prefix" {
description = "Prefix for the auto-generated key alias"
type = string
default = null
}
variable "ttl" {
description = "Default lease TTL in seconds for keys generated from this role"
type = number
default = null
}
variable "max_ttl" {
description = "Maximum lease TTL in seconds for keys generated from this role"
type = number
default = null
}
variable "metadata" {
description = "Metadata attached to each generated key"
type = map(string)
default = null
}
+26
View File
@@ -289,6 +289,32 @@ variable "kubernetes_secret_backend_role" {
default = {} default = {}
} }
variable "litellm_secret_backend" {
description = "Map of LiteLLM secret engines to create (mount + config). The master key is read from KV"
type = map(object({
plugin = optional(string, "vault-plugin-secrets-litellm")
description = optional(string)
base_url = string
request_timeout_seconds = optional(number, 30)
}))
default = {}
}
variable "litellm_secret_backend_role" {
description = "Map of LiteLLM roles to create"
type = map(object({
name = string
backend = string
models = optional(list(string))
max_budget = optional(number)
key_alias_prefix = optional(string)
ttl = optional(number)
max_ttl = optional(number)
metadata = optional(map(string))
}))
default = {}
}
variable "policy_auth_map" { variable "policy_auth_map" {
description = "Map of auth mounts -> auth roles -> policy names" description = "Map of auth mounts -> auth roles -> policy names"
type = map(map(list(string))) type = map(map(list(string)))
+2
View File
@@ -12,3 +12,5 @@ rules:
auth: auth:
approle: approle:
- tf_vault - tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -8,3 +8,5 @@ rules:
auth: auth:
approle: approle:
- tf_vault - tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -21,3 +21,5 @@ rules:
auth: auth:
approle: approle:
- tf_vault - tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -12,3 +12,5 @@ rules:
auth: auth:
approle: approle:
- tf_vault - tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -15,3 +15,5 @@ rules:
auth: auth:
approle: approle:
- tf_vault - tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -9,3 +9,5 @@ rules:
auth: auth:
approle: approle:
- tf_vault - tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -8,3 +8,5 @@ rules:
auth: auth:
approle: approle:
- tf_vault - tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -12,3 +12,5 @@ rules:
auth: auth:
approle: approle:
- tf_vault - tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -14,3 +14,5 @@ rules:
auth: auth:
approle: approle:
- tf_vault - tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -12,3 +12,5 @@ rules:
auth: auth:
approle: approle:
- tf_vault - tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -0,0 +1,11 @@
---
rules:
- path: "consul_root/au/syd1/creds/terraform-artifactapi"
capabilities:
- read
auth:
approle:
- terraform_artifactapi
k8s/au/syd1:
- woodpecker_terraform_artifactapi
@@ -0,0 +1,11 @@
---
rules:
- path: "consul_root/au/syd1/creds/terraform-authentik"
capabilities:
- read
auth:
approle:
- terraform_authentik
k8s/au/syd1:
- woodpecker_terraform_authentik
@@ -0,0 +1,11 @@
---
rules:
- path: "consul_root/au/syd1/creds/terraform-git"
capabilities:
- read
auth:
approle:
- terraform_git
k8s/au/syd1:
- woodpecker_terraform_git
@@ -0,0 +1,11 @@
---
rules:
- path: "consul_root/au/syd1/creds/terraform-prowlarr"
capabilities:
- read
auth:
approle:
- terraform_prowlarr
k8s/au/syd1:
- woodpecker_terraform_prowlarr
@@ -0,0 +1,11 @@
---
rules:
- path: "consul_root/au/syd1/creds/terraform-radarr"
capabilities:
- read
auth:
approle:
- terraform_radarr
k8s/au/syd1:
- woodpecker_terraform_radarr
@@ -0,0 +1,11 @@
---
rules:
- path: "consul_root/au/syd1/creds/terraform-sonarr"
capabilities:
- read
auth:
approle:
- terraform_sonarr
k8s/au/syd1:
- woodpecker_terraform_sonarr
@@ -8,3 +8,5 @@ rules:
auth: auth:
approle: approle:
- tf_vault - tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -12,3 +12,5 @@ rules:
auth: auth:
approle: approle:
- tf_vault - tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -12,3 +12,5 @@ rules:
auth: auth:
approle: approle:
- tf_vault - tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -15,3 +15,5 @@ rules:
auth: auth:
approle: approle:
- tf_vault - tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -8,3 +8,5 @@ rules:
auth: auth:
approle: approle:
- tf_vault - tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -12,3 +12,5 @@ rules:
auth: auth:
approle: approle:
- tf_vault - tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -0,0 +1,12 @@
# Allow reading Gitea admin token
---
rules:
- path: "kv/data/service/gitea/gitadmin/tokens/terraform-git"
capabilities:
- read
auth:
approle:
- terraform_git
k8s/au/syd1:
- woodpecker_terraform_git
@@ -9,3 +9,5 @@ rules:
auth: auth:
approle: approle:
- tf_vault - tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -8,3 +8,5 @@ rules:
auth: auth:
approle: approle:
- tf_vault - tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -8,3 +8,5 @@ rules:
auth: auth:
approle: approle:
- tf_vault - tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -6,5 +6,8 @@ rules:
- read - read
auth: auth:
approle:
- terraform_prowlarr
k8s/au/syd1: k8s/au/syd1:
- media-apps - media-apps
- woodpecker_terraform_prowlarr
@@ -6,5 +6,8 @@ rules:
- read - read
auth: auth:
approle:
- terraform_radarr
k8s/au/syd1: k8s/au/syd1:
- media-apps - media-apps
- woodpecker_terraform_radarr
@@ -6,5 +6,8 @@ rules:
- read - read
auth: auth:
approle:
- terraform_sonarr
k8s/au/syd1: k8s/au/syd1:
- media-apps - media-apps
- woodpecker_terraform_sonarr
@@ -0,0 +1,18 @@
# Allow the Terraform Authentik runner to read:
# - its own Authentik API token (provider auth), and
# - OAuth2/OIDC client secrets that back authentik providers (per target
# service's kv namespace path, via the module's data.vault_kv_secret_v2).
---
rules:
- path: "kv/data/service/terraform/authentik"
capabilities:
- read
- path: "kv/data/kubernetes/namespace/+/default/oauth-credentials"
capabilities:
- read
auth:
approle:
- terraform_authentik
k8s/au/syd1:
- woodpecker_terraform_authentik
@@ -9,3 +9,5 @@ rules:
auth: auth:
approle: approle:
- tf_vault - tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -9,3 +9,5 @@ rules:
auth: auth:
approle: approle:
- tf_vault - tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -9,3 +9,5 @@ rules:
auth: auth:
approle: approle:
- tf_vault - tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -0,0 +1,11 @@
---
rules:
- path: "kv/data/service/woodpecker/tokens/gitadmin"
capabilities:
- read
auth:
approle:
- terraform_git
k8s/au/syd1:
- woodpecker_terraform_git
+26
View File
@@ -0,0 +1,26 @@
# Allow management of the LiteLLM secrets engine (config and roles)
---
rules:
- path: "litellm/config"
capabilities:
- create
- update
- read
- delete
- path: "litellm/roles/*"
capabilities:
- create
- update
- delete
- read
- list
- path: "litellm/roles"
capabilities:
- read
- list
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -12,3 +12,5 @@ rules:
auth: auth:
approle: approle:
- tf_vault - tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -9,3 +9,5 @@ rules:
auth: auth:
approle: approle:
- tf_vault - tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -12,3 +12,5 @@ rules:
auth: auth:
approle: approle:
- tf_vault - tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -12,3 +12,5 @@ rules:
auth: auth:
approle: approle:
- tf_vault - tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -9,3 +9,5 @@ rules:
auth: auth:
approle: approle:
- tf_vault - tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -12,3 +12,5 @@ rules:
auth: auth:
approle: approle:
- tf_vault - tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -12,3 +12,5 @@ rules:
auth: auth:
approle: approle:
- tf_vault - tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -9,3 +9,5 @@ rules:
auth: auth:
approle: approle:
- tf_vault - tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -12,3 +12,5 @@ rules:
auth: auth:
approle: approle:
- tf_vault - tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -12,3 +12,5 @@ rules:
auth: auth:
approle: approle:
- tf_vault - tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -12,3 +12,5 @@ rules:
auth: auth:
approle: approle:
- tf_vault - tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -12,3 +12,5 @@ rules:
auth: auth:
approle: approle:
- tf_vault - tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -12,3 +12,5 @@ rules:
auth: auth:
approle: approle:
- tf_vault - tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -20,3 +20,5 @@ rules:
auth: auth:
approle: approle:
- tf_vault - tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -16,3 +16,5 @@ rules:
auth: auth:
approle: approle:
- tf_vault - tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -16,3 +16,5 @@ rules:
auth: auth:
approle: approle:
- tf_vault - tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -0,0 +1,7 @@
key_prefix "infra/terraform/artifactapi/" {
policy = "write"
}
session_prefix "" {
policy = "write"
}
@@ -0,0 +1,7 @@
key_prefix "infra/terraform/authentik/" {
policy = "write"
}
session_prefix "" {
policy = "write"
}
@@ -0,0 +1,7 @@
key_prefix "infra/terraform/git/" {
policy = "write"
}
session_prefix "" {
policy = "write"
}
@@ -0,0 +1,7 @@
key_prefix "infra/terraform/prowlarr/" {
policy = "write"
}
session_prefix "" {
policy = "write"
}
@@ -0,0 +1,7 @@
key_prefix "infra/terraform/radarr/" {
policy = "write"
}
session_prefix "" {
policy = "write"
}
@@ -0,0 +1,7 @@
key_prefix "infra/terraform/sonarr/" {
policy = "write"
}
session_prefix "" {
policy = "write"
}