11 Commits

Author SHA1 Message Date
unkinben 36d7afbb65 feat: add vault/consul config for media terraform repos (#79)
ci/woodpecker/push/apply Pipeline was successful
Add Kubernetes auth roles, AppRole configs, Consul secret backend roles, Consul ACL policies, and Vault kv read policies for terraform-sonarr, terraform-radarr, and terraform-prowlarr.

Reviewed-on: #79
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-06-28 22:03:25 +10:00
unkinben c33dcdc447 Add auth and state access for terraform-authentik (#78)
ci/woodpecker/push/apply Pipeline was successful
## Summary
- K8s auth role for Woodpecker CI (`terraform-authentik` SA in `woodpecker` namespace)
- AppRole for local terraform runs
- Consul secret backend role (`terraform-authentik`, TTL 120/300)
- Consul ACL policy for `infra/terraform/authentik/` key prefix
- Vault policy granting both auth methods access to Consul creds

Reviewed-on: #78
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-06-28 01:17:51 +10:00
benvin be9bd96cf3 feat: enable consul state store for artifactapi (#77)
ci/woodpecker/push/apply Pipeline was successful
enable the terraform-artifactapi system to manage its state in consul
using dynamic credentials from kubernetes ci jobs in woodpecker

---------

Co-authored-by: Ben Vincent <ben@unkin.net>
Reviewed-on: #77
2026-06-17 21:42:25 +10:00
unkinben bb5f6922fa feat: add vault policy for terraform-git webhook secrets (#75)
ci/woodpecker/push/apply Pipeline was successful
## Summary
- Add read policy for kv/data/service/gitea/webhook/* path
- Assigned to terraform_git approle and woodpecker_terraform_git k8s auth role
- Webhook URLs are stored in Vault KV and read at plan/apply time

## Test plan
- [ ] Verify terragrunt plan succeeds for terraform-git after merge

Reviewed-on: #75
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-06-08 22:56:30 +10:00
benvin 346cf9fa43 feat: manage gitadmin token (#74)
ci/woodpecker/push/apply Pipeline was successful
- add approle for terraform-git
- add policy to read gitadmin token
- update access to the terraform-git consul token

---------

Co-authored-by: Ben Vincent <ben@unkin.net>
Reviewed-on: #74
2026-06-08 15:17:58 +10:00
unkinben 1288057b81 feat: add vault and consul roles for terraform-git (#73)
ci/woodpecker/push/apply Pipeline was successful
## Summary
- Add K8s auth role woodpecker_terraform_git for CI pipeline authentication
- Add consul secret backend role terraform-git for consul state storage tokens
- Add consul ACL policy granting write access to infra/terraform/git/ key prefix
- Add vault policy for reading consul creds at consul_root/au/syd1/creds/terraform-git

## Test plan
- [ ] Verify terragrunt plan succeeds
- [ ] Verify consul ACL policy is created correctly
- [ ] Verify K8s auth role can authenticate from woodpecker namespace

Reviewed-on: #73
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-06-07 20:36:35 +10:00
unkinben 3876fa818d chore: bump almalinux9 image tags (#72)
ci/woodpecker/push/apply Pipeline was successful
Bump almalinux9 image tags to 20260606

Reviewed-on: #72
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-06-07 00:35:30 +10:00
unkinben a548bf1cb1 fix: apply requires plan (#71)
ci/woodpecker/push/apply Pipeline was successful
- ensure make plan runs before make apply when deploying

Reviewed-on: #71
2026-05-22 00:03:08 +10:00
unkinben 93ba86baf3 feat: add apply workflow (#70)
ci/woodpecker/push/apply Pipeline was successful
Reviewed-on: #70
2026-05-21 23:57:25 +10:00
unkinben 098830c10b Merge pull request 'feat: add plan workflow' (#69) from benvin/make-plan-buildwq into master
Reviewed-on: #69
2026-05-21 23:54:07 +10:00
unkinben 9cbac6d3ef feat: add plan workflow
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
- update makefile to enable kubernetes auth or roleid auth
- add plan workflow
- update all policies to allow the terraform-vault kubernetes role
2026-05-21 23:52:30 +10:00
78 changed files with 415 additions and 3 deletions
+23
@@ -0,0 +1,23 @@
when:
- event: push
branch: master
steps:
- name: apply
image: git.unkin.net/unkin/almalinux9-opentofu:20260606
environment:
VAULT_AUTH_METHOD: kubernetes
commands:
- dnf install vault -y
- make plan
- make apply
backend_options:
kubernetes:
serviceAccountName: terraform-vault
resources:
requests:
memory: 512Mi
cpu: 1
limits:
memory: 2Gi
cpu: 2
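Review bot: `dnf install vault -y` in the apply step pulls an unpinned package from the network on every push to master, so the binary that logs in to Vault and reads Consul credentials is not part of the reviewed, tag-pinned image; bake the vault CLI into `git.unkin.net/unkin/almalinux9-opentofu` (already pinned to 20260606) or pin the package version. Also, `make plan` followed by `make apply` means the plan actually applied is a fresh one computed on master rather than the one reviewed on the pull request, unless the Makefile's apply target consumes a saved plan file (not shown in this diff); if the reviewed plan should be the applied plan, save the plan artifact in the PR pipeline and apply that.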
+21
@@ -0,0 +1,21 @@
when:
- event: pull_request
steps:
- name: plan
image: git.unkin.net/unkin/almalinux9-opentofu:20260606
environment:
VAULT_AUTH_METHOD: kubernetes
commands:
- dnf install vault -y
- make plan
backend_options:
kubernetes:
serviceAccountName: terraform-vault
resources:
requests:
memory: 512Mi
cpu: 1
limits:
memory: 2Gi
cpu: 2
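Review bot: this pull_request pipeline runs under the same `terraform-vault` service account, and therefore the same `woodpecker_terraform_vault` Vault role, as the apply pipeline, so a plan triggered by any pull request receives every policy the apply step has (the policy hunks in this diff add that role next to `tf_vault` everywhere). Plan needs far less than apply: a second service account and Vault role bound to a narrower policy set for PR builds would keep a malicious or mistaken pull request from holding apply-level credentials, and it is worth confirming whether pull requests from forks or untrusted branches can reach this pipeline at all.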
+11 -1
@@ -3,6 +3,16 @@ when:
steps:
- name: pre-commit
image: git.unkin.net/unkin/almalinux9-opentofu:20260308
image: git.unkin.net/unkin/almalinux9-opentofu:20260606
commands:
- uvx pre-commit run --all-files
backend_options:
kubernetes:
serviceAccountName: default
resources:
requests:
memory: 512Mi
cpu: 1
limits:
memory: 2Gi
cpu: 2
+11 -2
@@ -1,10 +1,19 @@
.PHONY: init plan apply format
VAULT_AUTH_METHOD ?= approle
VAULT_K8S_ROLE ?= woodpecker_terraform_vault
VAULT_K8S_MOUNT ?= auth/k8s/au/syd1
VAULT_K8S_JWT_PATH ?= /var/run/secrets/kubernetes.io/serviceaccount/token
# Define vault_env function to set up vault environment
define vault_env
@export VAULT_ADDR="https://vault.service.consul:8200" && \
export VAULT_TOKEN=$$(vault write -field=token auth/approle/login role_id=$$VAULT_ROLEID) && \
export CONSUL_HTTP_TOKEN=$$(vault read -format=json consul_root/au/syd1/creds/terraform-vault | jq '.data.token')
if [ "$(VAULT_AUTH_METHOD)" = "kubernetes" ]; then \
export VAULT_TOKEN=$$(vault write -field=token $(VAULT_K8S_MOUNT)/login role=$(VAULT_K8S_ROLE) jwt=$$(cat $(VAULT_K8S_JWT_PATH))); \
else \
export VAULT_TOKEN=$$(vault write -field=token auth/approle/login role_id=$$VAULT_ROLEID); \
fi && \
export CONSUL_HTTP_TOKEN=$$(vault read -field=token consul_root/au/syd1/creds/terraform-vault)
endef
init:
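Review bot: in the kubernetes branch the service-account JWT is substituted into the command line via `jwt=$$(cat $(VAULT_K8S_JWT_PATH))`, which exposes the token to anything that can read the process table in the container and to shell tracing; `vault write` reads a value from a file when it is given as `jwt=@$(VAULT_K8S_JWT_PATH)`, so use that form. Replacing `jq '.data.token'` with `-field=token` on the Consul read is a genuine fix, since the old form left JSON quotes inside `CONSUL_HTTP_TOKEN`. One more point: neither branch fails the recipe when the login returns nothing, because `export VAR=$$(...)` succeeds regardless of the subshell's exit status; a guard such as `test -n "$$VAULT_TOKEN"` after each login would stop a plan from running with an empty token and a confusing error later.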
@@ -0,0 +1,9 @@
token_ttl: 120
token_max_ttl: 120
bind_secret_id: false
token_bound_cidrs:
- "10.10.12.200/32"
- "198.18.25.102/32"
- "198.18.26.91/32"
- "198.18.27.40/32"
use_deterministic_role_id: true
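Review bot: with `bind_secret_id: false` and a deterministic role_id, nothing secret is presented at login, so the four `/32` entries in `token_bound_cidrs` are the entire security boundary for this role and deserve a comment naming what each host is. Note that `token_bound_cidrs` restricts where the issued token may be used, not where the login may come from, and `secret_id_bound_cidrs` does not apply once secret_id is disabled; if the intent is to also reject logins from elsewhere, that rests on `token_bound_cidrs` alone. The same applies to the other five identical AppRole hunks in this diff.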
@@ -0,0 +1,9 @@
token_ttl: 120
token_max_ttl: 120
bind_secret_id: false
token_bound_cidrs:
- "10.10.12.200/32"
- "198.18.25.102/32"
- "198.18.26.91/32"
- "198.18.27.40/32"
use_deterministic_role_id: true
@@ -0,0 +1,9 @@
token_ttl: 120
token_max_ttl: 120
bind_secret_id: false
token_bound_cidrs:
- "10.10.12.200/32"
- "198.18.25.102/32"
- "198.18.26.91/32"
- "198.18.27.40/32"
use_deterministic_role_id: true
@@ -0,0 +1,9 @@
token_ttl: 120
token_max_ttl: 120
bind_secret_id: false
token_bound_cidrs:
- "10.10.12.200/32"
- "198.18.25.102/32"
- "198.18.26.91/32"
- "198.18.27.40/32"
use_deterministic_role_id: true
@@ -0,0 +1,9 @@
token_ttl: 120
token_max_ttl: 120
bind_secret_id: false
token_bound_cidrs:
- "10.10.12.200/32"
- "198.18.25.102/32"
- "198.18.26.91/32"
- "198.18.27.40/32"
use_deterministic_role_id: true
@@ -0,0 +1,9 @@
token_ttl: 120
token_max_ttl: 120
bind_secret_id: false
token_bound_cidrs:
- "10.10.12.200/32"
- "198.18.25.102/32"
- "198.18.26.91/32"
- "198.18.27.40/32"
use_deterministic_role_id: true
@@ -0,0 +1,7 @@
bound_service_account_names:
- terraform-artifactapi
bound_service_account_namespaces:
- woodpecker
token_ttl: 600
token_max_ttl: 600
audience: https://kubernetes.default.svc.cluster.local
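Review bot: binding `audience` to `https://kubernetes.default.svc.cluster.local` is the right call, because it prevents a projected token issued for some other audience from being replayed against Vault; a comment stating that the default mounted service-account token carries that audience would help the next reader. The effective gate is `bound_service_account_namespaces: woodpecker` plus the account name, and the plan/apply pipelines pick the account through `backend_options.kubernetes.serviceAccountName` in repo-controlled YAML; confirm the Woodpecker agent restricts which service accounts a pipeline may request, otherwise any pipeline in the `woodpecker` namespace can select `terraform-vault` and obtain this role. Same structure in all six Kubernetes role hunks.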
@@ -0,0 +1,7 @@
bound_service_account_names:
- terraform-authentik
bound_service_account_namespaces:
- woodpecker
token_ttl: 600
token_max_ttl: 600
audience: https://kubernetes.default.svc.cluster.local
@@ -0,0 +1,7 @@
bound_service_account_names:
- terraform-git
bound_service_account_namespaces:
- woodpecker
token_ttl: 600
token_max_ttl: 600
audience: https://kubernetes.default.svc.cluster.local
@@ -0,0 +1,7 @@
bound_service_account_names:
- terraform-prowlarr
bound_service_account_namespaces:
- woodpecker
token_ttl: 600
token_max_ttl: 600
audience: https://kubernetes.default.svc.cluster.local
@@ -0,0 +1,7 @@
bound_service_account_names:
- terraform-radarr
bound_service_account_namespaces:
- woodpecker
token_ttl: 600
token_max_ttl: 600
audience: https://kubernetes.default.svc.cluster.local
@@ -0,0 +1,7 @@
bound_service_account_names:
- terraform-sonarr
bound_service_account_namespaces:
- woodpecker
token_ttl: 600
token_max_ttl: 600
audience: https://kubernetes.default.svc.cluster.local
@@ -0,0 +1,7 @@
bound_service_account_names:
- terraform-vault
bound_service_account_namespaces:
- woodpecker
token_ttl: 600
token_max_ttl: 600
audience: https://kubernetes.default.svc.cluster.local
@@ -0,0 +1,5 @@
consul_roles:
- terraform-artifactapi
ttl: 120
max_ttl: 300
datacenters: []
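Review bot: `ttl: 120` with `max_ttl: 300` caps a Consul token at five minutes even with renewal, and the Makefile hunk above renews nothing, so the token backing the state backend is revoked with its lease 120 seconds after the `vault read ... creds/...`; a `make apply` that runs longer than that can lose the ability to write state or release its lock mid-run. Either size `ttl` to the longest expected apply or renew the lease from the recipe while the run is in progress. Same values in all six Consul role hunks.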
@@ -0,0 +1,5 @@
consul_roles:
- terraform-authentik
ttl: 120
max_ttl: 300
datacenters: []
@@ -0,0 +1,5 @@
consul_roles:
- terraform-git
ttl: 120
max_ttl: 300
datacenters: []
@@ -0,0 +1,5 @@
consul_roles:
- terraform-prowlarr
ttl: 120
max_ttl: 300
datacenters: []
@@ -0,0 +1,5 @@
consul_roles:
- terraform-radarr
ttl: 120
max_ttl: 300
datacenters: []
@@ -0,0 +1,5 @@
consul_roles:
- terraform-sonarr
ttl: 120
max_ttl: 300
datacenters: []
+2
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
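Review bot: the same two-line addition (`k8s/au/syd1:` / `- woodpecker_terraform_vault`) is repeated across roughly forty policy files in this diff, each granting the CI role the full rights of the `tf_vault` AppRole; a single shared list of principals referenced from each policy would keep the two in step and make a later role rename, or a split into plan and apply roles, a one-file change instead of forty. Nothing here is wrong, but it is the kind of duplication that drifts.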
+2
@@ -8,3 +8,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -21,3 +21,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -15,3 +15,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -9,3 +9,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -8,3 +8,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -14,3 +14,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -0,0 +1,11 @@
---
rules:
- path: "consul_root/au/syd1/creds/terraform-artifactapi"
capabilities:
- read
auth:
approle:
- terraform_artifactapi
k8s/au/syd1:
- woodpecker_terraform_artifactapi
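Review bot: `read` on `consul_root/au/syd1/creds/terraform-artifactapi` is a lease-generating read, so every `make plan` or `make apply` mints a fresh Consul token; that is fine with the 120 second TTL in the Consul role hunk, but a comment saying so would stop someone later raising that TTL to hours and leaving tokens to accumulate. The AppRole is spelt `terraform_artifactapi` while the service account and Consul role are `terraform-artifactapi`; one spelling across all three would make grepping for a principal simpler. The same applies to the five sibling creds policies.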
@@ -0,0 +1,11 @@
---
rules:
- path: "consul_root/au/syd1/creds/terraform-authentik"
capabilities:
- read
auth:
approle:
- terraform_authentik
k8s/au/syd1:
- woodpecker_terraform_authentik
@@ -0,0 +1,11 @@
---
rules:
- path: "consul_root/au/syd1/creds/terraform-git"
capabilities:
- read
auth:
approle:
- terraform_git
k8s/au/syd1:
- woodpecker_terraform_git
@@ -0,0 +1,11 @@
---
rules:
- path: "consul_root/au/syd1/creds/terraform-prowlarr"
capabilities:
- read
auth:
approle:
- terraform_prowlarr
k8s/au/syd1:
- woodpecker_terraform_prowlarr
@@ -0,0 +1,11 @@
---
rules:
- path: "consul_root/au/syd1/creds/terraform-radarr"
capabilities:
- read
auth:
approle:
- terraform_radarr
k8s/au/syd1:
- woodpecker_terraform_radarr
@@ -0,0 +1,11 @@
---
rules:
- path: "consul_root/au/syd1/creds/terraform-sonarr"
capabilities:
- read
auth:
approle:
- terraform_sonarr
k8s/au/syd1:
- woodpecker_terraform_sonarr
@@ -8,3 +8,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -15,3 +15,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -8,3 +8,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -0,0 +1,12 @@
# Allow reading Gitea admin token
---
rules:
- path: "kv/data/service/gitea/gitadmin/tokens/terraform-git"
capabilities:
- read
auth:
approle:
- terraform_git
k8s/au/syd1:
- woodpecker_terraform_git
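Review bot: the comment says "Allow reading" and the policy grants only `read` on `kv/data/service/gitea/gitadmin/tokens/terraform-git`, while the commit list carries "feat: manage gitadmin token (#74)"; if terraform-git is meant to create or rotate the token, `read` alone will not do it, so either the management side lives elsewhere or this needs `create`/`update` as well. A Gitea admin token is a broad credential, and this policy exposes it to both the local AppRole and the CI Kubernetes role; a token scoped to what terraform-git actually does in Gitea would limit the damage from a leaked CI token.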
@@ -9,3 +9,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -8,3 +8,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -8,3 +8,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -6,5 +6,8 @@ rules:
- read
auth:
approle:
- terraform_prowlarr
k8s/au/syd1:
- media-apps
- woodpecker_terraform_prowlarr
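Review bot: `media-apps` is the runtime Kubernetes role for the applications and `woodpecker_terraform_prowlarr` is the CI role, and after this change both are granted by the same policy; any path later added for the running app is automatically available to the CI job and vice versa. Split this into an app policy and a terraform policy even if they overlap today. Same pattern in the radarr and sonarr hunks that follow.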
@@ -6,5 +6,8 @@ rules:
- read
auth:
approle:
- terraform_radarr
k8s/au/syd1:
- media-apps
- woodpecker_terraform_radarr
@@ -6,5 +6,8 @@ rules:
- read
auth:
approle:
- terraform_sonarr
k8s/au/syd1:
- media-apps
- woodpecker_terraform_sonarr
@@ -9,3 +9,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -9,3 +9,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -9,3 +9,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -0,0 +1,11 @@
---
rules:
- path: "kv/data/service/woodpecker/tokens/gitadmin"
capabilities:
- read
auth:
approle:
- terraform_git
k8s/au/syd1:
- woodpecker_terraform_git
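Review bot: this is the second policy in the diff granting `terraform_git` / `woodpecker_terraform_git` read on a gitadmin token, the other being `kv/data/service/gitea/gitadmin/tokens/terraform-git`; if these are two copies of the same credential, one of them should go, and if they are different tokens a comment like the one on the gitea policy would save the next reader a search.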
+2
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -9,3 +9,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -9,3 +9,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -9,3 +9,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -20,3 +20,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -16,3 +16,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
@@ -16,3 +16,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -0,0 +1,7 @@
key_prefix "infra/terraform/artifactapi/" {
policy = "write"
}
session_prefix "" {
policy = "write"
}
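Review bot: `key_prefix "infra/terraform/artifactapi/"` keeps the state scoped to one repo, which is the point of a per-repo token; `session_prefix ""` with `write` is what the Terraform Consul backend needs to create its lock session, but with an empty prefix it permits sessions on every node. If the CI jobs always talk to a known set of agents, naming those nodes narrows it; if not, a comment explaining why the prefix is empty would stop someone later "fixing" it. Same content in the other five Consul ACL hunks.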
@@ -0,0 +1,7 @@
key_prefix "infra/terraform/authentik/" {
policy = "write"
}
session_prefix "" {
policy = "write"
}
@@ -0,0 +1,7 @@
key_prefix "infra/terraform/git/" {
policy = "write"
}
session_prefix "" {
policy = "write"
}
@@ -0,0 +1,7 @@
key_prefix "infra/terraform/prowlarr/" {
policy = "write"
}
session_prefix "" {
policy = "write"
}
@@ -0,0 +1,7 @@
key_prefix "infra/terraform/radarr/" {
policy = "write"
}
session_prefix "" {
policy = "write"
}
@@ -0,0 +1,7 @@
key_prefix "infra/terraform/sonarr/" {
policy = "write"
}
session_prefix "" {
policy = "write"
}