Compare commits


35 Commits

Author SHA1 Message Date
unkinben 65f844cbe1 Fix: add policy binding for forgebot K8s auth role
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
Every K8s auth role needs at least one entry in the policy_auth_map.
Add a policy granting the forgebot role read access to the namespace-
scoped KV path, which the operator SA needs when authenticating with
the forgebot role instead of the default role.
2026-06-08 23:00:35 +10:00
benvin b9632f39e4 Merge branch 'master' into feature/forgebot-vault-access
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline failed
2026-06-08 22:57:54 +10:00
unkinben bb5f6922fa feat: add vault policy for terraform-git webhook secrets (#75)
ci/woodpecker/push/apply Pipeline was successful
## Summary
- Add read policy for kv/data/service/gitea/webhook/* path
- Assigned to terraform_git approle and woodpecker_terraform_git k8s auth role
- Webhook URLs are stored in Vault KV and read at plan/apply time

## Test plan
- [ ] Verify terragrunt plan succeeds for terraform-git after merge

Reviewed-on: #75
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-06-08 22:56:30 +10:00
unkinben f5803605d6 Simplify: use default templated policy for forgebot KV access
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline failed
The default K8s auth policy already provides namespace-scoped access to
kv/data/kubernetes/namespace/{namespace}/{sa}/* via identity templating.
Forgebot secrets should be stored at kv/kubernetes/namespace/forgebot/default/*
instead of kv/service/forgebot/*, eliminating the need for 5 individual
policies. The forgebot K8s auth role is kept for the forgebot-operator SA.
2026-06-08 22:54:58 +10:00
unkinben 2c4d0d7f64 Add Vault access for forgebot service
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was canceled
K8s auth role binding for forgebot namespace (default + forgebot-operator
service accounts) and KV read policies for environment config, LiteLLM
API key, Gitea token, PostgreSQL credentials, and webhook secret.
2026-06-08 22:53:25 +10:00
unkinben a29ff9fe6a fix: use gitadmin woodpecker token path
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
2026-06-08 19:08:12 +10:00
unkinben 12680f93cd feat: replace webhook secrets policy with woodpecker token policy
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
Webhook URLs are now managed by the Woodpecker terraform provider
instead of being stored in Vault. Add read policy for the Woodpecker
API token at kv/data/service/woodpecker/tokens/terraform-git.
2026-06-08 16:17:00 +10:00
unkinben 132e5ea4d9 feat: add vault policy for terraform-git webhook secrets
ci/woodpecker/pr/plan Pipeline failed
ci/woodpecker/pr/pre-commit Pipeline failed
Allow terraform-git to read webhook URLs stored in
kv/data/service/gitea/webhook/* via approle and k8s auth.
2026-06-08 16:11:58 +10:00
benvin 346cf9fa43 feat: manage gitadmin token (#74)
ci/woodpecker/push/apply Pipeline was successful
- add approle for terraform-git
- add policy to read gitadmin token
- update access to the terraform-git consul token

---------

Co-authored-by: Ben Vincent <ben@unkin.net>
Reviewed-on: #74
2026-06-08 15:17:58 +10:00
unkinben 1288057b81 feat: add vault and consul roles for terraform-git (#73)
ci/woodpecker/push/apply Pipeline was successful
## Summary
- Add K8s auth role woodpecker_terraform_git for CI pipeline authentication
- Add consul secret backend role terraform-git for consul state storage tokens
- Add consul ACL policy granting write access to infra/terraform/git/ key prefix
- Add vault policy for reading consul creds at consul_root/au/syd1/creds/terraform-git

## Test plan
- [ ] Verify terragrunt plan succeeds
- [ ] Verify consul ACL policy is created correctly
- [ ] Verify K8s auth role can authenticate from woodpecker namespace

Reviewed-on: #73
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-06-07 20:36:35 +10:00
unkinben 3876fa818d chore: bump almalinux9 image tags (#72)
ci/woodpecker/push/apply Pipeline was successful
Bump almalinux9 image tags to 20260606

Reviewed-on: #72
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-06-07 00:35:30 +10:00
unkinben a548bf1cb1 fix: apply requires plan (#71)
ci/woodpecker/push/apply Pipeline was successful
- ensure make plan runs before make apply when deploying

Reviewed-on: #71
2026-05-22 00:03:08 +10:00
unkinben 93ba86baf3 feat: add apply workflow (#70)
ci/woodpecker/push/apply Pipeline was successful
Reviewed-on: #70
2026-05-21 23:57:25 +10:00
unkinben 098830c10b Merge pull request 'feat: add plan workflow' (#69) from benvin/make-plan-buildwq into master
Reviewed-on: #69
2026-05-21 23:54:07 +10:00
unkinben 9cbac6d3ef feat: add plan workflow
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
- update makefile to enable kubernetes auth or roleid auth
- add plan workflow
- update all policies to allow the terraform-vault kubernetes role
2026-05-21 23:52:30 +10:00
unkinben 73aaaaeb99 Merge pull request 'chore: enable access to gateway.networking.k8s.io' (#68) from benvin/gatewayapi into master
Reviewed-on: #68
2026-05-21 22:42:28 +10:00
unkinben 7c60a5fd53 chore: enable access to gateway.networking.k8s.io
ci/woodpecker/pr/pre-commit Pipeline was successful
2026-05-21 22:39:57 +10:00
unkinben 27f12f183e Merge pull request 'chore: change to specific ci image' (#67) from benvin/ci_image into master
Reviewed-on: #67
2026-03-09 01:16:59 +11:00
unkinben c61434b692 chore: change to specific ci image
ci/woodpecker/pr/pre-commit Pipeline was successful
- almalinux9-opentofu image contains all required tools
2026-03-09 01:14:41 +11:00
unkinben 172ceac2fc Merge pull request 'feat: add templated policies for kubernetes' (#66) from benvin/kubernetes_structured_paths into master
Reviewed-on: #66
2026-03-08 12:57:58 +11:00
unkinben 48a4fd0dd1 feat: add templated policies for kubernetes
ci/woodpecker/pr/pre-commit Pipeline was successful
- add default kubernetes auth role
- add templated access kv/kubernetes/*
2026-03-08 12:48:08 +11:00
unkinben 4dc09547ef Merge pull request 'fix: update audience for rpmbuilder' (#65) from benvin/default_aud into master
Reviewed-on: #65
2026-03-08 12:29:43 +11:00
unkinben 546a9efe44 fix: update audience for rpmbuilder
ci/woodpecker/pr/pre-commit Pipeline was successful
when using the service account jwt directly, the default audience
is the api server's url
2026-03-07 11:31:36 +11:00
unkinben 679cec4bc1 Merge pull request 'feat: add rpmbuilder k8s role' (#64) from benvin/rpmbuilder-in-k8s into master
Reviewed-on: #64
2026-03-07 11:11:23 +11:00
unkinben 71789f9f32 feat: add rpmbuilder k8s role
ci/woodpecker/pr/pre-commit Pipeline was successful
- create rpmbuilder role
- enable access to gitea/github ro-tokens
- enable access to rpmbuilder role from woodpeckerci
2026-03-07 11:06:27 +11:00
unkinben 4cbcec58d3 Merge pull request 'feat: enable woodpecker access to ro tokens' (#63) from benvin/woodpecker_task_access into master
Reviewed-on: #63
2026-03-07 10:52:38 +11:00
unkinben 9c93e185f8 feat: enable woodpecker access to ro tokens
ci/woodpecker/pr/pre-commit Pipeline was successful
- enable woodpecker tasks to access gitea/github read-only tokens
2026-03-07 10:49:39 +11:00
unkinben d6c8474bd3 Merge pull request 'chore: move pgsql password to vault' (#62) from benvin/artifactapi_postgrespassword into master
Reviewed-on: #62
2026-03-06 19:51:25 +11:00
unkinben 42351000ee chore: move pgsql password to vault
ci/woodpecker/pr/pre-commit Pipeline was successful
- no more storing secrets in configmaps
2026-03-06 19:39:36 +11:00
unkinben f7d1330c37 Merge pull request 'chore: add artifactapi k8s role' (#61) from benvin/artifactapi into master
Reviewed-on: #61
2026-03-06 18:57:05 +11:00
unkinben d9e07e432e chore: add artifactapi k8s role
ci/woodpecker/pr/pre-commit Pipeline was successful
- enable access to read artifactapi secrets
2026-03-06 18:53:42 +11:00
unkinben 14a258de7d Merge pull request 'chore: enable access woodpecker-agent-secret' (#60) from benvin/woodpecker_agent_secret into master
Reviewed-on: #60
2026-03-03 23:34:32 +11:00
unkinben be8bcc3743 chore: enable access woodpecker-agent-secret
ci/woodpecker/pr/pre-commit Pipeline was successful
- add policy to access woodpecker-agent-secret
2026-03-03 23:30:49 +11:00
unkinben dc257b1bcd Merge pull request 'feat: add pre-commit check in ci' (#59) from benvin/woodpecker_integration into master
Reviewed-on: #59
2026-02-28 22:28:21 +11:00
unkinben 66119e5207 feat: add pre-commit check in ci
ci/woodpecker/pr/pre-commit Pipeline was successful
- add a ci workflow to verify pre-commit passes
- fix pre-commit errors/warnings:
  - missing required_version
  - missing required_providers
  - fixed terraform_deprecated_interpolation
  - removed terraform_unused_declarations
2026-02-28 21:42:47 +11:00
69 changed files with 319 additions and 31 deletions
+23
View File
@@ -0,0 +1,23 @@
when:
- event: push
branch: master
steps:
- name: apply
image: git.unkin.net/unkin/almalinux9-opentofu:20260606
environment:
VAULT_AUTH_METHOD: kubernetes
commands:
- dnf install vault -y
- make plan
- make apply
backend_options:
kubernetes:
serviceAccountName: terraform-vault
resources:
requests:
memory: 512Mi
cpu: 1
limits:
memory: 2Gi
cpu: 2
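Review bot: `dnf install vault -y` in the apply step installs whatever vault package the repository serves at run time, so the image tag pin on the line above does not pin the CLI that performs the Vault login and handles the tokens; bake vault into the almalinux9-opentofu image or pin a package version so that a push to master runs with a reproducible toolchain.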
+21
View File
@@ -0,0 +1,21 @@
when:
- event: pull_request
steps:
- name: plan
image: git.unkin.net/unkin/almalinux9-opentofu:20260606
environment:
VAULT_AUTH_METHOD: kubernetes
commands:
- dnf install vault -y
- make plan
backend_options:
kubernetes:
serviceAccountName: terraform-vault
resources:
requests:
memory: 512Mi
cpu: 1
limits:
memory: 2Gi
cpu: 2
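Review bot: this step runs `make plan` on every pull_request event with the `terraform-vault` service account, which the policy hunks further down attach to the same policies as the `tf_vault` approle; confirm the Woodpecker project is configured so that pull requests from untrusted sources (forks, unapproved contributors) do not trigger this pipeline, because a plan step runs with the full read access of that role.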
+11 -2
View File
@@ -3,7 +3,16 @@ when:
steps:
- name: pre-commit
image: git.unkin.net/unkin/almalinux9-base:latest
image: git.unkin.net/unkin/almalinux9-opentofu:20260606
commands:
- dnf install uv opentofu terragrunt tflint -y
- uvx pre-commit run --all-files
backend_options:
kubernetes:
serviceAccountName: default
resources:
requests:
memory: 512Mi
cpu: 1
limits:
memory: 2Gi
cpu: 2
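Review bot: the pre-commit step keeps `serviceAccountName: default`, and elsewhere in this compare the `rpmbuilder` Kubernetes auth role binds exactly `default` in the `woodpecker` namespace, so a pull-request lint pod carries a token that Vault accepts for the rpmbuilder role; give this step its own service account (as the plan and apply steps do with `terraform-vault`) so linting runs with no Vault identity at all. Replacing `almalinux9-base:latest` with the `20260606` tag is a good change.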
+11 -2
View File
@@ -1,10 +1,19 @@
.PHONY: init plan apply format
VAULT_AUTH_METHOD ?= approle
VAULT_K8S_ROLE ?= woodpecker_terraform_vault
VAULT_K8S_MOUNT ?= auth/k8s/au/syd1
VAULT_K8S_JWT_PATH ?= /var/run/secrets/kubernetes.io/serviceaccount/token
# Define vault_env function to set up vault environment
define vault_env
@export VAULT_ADDR="https://vault.service.consul:8200" && \
export VAULT_TOKEN=$$(vault write -field=token auth/approle/login role_id=$$VAULT_ROLEID) && \
export CONSUL_HTTP_TOKEN=$$(vault read -format=json consul_root/au/syd1/creds/terraform-vault | jq '.data.token')
if [ "$(VAULT_AUTH_METHOD)" = "kubernetes" ]; then \
export VAULT_TOKEN=$$(vault write -field=token $(VAULT_K8S_MOUNT)/login role=$(VAULT_K8S_ROLE) jwt=$$(cat $(VAULT_K8S_JWT_PATH))); \
else \
export VAULT_TOKEN=$$(vault write -field=token auth/approle/login role_id=$$VAULT_ROLEID); \
fi && \
export CONSUL_HTTP_TOKEN=$$(vault read -field=token consul_root/au/syd1/creds/terraform-vault)
endef
init:
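Review bot: the new kubernetes branch passes the projected service account token on the command line as `jwt=$$(cat $(VAULT_K8S_JWT_PATH))`, so it is visible in `ps` and `/proc` on the node for the duration of the `vault write` call; `vault write` reads a value from a file when it is given with an `@` prefix, so `jwt=@$(VAULT_K8S_JWT_PATH)` keeps the token out of the argument list. Replacing the `jq '.data.token'` line with `-field=token` also removes the surrounding quotes jq emitted into CONSUL_HTTP_TOKEN.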
@@ -0,0 +1,9 @@
token_ttl: 120
token_max_ttl: 120
bind_secret_id: false
token_bound_cidrs:
- "10.10.12.200/32"
- "198.18.25.102/32"
- "198.18.26.91/32"
- "198.18.27.40/32"
use_deterministic_role_id: true
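Review bot: with `bind_secret_id: false` the only thing besides the role_id that gates a login on this approle is `token_bound_cidrs`, and `use_deterministic_role_id: true` implies the role_id is derivable rather than random, so the four listed host addresses are effectively the credential; add a comment stating why secret_id binding is not used for terraform-git and keep the CIDR list as tight as it is (the 120s `token_ttl` helps).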
@@ -0,0 +1,7 @@
bound_service_account_names:
- default
bound_service_account_namespaces:
- artifactapi
token_ttl: 600
token_max_ttl: 600
audience: vault
@@ -0,0 +1,6 @@
bound_service_account_names:
- default
bound_service_account_namespaces: ['*']
token_ttl: 600
token_max_ttl: 600
audience: vault
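Review bot: `bound_service_account_namespaces: ['*']` together with `default` lets the default service account of every namespace, including future ones, log in to this role; that is only safe while the sole policy attached to `default` remains the identity-templated one, so add a comment here stating that no non-templated policy may list `default` under `k8s/au/syd1`.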
@@ -0,0 +1,8 @@
bound_service_account_names:
- default
- forgebot-operator
bound_service_account_namespaces:
- forgebot
token_ttl: 600
token_max_ttl: 600
audience: vault
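Review bot: `default` is listed in `bound_service_account_names`, but commit f5803605d6 says the forgebot role is kept for the forgebot-operator SA, and the wildcard default role already covers `default`; drop `default` here so that the forgebot policy, which reads all of `kv/data/kubernetes/namespace/forgebot/*`, is only reachable by the operator account.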
@@ -0,0 +1,8 @@
# rpmbuilder is deployed in woodpeckerci
bound_service_account_names:
- default
bound_service_account_namespaces:
- woodpecker
token_ttl: 600
token_max_ttl: 600
audience: https://kubernetes.default.svc.cluster.local
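Review bot: binding `default` in the `woodpecker` namespace makes every pipeline step pod that does not set `serviceAccountName` (the pre-commit step in this compare) eligible for the rpmbuilder role; create a dedicated `rpmbuilder` service account and bind that instead, as the terraform-git and terraform-vault roles below do. The API server audience is consistent with commit 546a9efe44, which notes that a mounted SA token carries that audience by default.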
@@ -0,0 +1,7 @@
bound_service_account_names:
- terraform-git
bound_service_account_namespaces:
- woodpecker
token_ttl: 600
token_max_ttl: 600
audience: https://kubernetes.default.svc.cluster.local
@@ -0,0 +1,7 @@
bound_service_account_names:
- terraform-vault
bound_service_account_namespaces:
- woodpecker
token_ttl: 600
token_max_ttl: 600
audience: https://kubernetes.default.svc.cluster.local
@@ -0,0 +1,5 @@
consul_roles:
- terraform-git
ttl: 120
max_ttl: 300
datacenters: []
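Review bot: `ttl: 120` / `max_ttl: 300` bound the lease of the Consul token that terraform-git uses for state access, so a plan or apply that runs past five minutes loses its state token mid-run, and past two minutes unless the lease is renewed; either size the TTL to the job's worst-case runtime or have the Makefile renew the lease, and document the choice next to these values.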
+11
View File
@@ -0,0 +1,11 @@
rule "terraform_required_providers" {
enabled = false
}
rule "terraform_required_version" {
enabled = false
}
rule "terraform_unused_declarations" {
enabled = false
}
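Review bot: disabling `terraform_required_providers` and `terraform_required_version` switches off the only lint that enforces provider and core version constraints, which is what keeps plan and apply reproducible; commit 66119e5207 says the missing required_version and required_providers were fixed, so those two rules should be able to stay enabled, with at most `terraform_unused_declarations` left off.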
-2
View File
@@ -265,7 +265,6 @@ module "consul_secret_backend_role" {
name = each.value.name
backend = each.value.backend
consul_roles = each.value.consul_roles
ttl = each.value.ttl
max_ttl = each.value.max_ttl
local = each.value.local
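Review bot: `consul_roles = each.value.consul_roles` is dropped from `module "consul_secret_backend_role"` (and the module variable is removed below), yet the new `terraform-git` consul role definition in this compare sets `consul_roles: [terraform-git]`; unless the module now reads that key another way it is silently ignored and the generated Consul tokens would carry no role, so reconcile the role file and the module inputs.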
@@ -321,7 +320,6 @@ module "pki_mount_only" {
path = each.key
description = each.value.description
max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
issuer_ref = each.value.issuer_ref
issuing_certificates = each.value.issuing_certificates
crl_distribution_points = each.value.crl_distribution_points
ocsp_servers = each.value.ocsp_servers
@@ -9,12 +9,6 @@ variable "name" {
}
variable "consul_roles" {
description = "List of Consul roles to attach to tokens"
type = list(string)
default = []
}
variable "ttl" {
description = "TTL for generated tokens"
@@ -13,11 +13,6 @@ variable "max_lease_ttl_seconds" {
type = number
}
variable "issuer_ref" {
description = "Reference to the PKI issuer (default, or issuer ID/name)"
type = string
default = "default"
}
variable "issuing_certificates" {
description = "List of URLs for issuing certificates"
@@ -61,12 +61,6 @@ variable "enable_templating" {
default = false
}
variable "default_issuer_ref" {
description = "Reference to the default issuer"
type = string
default = null
}
variable "default_follows_latest_issuer" {
description = "Whether the default issuer should follow the latest issuer"
type = bool
-1
View File
@@ -203,7 +203,6 @@ variable "pki_mount_only" {
type = map(object({
description = optional(string)
max_lease_ttl_seconds = optional(number, 315360000)
issuer_ref = optional(string, "default")
issuing_certificates = optional(list(string), [])
crl_distribution_points = optional(list(string), [])
ocsp_servers = optional(list(string), [])
+2
View File
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
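Review bot: this and the identical two-line hunks across the remaining policy files attach the `woodpecker_terraform_vault` Kubernetes role to every policy the `tf_vault` approle holds, so the CI service account becomes a full equivalent of the approle with a 600s token and no CIDR bound; that is what the plan and apply workflows need, but it belongs in the PR description, and a single shared alias list in the policy map builder would avoid maintaining the many repeated copies.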
+2
View File
@@ -8,3 +8,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -21,3 +21,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -15,3 +15,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -9,3 +9,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -8,3 +8,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -14,3 +14,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -0,0 +1,11 @@
---
rules:
- path: "consul_root/au/syd1/creds/terraform-git"
capabilities:
- read
auth:
approle:
- terraform_git
k8s/au/syd1:
- woodpecker_terraform_git
@@ -8,3 +8,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -15,3 +15,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -8,3 +8,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+16
View File
@@ -0,0 +1,16 @@
# Templated access to kv secrets for kubernetes
#
# kv/kubernetes/namespace/<namespace>/<service_account>
# kv/kubernetes/cluster/<cluster>/<namespace>/<service_account>
---
rules:
- path: "kv/data/kubernetes/namespace/{{identity.entity.aliases.auth_kubernetes_ac24966b.metadata.service_account_namespace}}/{{identity.entity.aliases.auth_kubernetes_ac24966b.metadata.service_account_name}}/*"
capabilities:
- read
- path: "kv/data/kubernetes/cluster/au/syd1/{{identity.entity.aliases.auth_kubernetes_ac24966b.metadata.service_account_namespace}}/{{identity.entity.aliases.auth_kubernetes_ac24966b.metadata.service_account_name}}/*"
capabilities:
- read
auth:
k8s/au/syd1:
- default
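Review bot: both templated paths hard-code the mount accessor `auth_kubernetes_ac24966b`; if the `k8s/au/syd1` auth mount is ever disabled and re-enabled the accessor changes and this policy silently grants nothing, so derive it from the `accessor` attribute of the `vault_auth_backend` resource instead of pasting it. The header comment describes `kv/kubernetes/cluster/<cluster>/...`, but the second rule hard-codes `au/syd1`; either template the cluster as well or adjust the comment.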
@@ -0,0 +1,10 @@
# Allow reading environment variables for artifactapi
---
rules:
- path: "kv/data/service/artifactapi/environment"
capabilities:
- read
auth:
k8s/au/syd1:
- artifactapi
@@ -0,0 +1,10 @@
# Allow reading environment vars for postgres/artifactapi
---
rules:
- path: "kv/data/service/artifactapi/postgres-password"
capabilities:
- read
auth:
k8s/au/syd1:
- artifactapi
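Review bot: the header comment says "environment vars for postgres/artifactapi" while the rule grants read on `.../artifactapi/postgres-password`; update the comment so the policy file describes what it actually allows.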
@@ -0,0 +1,9 @@
---
rules:
- path: "kv/data/kubernetes/namespace/forgebot/*"
capabilities:
- read
auth:
k8s/au/syd1:
- forgebot
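Review bot: `kv/data/kubernetes/namespace/forgebot/*` gives every service account bound to the forgebot role read on the whole namespace subtree, so the `default` SA can read `.../forgebot/forgebot-operator/*` and vice versa, which is broader than the per-SA scoping the templated default policy already provides; if the operator only needs its own secrets the templated policy suffices and this file can go, otherwise narrow the path to `.../forgebot/forgebot-operator/*`. The file also lacks the header comment the other policy files carry.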
@@ -0,0 +1,12 @@
# Allow reading Gitea admin token
---
rules:
- path: "kv/data/service/gitea/gitadmin/tokens/terraform-git"
capabilities:
- read
auth:
approle:
- terraform_git
k8s/au/syd1:
- woodpecker_terraform_git
@@ -8,3 +8,5 @@ rules:
auth:
approle:
- rpmbuilder
k8s/au/syd1:
- rpmbuilder
@@ -8,3 +8,5 @@ rules:
auth:
approle:
- rpmbuilder
k8s/au/syd1:
- rpmbuilder
@@ -9,3 +9,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -8,3 +8,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -8,3 +8,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -9,3 +9,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -9,3 +9,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -9,3 +9,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -0,0 +1,11 @@
---
rules:
- path: "kv/data/service/woodpecker/tokens/gitadmin"
capabilities:
- read
auth:
approle:
- terraform_git
k8s/au/syd1:
- woodpecker_terraform_git
@@ -0,0 +1,10 @@
# Allow reading woodpecker agent secret for auto joining more agents
---
rules:
- path: "kv/data/service/woodpecker/woodpecker-agent-secret"
capabilities:
- read
auth:
k8s/au/syd1:
- woodpecker
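Review bot: the `woodpecker` Kubernetes auth role this policy references is not defined anywhere in this compare; confirm it exists and that it binds the agent's own service account rather than `default`, since the comment says this secret is what lets further agents join the server.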
+2
View File
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -9,3 +9,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -9,3 +9,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -9,3 +9,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -12,3 +12,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -20,3 +20,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -16,3 +16,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
+2
View File
@@ -16,3 +16,5 @@ rules:
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -0,0 +1,7 @@
key_prefix "infra/terraform/git/" {
policy = "write"
}
session_prefix "" {
policy = "write"
}
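Review bot: `session_prefix "" { policy = "write" }` is the cluster-wide session permission Terraform's consul backend needs for state locking, so it is expected, but unlike `key_prefix` it is not scoped to this project; add a comment stating that `key_prefix "infra/terraform/git/"` is the actual boundary for terraform-git and that no `key_prefix ""` rule is to be added to this policy.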
@@ -21,6 +21,7 @@ rules:
- "logstash.k8s.elastic.co"
- "elasticsearch.k8s.elastic.co"
- "kibana.k8s.elastic.co"
- "gateway.networking.k8s.io"
resources:
- "*"
verbs:
@@ -21,6 +21,7 @@ rules:
- "logstash.k8s.elastic.co"
- "elasticsearch.k8s.elastic.co"
- "kibana.k8s.elastic.co"
- "gateway.networking.k8s.io"
resources:
- "*"
verbs: