Grant vault deployer access to import + manage the gpg engine #88
Reference in New Issue
Block a user
Delete Branch "benvin/gpg-deployer-access"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Why
Applying the gpg mount (#87) needs two grants the deployer (
tf_vaultapprole /woodpecker_terraform_vaultk8s role) doesn't have. terraform-vault registers the plugin itself (vault_plugin→sys/plugins/catalog, a sudo-protected path) and manages keys via the gpgvaultsecret provider (gpg/keys/*). The deployer already hassys/mounts/*but neither of these, so apply would 403 on the plugin registration and ongpg/keyswrites — the same failure mode as #84.Changes
policies/gpg/admin.yamlgranting:create/read/update/delete/sudoonsys/plugins/catalog/secret/vault-plugin-secrets-gpg— to import (register/deregister) the plugin.gpg/keys/*(+gpg/keyslist) — to manage keys.tf_vault(approle) +woodpecker_terraform_vault(k8s/au/syd1), mirroringpolicies/litellm/admin.yaml(#84).Should merge/apply before #87 so the deployer can register the plugin and create the
passkey.