From 132e5ea4d9ab0e816fe88a3aec48145a88264ba0 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Mon, 8 Jun 2026 16:11:58 +1000 Subject: [PATCH 1/3] feat: add vault policy for terraform-git webhook secrets Allow terraform-git to read webhook URLs stored in kv/data/service/gitea/webhook/* via approle and k8s auth. --- policies/kv/service/gitea/webhook.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 policies/kv/service/gitea/webhook.yaml diff --git a/policies/kv/service/gitea/webhook.yaml b/policies/kv/service/gitea/webhook.yaml new file mode 100644 index 0000000..b6ea85a --- /dev/null +++ b/policies/kv/service/gitea/webhook.yaml @@ -0,0 +1,11 @@ +--- +rules: + - path: "kv/data/service/gitea/webhook/*" + capabilities: + - read + +auth: + approle: + - terraform_git + k8s/au/syd1: + - woodpecker_terraform_git -- 2.47.3 From 12680f93cd689ab88ae05b5213dcd944d2b97267 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Mon, 8 Jun 2026 16:17:00 +1000 Subject: [PATCH 2/3] feat: replace webhook secrets policy with woodpecker token policy Webhook URLs are now managed by the Woodpecker terraform provider instead of being stored in Vault. Add read policy for the Woodpecker API token at kv/data/service/woodpecker/tokens/terraform-git. --- .../webhook.yaml => woodpecker/tokens/terraform-git.yaml} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename policies/kv/service/{gitea/webhook.yaml => woodpecker/tokens/terraform-git.yaml} (67%) diff --git a/policies/kv/service/gitea/webhook.yaml b/policies/kv/service/woodpecker/tokens/terraform-git.yaml similarity index 67% rename from policies/kv/service/gitea/webhook.yaml rename to policies/kv/service/woodpecker/tokens/terraform-git.yaml index b6ea85a..372f7f9 100644 --- a/policies/kv/service/gitea/webhook.yaml +++ b/policies/kv/service/woodpecker/tokens/terraform-git.yaml 
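Review bot: The trailing glob in `path: "kv/data/service/gitea/webhook/*"` grants `read` on every secret at any depth under `webhook/` (a Vault policy glob matches across `/`), so any secret later written under that prefix becomes readable by both identities in the `auth:` block without a further policy change. If terraform-git only needs a known set of webhook entries, list them explicitly; if the whole subtree is intended, say so above the rule, e.g. `# entire webhook/ subtree is intentionally readable by terraform-git`. The `auth:` block binds the approle `terraform_git` and the `k8s/au/syd1` role `woodpecker_terraform_git` to the identical grant; how these YAML keys are rendered into Vault policies and role bindings is not visible here, so confirm both identities are meant to have the same access. Patches 2 and 3 in this series rename this file and change only the `path` line, so the same `auth:` block survives into the final `gitadmin.yaml`.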
@@ -1,6 +1,6 @@ --- rules: - - path: "kv/data/service/gitea/webhook/*" + - path: "kv/data/service/woodpecker/tokens/terraform-git" capabilities: - read -- 2.47.3 From a29ff9fe6a045a744098ff97bb74dd7ed63bd96a Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Mon, 8 Jun 2026 19:08:12 +1000 Subject: [PATCH 3/3] fix: use gitadmin woodpecker token path --- .../woodpecker/tokens/{terraform-git.yaml => gitadmin.yaml} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename policies/kv/service/woodpecker/tokens/{terraform-git.yaml => gitadmin.yaml} (67%) diff --git a/policies/kv/service/woodpecker/tokens/terraform-git.yaml b/policies/kv/service/woodpecker/tokens/gitadmin.yaml similarity index 67% rename from policies/kv/service/woodpecker/tokens/terraform-git.yaml rename to policies/kv/service/woodpecker/tokens/gitadmin.yaml index 372f7f9..21c843e 100644 --- a/policies/kv/service/woodpecker/tokens/terraform-git.yaml +++ b/policies/kv/service/woodpecker/tokens/gitadmin.yaml @@ -1,6 +1,6 @@ --- rules: - - path: "kv/data/service/woodpecker/tokens/terraform-git" + - path: "kv/data/service/woodpecker/tokens/gitadmin" capabilities: - read -- 2.47.3
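Review bot: The rule now reads `kv/data/service/woodpecker/tokens/gitadmin`, a secret whose name suggests a Woodpecker admin credential, while the consumers of this policy (the `auth:` block, which lies outside this hunk and is unchanged since the first patch) are the terraform-git approle and the `woodpecker_terraform_git` k8s role. If terraform-git only needs to manage webhooks on its own repositories, a Woodpecker token scoped to that user is the least-privilege choice; if the admin token is genuinely required, record why above the rule, e.g. `# gitadmin token: Woodpecker terraform provider needs admin API access for repo webhooks — TODO confirm minimum scope`. The commit message gives no rationale for switching from the per-service `terraform-git` token to `gitadmin`, so this file is the only place a future reader can learn why the broader credential is exposed to these workloads.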