Add Vault access for forgebot service #76

Closed
unkinben wants to merge 7 commits from feature/forgebot-vault-access into master
Summary

  • Add K8s auth role for forgebot namespace binding default and forgebot-operator service accounts
  • Add KV read policies for forgebot secrets: environment, litellm-api-key, gitea-token, postgres-credentials, webhook-secret
  • All policies bind to k8s/au/syd1: forgebot auth role

Context

Forgebot is a new K8s operator + API service for dispatching AI agent jobs from Gitea slash commands. It needs Vault access for:

  • environment: general env config
  • litellm-api-key: API key for LiteLLM model access
  • gitea-token: token for Gitea API (webhooks, comments)
  • postgres-credentials: database connection credentials
  • webhook-secret: HMAC secret for webhook signature verification

Test plan

  • terragrunt plan shows expected additions (1 K8s auth role, 5 policies)
  • No unexpected changes to existing resources
unkinben added 4 commits 2026-06-08 22:53:47 +10:00
feat: add vault policy for terraform-git webhook secrets
ci/woodpecker/pr/plan Pipeline failed
ci/woodpecker/pr/pre-commit Pipeline failed
132e5ea4d9
Allow terraform-git to read webhook URLs stored in
kv/data/service/gitea/webhook/* via approle and k8s auth.
feat: replace webhook secrets policy with woodpecker token policy
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
12680f93cd
Webhook URLs are now managed by the Woodpecker terraform provider
instead of being stored in Vault. Add read policy for the Woodpecker
API token at kv/data/service/woodpecker/tokens/terraform-git.
fix: use gitadmin woodpecker token path
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
a29ff9fe6a
Add Vault access for forgebot service
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was canceled
2c4d0d7f64
K8s auth role binding for forgebot namespace (default + forgebot-operator
service accounts) and KV read policies for environment config, LiteLLM
API key, Gitea token, PostgreSQL credentials, and webhook secret.
unkinben added 1 commit 2026-06-08 22:55:05 +10:00
Simplify: use default templated policy for forgebot KV access
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline failed
f5803605d6
The default K8s auth policy already provides namespace-scoped access to
kv/data/kubernetes/namespace/{namespace}/{sa}/* via identity templating.
Forgebot secrets should be stored at kv/kubernetes/namespace/forgebot/default/*
instead of kv/service/forgebot/*, eliminating the need for 5 individual
policies. The forgebot K8s auth role is kept for the forgebot-operator SA.
benvin added 1 commit 2026-06-08 22:57:55 +10:00
Merge branch 'master' into feature/forgebot-vault-access
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline failed
b9632f39e4
unkinben added 1 commit 2026-06-08 23:00:50 +10:00
Fix: add policy binding for forgebot K8s auth role
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
65f844cbe1
Every K8s auth role needs at least one entry in the policy_auth_map.
Add a policy granting the forgebot role read access to the namespace-
scoped KV path, which the operator SA needs when authenticating with
the forgebot role instead of the default role.
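The two commit messages above (the switch to the default identity-templated policy, and the later fix binding a policy to the forgebot role) describe the shape of the configuration without showing it. The block below is an added example, not code from the unkin/terraform-vault repository, of what a namespace-scoped templated policy and the matching Kubernetes auth role look like in Terraform. It takes the auth mount path `k8s/au/syd1`, the role name `forgebot`, the bound service accounts and the `kv/data/kubernetes/namespace/{namespace}/{sa}/*` layout from the PR; the KV v2 mount name `kv`, the policy name `forgebot-kv-read`, the data-source label `syd1` and the token TTL are assumptions.

```hcl
# Added example; not the repository's own Terraform.
# Assumed: KV v2 engine mounted at "kv", Kubernetes auth mounted at
# "k8s/au/syd1" (from the PR), policy name "forgebot-kv-read" is hypothetical.

# Look up the auth mount so the policy can reference its accessor. Identity
# templating keys entity-alias metadata on the mount accessor, so the policy
# only resolves for tokens issued through this particular mount.
data "vault_auth_backend" "syd1" {
  path = "k8s/au/syd1"
}

locals {
  # Prefix for the alias metadata the Kubernetes auth method records at login
  # (service_account_namespace and service_account_name).
  alias = "identity.entity.aliases.${data.vault_auth_backend.syd1.accessor}.metadata"
}

# Namespace-scoped read policy. The path is resolved per token from the
# service account that authenticated, so a token for forgebot/default can
# read kv/kubernetes/namespace/forgebot/default/* and nothing else under the
# kubernetes/ prefix. No per-secret policies are needed.
resource "vault_policy" "forgebot_kv_read" {
  name   = "forgebot-kv-read"
  policy = <<-EOT
    path "kv/data/kubernetes/namespace/{{${local.alias}.service_account_namespace}}/{{${local.alias}.service_account_name}}/*" {
      capabilities = ["read"]
    }
    path "kv/metadata/kubernetes/namespace/{{${local.alias}.service_account_namespace}}/{{${local.alias}.service_account_name}}/*" {
      capabilities = ["list"]
    }
  EOT
}

# Auth role for the forgebot namespace. Binding both the namespace and the
# service account names means a token from any other namespace, or from an
# unlisted SA in forgebot, is refused at login rather than at secret read.
resource "vault_kubernetes_auth_backend_role" "forgebot" {
  backend                          = data.vault_auth_backend.syd1.path
  role_name                        = "forgebot"
  bound_service_account_names      = ["default", "forgebot-operator"]
  bound_service_account_namespaces = ["forgebot"]
  token_policies                   = [vault_policy.forgebot_kv_read.name]
  token_ttl                        = 3600
}
```

Two points worth checking in a `terragrunt plan` for a change like this: the role must carry at least one policy (a role with an empty `token_policies` yields tokens that can read nothing, which is the situation the final commit fixes), and the templated path must use the accessor of the mount the role lives on, since a policy templated against a different mount's accessor silently grants no access.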
unkinben closed this pull request 2026-06-08 23:03:43 +10:00
All checks were successful
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful

Pull request closed


Reference: unkin/terraform-vault#76