From 132e5ea4d9ab0e816fe88a3aec48145a88264ba0 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Mon, 8 Jun 2026 16:11:58 +1000
Subject: [PATCH 1/6] feat: add vault policy for terraform-git webhook secrets

Allow terraform-git to read webhook URLs stored in kv/data/service/gitea/webhook/* via approle and k8s auth.
---
 policies/kv/service/gitea/webhook.yaml | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 policies/kv/service/gitea/webhook.yaml

diff --git a/policies/kv/service/gitea/webhook.yaml b/policies/kv/service/gitea/webhook.yaml
new file mode 100644
index 0000000..b6ea85a
--- /dev/null
+++ b/policies/kv/service/gitea/webhook.yaml
@@ -0,0 +1,11 @@
+---
+rules:
+  - path: "kv/data/service/gitea/webhook/*"
+    capabilities:
+      - read
+
+auth:
+  approle:
+    - terraform_git
+  k8s/au/syd1:
+    - woodpecker_terraform_git
--
2.47.3

From 12680f93cd689ab88ae05b5213dcd944d2b97267 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Mon, 8 Jun 2026 16:17:00 +1000
Subject: [PATCH 2/6] feat: replace webhook secrets policy with woodpecker token policy

Webhook URLs are now managed by the Woodpecker terraform provider instead of being stored in Vault. Add read policy for the Woodpecker API token at kv/data/service/woodpecker/tokens/terraform-git.
---
 .../webhook.yaml => woodpecker/tokens/terraform-git.yaml} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename policies/kv/service/{gitea/webhook.yaml => woodpecker/tokens/terraform-git.yaml} (67%)

diff --git a/policies/kv/service/gitea/webhook.yaml b/policies/kv/service/woodpecker/tokens/terraform-git.yaml
similarity index 67%
rename from policies/kv/service/gitea/webhook.yaml
rename to policies/kv/service/woodpecker/tokens/terraform-git.yaml
index b6ea85a..372f7f9
--- a/policies/kv/service/gitea/webhook.yaml
+++ b/policies/kv/service/woodpecker/tokens/terraform-git.yaml
@@ -1,6 +1,6 @@
 ---
 rules:
-  - path: "kv/data/service/gitea/webhook/*"
+  - path: "kv/data/service/woodpecker/tokens/terraform-git"
     capabilities:
       - read
--
2.47.3

From a29ff9fe6a045a744098ff97bb74dd7ed63bd96a Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Mon, 8 Jun 2026 19:08:12 +1000
Subject: [PATCH 3/6] fix: use gitadmin woodpecker token path

---
 .../woodpecker/tokens/{terraform-git.yaml => gitadmin.yaml} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename policies/kv/service/woodpecker/tokens/{terraform-git.yaml => gitadmin.yaml} (67%)

diff --git a/policies/kv/service/woodpecker/tokens/terraform-git.yaml b/policies/kv/service/woodpecker/tokens/gitadmin.yaml
similarity index 67%
rename from policies/kv/service/woodpecker/tokens/terraform-git.yaml
rename to policies/kv/service/woodpecker/tokens/gitadmin.yaml
index 372f7f9..21c843e
--- a/policies/kv/service/woodpecker/tokens/terraform-git.yaml
+++ b/policies/kv/service/woodpecker/tokens/gitadmin.yaml
@@ -1,6 +1,6 @@
 ---
 rules:
-  - path: "kv/data/service/woodpecker/tokens/terraform-git"
+  - path: "kv/data/service/woodpecker/tokens/gitadmin"
     capabilities:
       - read
--
2.47.3

From 2c4d0d7f64393b63396c3d8e8c1e28b1d77cde96 Mon Sep 17 00:00:00 2001
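Review bot: The new `path` points the `terraform_git` approle and the `woodpecker_terraform_git` Kubernetes role (bound in the `auth` stanza below this hunk, unchanged since patch 1) at a token whose name suggests a shared Woodpecker admin credential rather than one minted for this automation. If `gitadmin` really is an admin-scoped token, everything that can assume either role inherits that scope, and rotating it disturbs every other consumer of the same secret; the per-consumer `tokens/terraform-git` secret this series had one commit earlier kept the blast radius to this workload. The commit message gives no reason for the switch, so if sharing the token is deliberate, record it in the policy with a one-line comment above `path` stating why a per-consumer token was not used and who else reads `tokens/gitadmin`.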
From: Ben Vincent
Date: Mon, 8 Jun 2026 22:53:25 +1000
Subject: [PATCH 4/6] Add Vault access for forgebot service

K8s auth role binding for forgebot namespace (default + forgebot-operator service accounts) and KV read policies for environment config, LiteLLM API key, Gitea token, PostgreSQL credentials, and webhook secret.
---
 config/auth_kubernetes_role/k8s/au/syd1/forgebot.yaml | 8 ++++++++
 policies/kv/service/forgebot/environment/read.yaml | 9 +++++++++
 policies/kv/service/forgebot/gitea-token/read.yaml | 9 +++++++++
 policies/kv/service/forgebot/litellm-api-key/read.yaml | 9 +++++++++
 .../kv/service/forgebot/postgres-credentials/read.yaml | 9 +++++++++
 policies/kv/service/forgebot/webhook-secret/read.yaml | 9 +++++++++
 6 files changed, 53 insertions(+)
 create mode 100644 config/auth_kubernetes_role/k8s/au/syd1/forgebot.yaml
 create mode 100644 policies/kv/service/forgebot/environment/read.yaml
 create mode 100644 policies/kv/service/forgebot/gitea-token/read.yaml
 create mode 100644 policies/kv/service/forgebot/litellm-api-key/read.yaml
 create mode 100644 policies/kv/service/forgebot/postgres-credentials/read.yaml
 create mode 100644 policies/kv/service/forgebot/webhook-secret/read.yaml

diff --git a/config/auth_kubernetes_role/k8s/au/syd1/forgebot.yaml b/config/auth_kubernetes_role/k8s/au/syd1/forgebot.yaml
new file mode 100644
index 0000000..fb42247
--- /dev/null
+++ b/config/auth_kubernetes_role/k8s/au/syd1/forgebot.yaml
@@ -0,0 +1,8 @@
+bound_service_account_names:
+  - default
+  - forgebot-operator
+bound_service_account_namespaces:
+  - forgebot
+token_ttl: 600
+token_max_ttl: 600
+audience: vault
diff --git a/policies/kv/service/forgebot/environment/read.yaml b/policies/kv/service/forgebot/environment/read.yaml
new file mode 100644
index 0000000..29fd998
--- /dev/null
+++ b/policies/kv/service/forgebot/environment/read.yaml
@@ -0,0 +1,9 @@
+---
+rules:
+  - path: "kv/data/service/forgebot/environment"
+    capabilities:
+      - read
+
+auth:
+  k8s/au/syd1:
+    - forgebot
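Review bot: `bound_service_account_names` in the new forgebot role lists `default`, so any pod in the `forgebot` namespace that does not set its own `serviceAccountName` (and has the SA token automounted) can log in to Vault with this role, not only the workloads it is meant for; binding the namespace `default` SA is the usual way a Vault role becomes reachable from a stray or compromised pod. If the application pods are intended to authenticate as `default` against the templated default role (which the next commit in this series appears to assume), drop `default` here so the list reads just `  - forgebot-operator`; if the app needs this role, give it a dedicated SA and bind that name instead. The short `token_ttl`/`token_max_ttl` of 600 and the explicit `audience: vault` are good and should stay.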
diff --git a/policies/kv/service/forgebot/gitea-token/read.yaml b/policies/kv/service/forgebot/gitea-token/read.yaml
new file mode 100644
index 0000000..d75ecb1
--- /dev/null
+++ b/policies/kv/service/forgebot/gitea-token/read.yaml
@@ -0,0 +1,9 @@
+---
+rules:
+  - path: "kv/data/service/forgebot/gitea-token"
+    capabilities:
+      - read
+
+auth:
+  k8s/au/syd1:
+    - forgebot
diff --git a/policies/kv/service/forgebot/litellm-api-key/read.yaml b/policies/kv/service/forgebot/litellm-api-key/read.yaml
new file mode 100644
index 0000000..e915454
--- /dev/null
+++ b/policies/kv/service/forgebot/litellm-api-key/read.yaml
@@ -0,0 +1,9 @@
+---
+rules:
+  - path: "kv/data/service/forgebot/litellm-api-key"
+    capabilities:
+      - read
+
+auth:
+  k8s/au/syd1:
+    - forgebot
diff --git a/policies/kv/service/forgebot/postgres-credentials/read.yaml b/policies/kv/service/forgebot/postgres-credentials/read.yaml
new file mode 100644
index 0000000..32228c1
--- /dev/null
+++ b/policies/kv/service/forgebot/postgres-credentials/read.yaml
@@ -0,0 +1,9 @@
+---
+rules:
+  - path: "kv/data/service/forgebot/postgres-credentials"
+    capabilities:
+      - read
+
+auth:
+  k8s/au/syd1:
+    - forgebot
diff --git a/policies/kv/service/forgebot/webhook-secret/read.yaml b/policies/kv/service/forgebot/webhook-secret/read.yaml
new file mode 100644
index 0000000..6d5385c
--- /dev/null
+++ b/policies/kv/service/forgebot/webhook-secret/read.yaml
@@ -0,0 +1,9 @@
+---
+rules:
+  - path: "kv/data/service/forgebot/webhook-secret"
+    capabilities:
+      - read
+
+auth:
+  k8s/au/syd1:
+    - forgebot
--
2.47.3

From f5803605d61e68781c6f806cdef439b31fbc725c Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Mon, 8 Jun 2026 22:54:58 +1000
Subject: [PATCH 5/6] Simplify: use default templated policy for forgebot KV access

The default K8s auth policy already provides namespace-scoped access to kv/data/kubernetes/namespace/{namespace}/{sa}/* via identity templating. Forgebot secrets should be stored at kv/kubernetes/namespace/forgebot/default/* instead of kv/service/forgebot/*, eliminating the need for 5 individual policies. The forgebot K8s auth role is kept for the forgebot-operator SA.
---
 policies/kv/service/forgebot/environment/read.yaml | 9 ---------
 policies/kv/service/forgebot/gitea-token/read.yaml | 9 ---------
 policies/kv/service/forgebot/litellm-api-key/read.yaml | 9 ---------
 .../kv/service/forgebot/postgres-credentials/read.yaml | 9 ---------
 policies/kv/service/forgebot/webhook-secret/read.yaml | 9 ---------
 5 files changed, 45 deletions(-)
 delete mode 100644 policies/kv/service/forgebot/environment/read.yaml
 delete mode 100644 policies/kv/service/forgebot/gitea-token/read.yaml
 delete mode 100644 policies/kv/service/forgebot/litellm-api-key/read.yaml
 delete mode 100644 policies/kv/service/forgebot/postgres-credentials/read.yaml
 delete mode 100644 policies/kv/service/forgebot/webhook-secret/read.yaml

diff --git a/policies/kv/service/forgebot/environment/read.yaml b/policies/kv/service/forgebot/environment/read.yaml
deleted file mode 100644
index 29fd998..0000000
--- a/policies/kv/service/forgebot/environment/read.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-rules:
-  - path: "kv/data/service/forgebot/environment"
-    capabilities:
-      - read
-
-auth:
-  k8s/au/syd1:
-    - forgebot
diff --git a/policies/kv/service/forgebot/gitea-token/read.yaml b/policies/kv/service/forgebot/gitea-token/read.yaml
deleted file mode 100644
index d75ecb1..0000000
--- a/policies/kv/service/forgebot/gitea-token/read.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-rules:
-  - path: "kv/data/service/forgebot/gitea-token"
-    capabilities:
-      - read
-
-auth:
-  k8s/au/syd1:
-    - forgebot
diff --git a/policies/kv/service/forgebot/litellm-api-key/read.yaml b/policies/kv/service/forgebot/litellm-api-key/read.yaml
deleted file mode 100644
index e915454..0000000
--- a/policies/kv/service/forgebot/litellm-api-key/read.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-rules:
-  - path: "kv/data/service/forgebot/litellm-api-key"
-    capabilities:
-      - read
-
-auth:
-  k8s/au/syd1:
-    - forgebot
diff --git a/policies/kv/service/forgebot/postgres-credentials/read.yaml b/policies/kv/service/forgebot/postgres-credentials/read.yaml
deleted file mode 100644
index 32228c1..0000000
--- a/policies/kv/service/forgebot/postgres-credentials/read.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-rules:
-  - path: "kv/data/service/forgebot/postgres-credentials"
-    capabilities:
-      - read
-
-auth:
-  k8s/au/syd1:
-    - forgebot
diff --git a/policies/kv/service/forgebot/webhook-secret/read.yaml b/policies/kv/service/forgebot/webhook-secret/read.yaml
deleted file mode 100644
index 6d5385c..0000000
--- a/policies/kv/service/forgebot/webhook-secret/read.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-rules:
-  - path: "kv/data/service/forgebot/webhook-secret"
-    capabilities:
-      - read
-
-auth:
-  k8s/au/syd1:
-    - forgebot
--
2.47.3

From 65f844cbe109ab9439fb8280716643742c0fba63 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Mon, 8 Jun 2026 23:00:22 +1000
Subject: [PATCH 6/6] Fix: add policy binding for forgebot K8s auth role

Every K8s auth role needs at least one entry in the policy_auth_map. Add a policy granting the forgebot role read access to the namespace- scoped KV path, which the operator SA needs when authenticating with the forgebot role instead of the default role.
---
 policies/kv/service/forgebot/config/read.yaml | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 policies/kv/service/forgebot/config/read.yaml
diff --git a/policies/kv/service/forgebot/config/read.yaml b/policies/kv/service/forgebot/config/read.yaml
new file mode 100644
index 0000000..d4547d5
--- /dev/null
+++ b/policies/kv/service/forgebot/config/read.yaml
@@ -0,0 +1,9 @@
+---
+rules:
+  - path: "kv/data/kubernetes/namespace/forgebot/*"
+    capabilities:
+      - read
+
+auth:
+  k8s/au/syd1:
+    - forgebot
--
2.47.3
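Review bot: The rule path `kv/data/kubernetes/namespace/forgebot/*` is wider than the per-SA path the templated default policy provides (`.../namespace/{namespace}/{sa}/*` per the previous commit's message): every identity that logs in with the `forgebot` role gets read on both `namespace/forgebot/default/*` and `namespace/forgebot/forgebot-operator/*`, and the role as added in patch 4 binds the namespace `default` SA as well as `forgebot-operator`. So a pod running as `default` that authenticates with this role can read the operator's secrets, and vice versa, which undoes the per-SA isolation the previous commit moved to. Since the message says this policy exists for the operator SA, narrow it to `- path: "kv/data/kubernetes/namespace/forgebot/forgebot-operator/*"`, or, if the broad path is intentional, remove `default` from the role's bound SA names so only the operator can reach it. A comment above the rule saying which SA the policy is for would also help, e.g. `# forgebot-operator SA authenticates with the forgebot role rather than the templated default role`.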