Add Vault access for forgebot service #76

Closed
unkinben wants to merge 7 commits from feature/forgebot-vault-access into master

7 Commits

Author SHA1 Message Date
unkinben 65f844cbe1 Fix: add policy binding for forgebot K8s auth role
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
Every K8s auth role needs at least one entry in the policy_auth_map.
Add a policy granting the forgebot role read access to the namespace-
scoped KV path, which the operator SA needs when authenticating with
the forgebot role instead of the default role.
2026-06-08 23:00:35 +10:00
benvin b9632f39e4 Merge branch 'master' into feature/forgebot-vault-access
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline failed
2026-06-08 22:57:54 +10:00
unkinben f5803605d6 Simplify: use default templated policy for forgebot KV access
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline failed
The default K8s auth policy already provides namespace-scoped access to
kv/data/kubernetes/namespace/{namespace}/{sa}/* via identity templating.
Forgebot secrets should be stored at kv/kubernetes/namespace/forgebot/default/*
instead of kv/service/forgebot/*, eliminating the need for 5 individual
policies. The forgebot K8s auth role is kept for the forgebot-operator SA.
2026-06-08 22:54:58 +10:00
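The identity templating described in the two commit messages above (a single default policy scoped per namespace and service account, plus a dedicated K8s auth role for the operator SA) is shown below as an added Terraform example. It is not this repository's code: the auth mount path `kubernetes`, the KV v2 mount `kv`, the policy name `k8s-default`, the role attributes and the `local.k8s_alias` helper are assumptions; only the `kv/data/kubernetes/namespace/{namespace}/{sa}/*` layout and the `forgebot` / `forgebot-operator` names come from the page.

```hcl
# Added example, not the project's code.
# Assumed: Kubernetes auth mounted at "kubernetes", KV v2 mounted at "kv",
# Terraform provider "vault". Names other than those in the PR are placeholders.

resource "vault_auth_backend" "kubernetes" {
  type = "kubernetes"
  path = "kubernetes"
}

locals {
  # Alias metadata keys service_account_namespace / service_account_name are
  # set by the Kubernetes auth method at login. The template must reference
  # the accessor of THIS mount, so it is derived rather than hard-coded:
  # a policy copied to another mount would otherwise never match.
  k8s_alias = "identity.entity.aliases.${vault_auth_backend.kubernetes.accessor}.metadata"
}

# One templated policy replaces a per-service policy per secret: every SA is
# confined to kv/kubernetes/namespace/<its namespace>/<its name>/* at login.
resource "vault_policy" "k8s_default" {
  name   = "k8s-default"
  policy = <<-EOT
    # KV v2: reads go through kv/data/..., listing through kv/metadata/...
    path "kv/data/kubernetes/namespace/{{${local.k8s_alias}.service_account_namespace}}/{{${local.k8s_alias}.service_account_name}}/*" {
      capabilities = ["read"]
    }
    path "kv/metadata/kubernetes/namespace/{{${local.k8s_alias}.service_account_namespace}}/{{${local.k8s_alias}.service_account_name}}/*" {
      capabilities = ["list"]
    }
  EOT
}

# Role bound to the forgebot namespace and its two service accounts.
# bound_service_account_namespaces is the guard: without it any "default" SA
# in any namespace could log in with this role.
resource "vault_kubernetes_auth_backend_role" "forgebot" {
  backend                          = vault_auth_backend.kubernetes.path
  role_name                        = "forgebot"
  bound_service_account_names      = ["default", "forgebot-operator"]
  bound_service_account_namespaces = ["forgebot"]
  token_policies                   = [vault_policy.k8s_default.name]
  token_ttl                        = 3600 # assumed; one hour, renewable
}
```

Caveat a reviewer would check: the template keys on the authenticating SA's own name, so secrets stored under `kv/kubernetes/namespace/forgebot/default/*` are readable only by the `default` SA. A second SA such as `forgebot-operator` logging in with the `forgebot` role lands on `.../forgebot/forgebot-operator/*` instead and gets nothing from the `default` subtree unless an additional policy is attached to the role, which is what the follow-up commit in this PR adds.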
unkinben 2c4d0d7f64 Add Vault access for forgebot service
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was canceled
K8s auth role binding for forgebot namespace (default + forgebot-operator
service accounts) and KV read policies for environment config, LiteLLM
API key, Gitea token, PostgreSQL credentials, and webhook secret.
2026-06-08 22:53:25 +10:00
unkinben a29ff9fe6a fix: use gitadmin woodpecker token path
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
2026-06-08 19:08:12 +10:00
unkinben 12680f93cd feat: replace webhook secrets policy with woodpecker token policy
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
Webhook URLs are now managed by the Woodpecker terraform provider
instead of being stored in Vault. Add read policy for the Woodpecker
API token at kv/data/service/woodpecker/tokens/terraform-git.
2026-06-08 16:17:00 +10:00
unkinben 132e5ea4d9 feat: add vault policy for terraform-git webhook secrets
ci/woodpecker/pr/plan Pipeline failed
ci/woodpecker/pr/pre-commit Pipeline failed
Allow terraform-git to read webhook URLs stored in
kv/data/service/gitea/webhook/* via approle and k8s auth.
2026-06-08 16:11:58 +10:00