policies: let terraform-authentik read oauth client secrets from kv #81

Merged
benvin merged 1 commits from benvin/authentik-oauth-kv into master 2026-07-06 23:05:21 +10:00

1 Commits

Author SHA1 Message Date
unkinben e01deb13d6 policies: let terraform-authentik read oauth client secrets from kv
ci/woodpecker/pr/plan Pipeline was successful
ci/woodpecker/pr/pre-commit Pipeline was successful
The terraform-authentik module now reads OAuth2 client secrets from Vault
(data.vault_kv_secret_v2) instead of committing them, but the
terraform_authentik approle / woodpecker_terraform_authentik k8s role only
had the consul creds policy, so plan failed with permission denied.

Grant read on kv/data/kubernetes/namespace/+/default/oauth-credentials so
the runner can read the client secret for any namespace's OIDC provider
(e.g. grafana).
2026-07-06 22:20:40 +10:00