f2c54888de
ci/woodpecker/push/apply Pipeline was successful
## Why terraform-authentik now reads OAuth2 client secrets from Vault (`data.vault_kv_secret_v2`) rather than committing them (terraform-authentik #2). But the `terraform_authentik` approle / `woodpecker_terraform_authentik` k8s role only had the consul-creds policy, so `plan` fails with permission denied on the grafana oauth path. ## Change Add `policies/kv/service/terraform/authentik.yaml` granting read on `kv/data/kubernetes/namespace/+/default/oauth-credentials` for both the approle and the woodpecker k8s role. Reviewed-on: #81 Co-authored-by: Ben Vincent <ben@unkin.net> Co-committed-by: Ben Vincent <ben@unkin.net>
16 lines
496 B
YAML
16 lines
496 B
YAML
# Allow the Terraform Authentik runner to read OAuth2/OIDC client secrets that
|
|
# back authentik providers. Secrets live under each target service's kv
|
|
# namespace path (kv/kubernetes/namespace/<ns>/default/oauth-credentials) and
|
|
# are read by the module's data.vault_kv_secret_v2 lookups.
|
|
---
|
|
rules:
|
|
- path: "kv/data/kubernetes/namespace/+/default/oauth-credentials"
|
|
capabilities:
|
|
- read
|
|
|
|
auth:
|
|
approle:
|
|
- terraform_authentik
|
|
k8s/au/syd1:
|
|
- woodpecker_terraform_authentik
|