From 9e98c714f9cc7bb091a87d380bd5c4cf775fee70 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sat, 14 Feb 2026 19:11:30 +1100
Subject: [PATCH] feat: add ldap groups for kubernetes/vault need to separate the permissions inside vault into different groups, one per-permission. - add group for each kubernetes role in vault
---
 hieradata/roles/infra/auth/glauth.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/hieradata/roles/infra/auth/glauth.yaml b/hieradata/roles/infra/auth/glauth.yaml
index cce9ed5..4681a6a 100644
--- a/hieradata/roles/infra/auth/glauth.yaml
+++ b/hieradata/roles/infra/auth/glauth.yaml
@@ -66,6 +66,9 @@ glauth::users:
 - 20025 # jupyterhub_admin
 - 20026 # jupyterhub_user
 - 20027 # grafana_user
+ - 20028 # k8s/au/syd1 operator
+ - 20029 # k8s/au/syd1 admin
+ - 20030 # k8s/au/syd1 root
 loginshell: '/bin/bash'
 homedir: '/home/benvin'
 passsha256: 'd2434f6b4764ef75d5b7b96a876a32deedbd6aa726a109c3f32e823ca66f604a'
@@ -385,3 +388,12 @@ glauth::groups:
 grafana_user:
 group_name: 'grafana_user'
 gidnumber: 20027
+ kubernetes_au_syd1_cluster_operator:
+ group_name: 'kubernetes_au_syd1_cluster_operator'
+ gidnumber: 20028
+ kubernetes_au_syd1_cluster_admin:
+ group_name: 'kubernetes_au_syd1_cluster_admin'
+ gidnumber: 20029
+ kubernetes_au_syd1_cluster_root:
+ group_name: 'kubernetes_au_syd1_cluster_root'
+ gidnumber: 20030
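Review bot: The three added gids (20028, 20029, 20030) place this one account in the operator, admin and root groups at the same time, so the per-permission split described in the commit message does not narrow what this identity can obtain. The account authenticates with the `passsha256` value a few lines below, so anyone who recovers that password holds the root tier as a standing grant. Consider keeping only `- 20028 # k8s/au/syd1 operator` on the day-to-day account and attaching 20029/20030 to a separate admin identity, if the Vault side permits that. The new comments also differ from their neighbours, which carry the exact group name; `# kubernetes_au_syd1_cluster_root` would be greppable against the glauth::groups entries. The user entry starts above this hunk and continues below it.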
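Review bot: Nothing in the three new group definitions states what each tier permits, and `cluster_admin` versus `cluster_root` is not self-explanatory to whoever assigns membership later. A comment above the first entry would help, such as `# one group per kubernetes role in vault for au/syd1; membership grants that role, keep cluster_root membership minimal`. The exact mapping should be confirmed against the Vault role definitions, which are not visible in this patch. It is also worth checking that gidnumbers 20028–20030 are unused elsewhere in the file, since only the tail of glauth::groups is shown here.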