From 56d858f900f7f705a69878531ac191bd3fcf5f54 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 4 Jan 2026 23:36:43 +1100
Subject: [PATCH 1/2] feat: add prowlarr access - enable kubernetes access to prowlarr secrets
---
 auth_kubernetes_roles.tf | 1 +
 policies/kv/service/media-apps/prowlarr/read.hcl | 3 +++
 2 files changed, 4 insertions(+)
 create mode 100644 policies/kv/service/media-apps/prowlarr/read.hcl
diff --git a/auth_kubernetes_roles.tf b/auth_kubernetes_roles.tf
index d4edeac..ec67d63 100644
--- a/auth_kubernetes_roles.tf
+++ b/auth_kubernetes_roles.tf
@@ -90,6 +90,7 @@ resource "vault_kubernetes_auth_backend_role" "media-apps" {
 ]
 token_ttl = 60
 token_policies = [
+ "kv/service/media-apps/prowlarr/read",
 "kv/service/media-apps/radarr/read",
 "kv/service/media-apps/sonarr/read",
 ]
diff --git a/policies/kv/service/media-apps/prowlarr/read.hcl b/policies/kv/service/media-apps/prowlarr/read.hcl
new file mode 100644
index 0000000..8d96503
--- /dev/null
+++ b/policies/kv/service/media-apps/prowlarr/read.hcl
@@ -0,0 +1,3 @@
+path "kv/data/service/media-apps/prowlarr" {
+ capabilities = ["read"]
+}
From 25e3d48337323b179e4ef2a55580bbfe9988ddef Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Mon, 26 Jan 2026 18:30:49 +1100
Subject: [PATCH 2/2] chore: add nzbget secrets - add policy for nzbget secrets - enable the media-apps kubernetes role to use policy
---
 auth_kubernetes_roles.tf | 1 +
 policies/kv/service/media-apps/nzbget/read.hcl | 3 +++
 2 files changed, 4 insertions(+)
 create mode 100644 policies/kv/service/media-apps/nzbget/read.hcl
diff --git a/auth_kubernetes_roles.tf b/auth_kubernetes_roles.tf
index ec67d63..895adf6 100644
--- a/auth_kubernetes_roles.tf
+++ b/auth_kubernetes_roles.tf
@@ -90,6 +90,7 @@ resource "vault_kubernetes_auth_backend_role" "media-apps" {
 ]
 token_ttl = 60
 token_policies = [
+ "kv/service/media-apps/nzbget/read",
 "kv/service/media-apps/prowlarr/read",
 "kv/service/media-apps/radarr/read",
 "kv/service/media-apps/sonarr/read",
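Review bot: Every identity that can log in through the shared `media-apps` role now receives a token able to read prowlarr's secret as well as radarr's and sonarr's, because the policy is appended to that one role's `token_policies` in auth_kubernetes_roles.tf; the matching hunk in patch 2/2 widens the same list again for nzbget. The service-account and namespace bindings sit above the hunk and are not visible here, so this may already be a single account, but if each app runs under its own service account, a separate `vault_kubernetes_auth_backend_role` per app carrying only that app's read policy would stop one compromised pod from reading its neighbours' credentials. If the shared role is intentional, a comment above the list would record that, e.g. `# shared role: every bound service account can read all secrets listed below`. The resource block starts and ends outside the hunk.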
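Review bot: The new policies/kv/service/media-apps/prowlarr/read.hcl carries no comment saying what it grants or which role consumes it, which makes later audits of the policy tree harder; a header such as `# Read-only access to the prowlarr secret; attached to the media-apps Kubernetes auth role.` would cover it. The path is an exact match, so it does not cover keys nested under `prowlarr/` and grants nothing on the metadata path, which is worth stating in the comment if that is intended. Assuming this is a KV v2 mount (the `data/` segment suggests so), `read` on the data path also lets the holder request earlier versions of the secret, so rotated values stay readable until the old versions are deleted or destroyed. The same points apply to policies/kv/service/media-apps/nzbget/read.hcl in patch 2/2.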
diff --git a/policies/kv/service/media-apps/nzbget/read.hcl b/policies/kv/service/media-apps/nzbget/read.hcl
new file mode 100644
index 0000000..02571d2
--- /dev/null
+++ b/policies/kv/service/media-apps/nzbget/read.hcl
@@ -0,0 +1,3 @@
+path "kv/data/service/media-apps/nzbget" {
+ capabilities = ["read"]
+}