Add Vault access for forgebot service

K8s auth role binding for forgebot namespace (default + forgebot-operator
service accounts) and KV read policies for environment config, LiteLLM
API key, Gitea token, PostgreSQL credentials, and webhook secret.
2026-06-08 22:53:25 +10:00
parent a29ff9fe6a
commit 2c4d0d7f64
6 changed files with 53 additions and 0 deletions
@@ -0,0 +1,8 @@
bound_service_account_names:
- default
- forgebot-operator
bound_service_account_namespaces:
- forgebot
token_ttl: 600
token_max_ttl: 600
audience: vault
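Review bot: Binding the `default` service account alongside `forgebot-operator` means any pod in the forgebot namespace that does not set a serviceAccountName can log in to this role and read every secret the attached policies expose, which is wider than the commit description's intent suggests. Unless a workload genuinely runs under `default`, narrowing the binding to `bound_service_account_names:` / `- forgebot-operator` (or one dedicated service account per workload) keeps the role at least privilege. The 600-second `token_ttl`/`token_max_ttl` and `audience: vault` are appropriate, since they bound token lifetime and reject projected tokens minted for other audiences. The file path for this role definition is not shown on this page.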
@@ -0,0 +1,9 @@
---
rules:
- path: "kv/data/service/forgebot/environment"
capabilities:
- read
auth:
k8s/au/syd1:
- forgebot
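Review bot: This policy and the four that follow (gitea-token, litellm-api-key, postgres-credentials, webhook-secret) all attach to the same single role `forgebot` under `k8s/au/syd1`, so the per-secret split does not narrow access: any identity that can assume that role reads all five secrets together. If the operator and a webhook receiver are separate workloads, the split only pays off once each is bound to its own role carrying just the policies it needs; if they are one workload, a single policy on `kv/data/service/forgebot/*` would express the same grant without the duplication. The read-only capability on the `kv/data/...` path is the minimal KV v2 grant, which is good. The file paths for these policies are not shown on this page.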
@@ -0,0 +1,9 @@
---
rules:
- path: "kv/data/service/forgebot/gitea-token"
capabilities:
- read
auth:
k8s/au/syd1:
- forgebot
@@ -0,0 +1,9 @@
---
rules:
- path: "kv/data/service/forgebot/litellm-api-key"
capabilities:
- read
auth:
k8s/au/syd1:
- forgebot
@@ -0,0 +1,9 @@
---
rules:
- path: "kv/data/service/forgebot/postgres-credentials"
capabilities:
- read
auth:
k8s/au/syd1:
- forgebot
@@ -0,0 +1,9 @@
---
rules:
- path: "kv/data/service/forgebot/webhook-secret"
capabilities:
- read
auth:
k8s/au/syd1:
- forgebot