From 2c4d0d7f64393b63396c3d8e8c1e28b1d77cde96 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Mon, 8 Jun 2026 22:53:25 +1000
Subject: [PATCH] Add Vault access for forgebot service

K8s auth role binding for forgebot namespace (default + forgebot-operator service accounts) and KV read policies for environment config, LiteLLM API key, Gitea token, PostgreSQL credentials, and webhook secret.

---
config/auth_kubernetes_role/k8s/au/syd1/forgebot.yaml | 8 ++++++++
policies/kv/service/forgebot/environment/read.yaml | 9 +++++++++
policies/kv/service/forgebot/gitea-token/read.yaml | 9 +++++++++
policies/kv/service/forgebot/litellm-api-key/read.yaml | 9 +++++++++
.../kv/service/forgebot/postgres-credentials/read.yaml | 9 +++++++++
policies/kv/service/forgebot/webhook-secret/read.yaml | 9 +++++++++
6 files changed, 53 insertions(+)
create mode 100644 config/auth_kubernetes_role/k8s/au/syd1/forgebot.yaml
create mode 100644 policies/kv/service/forgebot/environment/read.yaml
create mode 100644 policies/kv/service/forgebot/gitea-token/read.yaml
create mode 100644 policies/kv/service/forgebot/litellm-api-key/read.yaml
create mode 100644 policies/kv/service/forgebot/postgres-credentials/read.yaml
create mode 100644 policies/kv/service/forgebot/webhook-secret/read.yaml

diff --git a/config/auth_kubernetes_role/k8s/au/syd1/forgebot.yaml b/config/auth_kubernetes_role/k8s/au/syd1/forgebot.yaml
new file mode 100644
index 0000000..fb42247
--- /dev/null
+++ b/config/auth_kubernetes_role/k8s/au/syd1/forgebot.yaml
@@ -0,0 +1,8 @@
+bound_service_account_names:
+ - default
+ - forgebot-operator
+bound_service_account_namespaces:
+ - forgebot
+token_ttl: 600
+token_max_ttl: 600
+audience: vault
diff --git a/policies/kv/service/forgebot/environment/read.yaml b/policies/kv/service/forgebot/environment/read.yaml
new file mode 100644
index 0000000..29fd998
--- /dev/null
+++ b/policies/kv/service/forgebot/environment/read.yaml
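Review bot: Binding this role to the namespace's `default` service account (first entry under `bound_service_account_names`) grants more than the commit description implies: every pod in the `forgebot` namespace that does not set `serviceAccountName` runs as `default`, so any such pod can log in as this role. The five policy files in this patch (environment, gitea-token, litellm-api-key, postgres-credentials, webhook-secret) all name this role in their `auth: k8s/au/syd1: - forgebot` stanza, which presumably attaches each policy to it, so those pods would be able to read every one of those secrets rather than only what the operator needs. Unless a workload genuinely has to run as `default`, drop the `- default` entry and keep only `- forgebot-operator` (or a dedicated service account per consumer). If `default` must stay, record the reason next to it, e.g. `# default SA required by <workload> — TODO confirm`, so the grant is not silently inherited by future deployments in the namespace.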
@@ -0,0 +1,9 @@
+---
+rules:
+ - path: "kv/data/service/forgebot/environment"
+ capabilities:
+ - read
+
+auth:
+ k8s/au/syd1:
+ - forgebot
diff --git a/policies/kv/service/forgebot/gitea-token/read.yaml b/policies/kv/service/forgebot/gitea-token/read.yaml
new file mode 100644
index 0000000..d75ecb1
--- /dev/null
+++ b/policies/kv/service/forgebot/gitea-token/read.yaml
@@ -0,0 +1,9 @@
+---
+rules:
+ - path: "kv/data/service/forgebot/gitea-token"
+ capabilities:
+ - read
+
+auth:
+ k8s/au/syd1:
+ - forgebot
diff --git a/policies/kv/service/forgebot/litellm-api-key/read.yaml b/policies/kv/service/forgebot/litellm-api-key/read.yaml
new file mode 100644
index 0000000..e915454
--- /dev/null
+++ b/policies/kv/service/forgebot/litellm-api-key/read.yaml
@@ -0,0 +1,9 @@
+---
+rules:
+ - path: "kv/data/service/forgebot/litellm-api-key"
+ capabilities:
+ - read
+
+auth:
+ k8s/au/syd1:
+ - forgebot
diff --git a/policies/kv/service/forgebot/postgres-credentials/read.yaml b/policies/kv/service/forgebot/postgres-credentials/read.yaml
new file mode 100644
index 0000000..32228c1
--- /dev/null
+++ b/policies/kv/service/forgebot/postgres-credentials/read.yaml
@@ -0,0 +1,9 @@
+---
+rules:
+ - path: "kv/data/service/forgebot/postgres-credentials"
+ capabilities:
+ - read
+
+auth:
+ k8s/au/syd1:
+ - forgebot
diff --git a/policies/kv/service/forgebot/webhook-secret/read.yaml b/policies/kv/service/forgebot/webhook-secret/read.yaml
new file mode 100644
index 0000000..6d5385c
--- /dev/null
+++ b/policies/kv/service/forgebot/webhook-secret/read.yaml
@@ -0,0 +1,9 @@
+---
+rules:
+ - path: "kv/data/service/forgebot/webhook-secret"
+ capabilities:
+ - read
+
+auth:
+ k8s/au/syd1:
+ - forgebot