From 42351000ee91f0fe34b044c9f518b2d99061717e Mon Sep 17 00:00:00 2001
From: Ben Vincent <ben@unkin.net>
Date: Fri, 6 Mar 2026 19:39:36 +1100
Subject: [PATCH] chore: move pgsql password to vault

- no more storing secrets in configmaps
---
 .../kv/service/artifactapi/postgres-password/read.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 policies/kv/service/artifactapi/postgres-password/read.yaml

diff --git a/policies/kv/service/artifactapi/postgres-password/read.yaml b/policies/kv/service/artifactapi/postgres-password/read.yaml
new file mode 100644
index 0000000..b2b236f
--- /dev/null
+++ b/policies/kv/service/artifactapi/postgres-password/read.yaml
@@ -0,0 +1,10 @@
+# Allow reading environment vars for postgres/artifactapi
+---
+rules:
+  - path: "kv/data/service/artifactapi/postgres-password"
+    capabilities:
+      - read
+
+auth:
+  k8s/au/syd1:
+    - artifactapi