chore: update k8s csi roles

- ensure the new service accounts can read cephrbd/cephfs
- ensure correct namespace is allowed

auth_kubernetes_roles.tf

@@ -61,13 +61,20 @@ resource "vault_kubernetes_auth_backend_role" "cert_manager_issuer" {
 }
 
 resource "vault_kubernetes_auth_backend_role" "ceph-csi" {
-  backend                          = vault_auth_backend.kubernetes.path
+  backend   = vault_auth_backend.kubernetes.path
-  role_name                        = "ceph-csi"
+  role_name = "ceph-csi"
-  bound_service_account_names      = ["ceph-csi-rbd-csi-rbdplugin-provisioner"]
+  bound_service_account_names = [
-  bound_service_account_namespaces = ["ceph-csi"]
+    "ceph-csi-rbd-csi-rbd-provisioner",
-  token_ttl                        = 60
+    "ceph-csi-cephfs-csi-cephfs-provisioner",
+  ]
+  bound_service_account_namespaces = [
+    "csi-cephrbd",
+    "csi-cephfs",
+  ]
+  token_ttl = 60
   token_policies = [
     "kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read",
+    "kv/service/kubernetes/au/syd1/csi/ceph-cephfs-secret/read",
   ]
   audience = "vault"
 }

policies/kv/service/kubernetes/au/syd1/csi/ceph-cephfs-secret/read.hcl

@@ -0,0 +1,3 @@
+path "kv/data/service/kubernetes/au/syd1/csi/ceph-cephfs-secret" {
+  capabilities = ["read"]
+}