diff --git a/config/auth_kubernetes_role/k8s/au/syd1/encapi.yaml b/config/auth_kubernetes_role/k8s/au/syd1/encapi.yaml
new file mode 100644
index 0000000..5884fc9
--- /dev/null
+++ b/config/auth_kubernetes_role/k8s/au/syd1/encapi.yaml
@@ -0,0 +1,7 @@
+bound_service_account_names:
+ - default
+bound_service_account_namespaces:
+ - encapi
+token_ttl: 600
+token_max_ttl: 600
+audience: vault
diff --git a/policies/kv/service/encapi/environment/read.yaml b/policies/kv/service/encapi/environment/read.yaml
new file mode 100644
index 0000000..a532bfd
--- /dev/null
+++ b/policies/kv/service/encapi/environment/read.yaml
@@ -0,0 +1,10 @@
+# Allow reading environment variables for encapi
+---
+rules:
+ - path: "kv/data/service/encapi/environment"
+ capabilities:
+ - read
+
+auth:
+ k8s/au/syd1:
+ - encapi
diff --git a/policies/kv/service/encapi/postgres-password/read.yaml b/policies/kv/service/encapi/postgres-password/read.yaml
new file mode 100644
index 0000000..45af8d6
--- /dev/null
+++ b/policies/kv/service/encapi/postgres-password/read.yaml
@@ -0,0 +1,10 @@
+# Allow reading environment vars for postgres/encapi
+---
+rules:
+ - path: "kv/data/service/encapi/postgres-password"
+ capabilities:
+ - read
+
+auth:
+ k8s/au/syd1:
+ - encapi
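Review bot: The role binds the namespace's `default` service account (`bound_service_account_names: - default`), so every pod in the `encapi` namespace that does not set its own `serviceAccountName` and still automounts a token can log in to Vault through this role and receive whatever policies are attached to it, not just the encapi workload. Bind a dedicated service account instead, e.g. `- encapi` in place of `- default` (name assumed — match the Deployment's `serviceAccountName`), and consider setting `automountServiceAccountToken: false` on the namespace's `default` account so it cannot be used for Vault login at all. Pinning `audience: vault` and the 600 s TTLs are good; note that `token_max_ttl` equal to `token_ttl` means the token can never be renewed past ten minutes, so the client must re-login rather than renew — fine if that is the intent, worth a comment if so.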
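Review bot: If this mount is KV v2 (the `kv/data/` prefix suggests it, but the mount config is not in this diff), `read` on `kv/data/service/encapi/environment` also returns any retained earlier version through the `version` query parameter, so rotating the secret does not on its own cut off a reader holding a valid token until the old versions are destroyed. That caveat belongs in the file header so rotation runbooks account for it, e.g. `# KV v2: read also exposes retained prior versions; destroy old versions when rotating`. Leaving `list` and the `kv/metadata/` path out of the rule is appropriate for a single-path consumer and should stay that way.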
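Review bot: The header comment `# Allow reading environment vars for postgres/encapi` looks copy-pasted from the environment policy — the rule below grants read on `kv/data/service/encapi/postgres-password`, not on environment variables, and a misleading header on a credential-granting policy is exactly what an auditor will trip over. Replace it with `# Allow encapi to read its Postgres password`. Since this is a static database password in KV, it is worth noting in the same header whether it is meant to be replaced by Vault's database secrets engine (short-lived, per-pod credentials) or is intentionally static and rotated out of band; the diff does not show either, so I would not assume.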