From 56e57a39aeae12ef1ba024a3516f112fccd1aa6b Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Wed, 26 Nov 2025 21:00:18 +1100
Subject: [PATCH] chore: update k8s csi roles

- ensure the new service accounts can read cephrbd/cephfs
- ensure correct namespace is allowed
---
 auth_kubernetes_roles.tf | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/auth_kubernetes_roles.tf b/auth_kubernetes_roles.tf
index 74b2622..35b38b1 100644
--- a/auth_kubernetes_roles.tf
+++ b/auth_kubernetes_roles.tf
@@ -61,13 +61,20 @@ resource "vault_kubernetes_auth_backend_role" "cert_manager_issuer" {
 }
 
 resource "vault_kubernetes_auth_backend_role" "ceph-csi" {
- backend = vault_auth_backend.kubernetes.path
- role_name = "ceph-csi"
- bound_service_account_names = ["ceph-csi-rbd-csi-rbdplugin-provisioner"]
- bound_service_account_namespaces = ["ceph-csi"]
- token_ttl = 60
+ backend = vault_auth_backend.kubernetes.path
+ role_name = "ceph-csi"
+ bound_service_account_names = [
+ "ceph-csi-rbd-csi-rbd-provisioner",
+ "ceph-csi-cephfs-csi-cephfs-provisioner",
+ ]
+ bound_service_account_namespaces = [
+ "csi-cephrbd",
+ "csi-cephfs",
+ ]
+ token_ttl = 60
 token_policies = [
 "kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read",
+ "kv/service/kubernetes/au/syd1/csi/ceph-cephfs-secret/read",
 ]
 audience = "vault"
 }
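Review bot: The two bound lists on the new side are matched independently by Vault, so this single role now admits either provisioner service account from either namespace and hands every login both secret-read policies; the rbd provisioner in `csi-cephrbd` can read the cephfs secret and vice versa, which is broader than the pairing the commit message describes. Splitting into one role per driver, each with a single name, namespace and policy, keeps the name/namespace pairing tight and each secret readable only by its own provisioner. The role names below (`ceph-csi-rbd`, `ceph-csi-cephfs`) are suggestions; whatever presumably references the `ceph-csi` role name today would need to follow whichever name is kept. The `ceph-csi` resource block lies entirely within the hunk.
```hcl
resource "vault_kubernetes_auth_backend_role" "ceph-csi-rbd" {
  backend                          = vault_auth_backend.kubernetes.path
  role_name                        = "ceph-csi-rbd"
  bound_service_account_names      = ["ceph-csi-rbd-csi-rbd-provisioner"]
  bound_service_account_namespaces = ["csi-cephrbd"]
  token_ttl                        = 60
  token_policies                   = ["kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read"]
  audience                         = "vault"
}

resource "vault_kubernetes_auth_backend_role" "ceph-csi-cephfs" {
  backend                          = vault_auth_backend.kubernetes.path
  role_name                        = "ceph-csi-cephfs"
  bound_service_account_names      = ["ceph-csi-cephfs-csi-cephfs-provisioner"]
  bound_service_account_namespaces = ["csi-cephfs"]
  token_ttl                        = 60
  token_policies                   = ["kv/service/kubernetes/au/syd1/csi/ceph-cephfs-secret/read"]
  audience                         = "vault"
}
```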