From 7b81abfa9e1c78bd0ec6bb0414554b8c652abdde Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sat, 13 Dec 2025 09:20:41 +1100
Subject: [PATCH] feat: add repoflow service vault configuration
- add secrets for s3, elasticsearch, hasura, postgres and repoflow
---
 auth_kubernetes_roles.tf | 20 +++++++++++++++++++
 .../service/repoflow/au/syd1/ceph-s3/read.hcl | 3 +++
 .../repoflow/au/syd1/elasticsearch/read.hcl | 3 +++
 .../service/repoflow/au/syd1/hasura/read.hcl | 3 +++
 .../repoflow/au/syd1/postgres/read.hcl | 3 +++
 .../repoflow/au/syd1/repoflow-server/read.hcl | 3 +++
 6 files changed, 35 insertions(+)
 create mode 100644 policies/kv/service/repoflow/au/syd1/ceph-s3/read.hcl
 create mode 100644 policies/kv/service/repoflow/au/syd1/elasticsearch/read.hcl
 create mode 100644 policies/kv/service/repoflow/au/syd1/hasura/read.hcl
 create mode 100644 policies/kv/service/repoflow/au/syd1/postgres/read.hcl
 create mode 100644 policies/kv/service/repoflow/au/syd1/repoflow-server/read.hcl
diff --git a/auth_kubernetes_roles.tf b/auth_kubernetes_roles.tf
index 1cdf865..d4edeac 100644
--- a/auth_kubernetes_roles.tf
+++ b/auth_kubernetes_roles.tf
@@ -95,3 +95,23 @@ resource "vault_kubernetes_auth_backend_role" "media-apps" {
 ]
 audience = "vault"
 }
+
+resource "vault_kubernetes_auth_backend_role" "repoflow" {
+ backend = vault_auth_backend.kubernetes.path
+ role_name = "repoflow"
+ bound_service_account_names = [
+ "default",
+ ]
+ bound_service_account_namespaces = [
+ "repoflow",
+ ]
+ token_ttl = 60
+ token_policies = [
+ "kv/service/repoflow/au/syd1/ceph-s3/read",
+ "kv/service/repoflow/au/syd1/elasticsearch/read",
+ "kv/service/repoflow/au/syd1/hasura/read",
+ "kv/service/repoflow/au/syd1/postgres/read",
+ "kv/service/repoflow/au/syd1/repoflow-server/read",
+ ]
+ audience = "vault"
+}
diff --git a/policies/kv/service/repoflow/au/syd1/ceph-s3/read.hcl b/policies/kv/service/repoflow/au/syd1/ceph-s3/read.hcl
new file mode 100644
index 0000000..c9382bf
--- /dev/null
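Review bot: The new role binds the namespace's `default` service account (`bound_service_account_names = ["default"]`), so any pod in the `repoflow` namespace that does not set its own serviceAccountName can log in and receive all five read policies, including the S3, Elasticsearch, Hasura and Postgres credentials, whether or not it belongs to the application. Binding a dedicated service account instead, `bound_service_account_names = ["<repoflow-workload-sa>"]` (placeholder name), and ideally one role per component carrying only that component's policy, limits a compromised or misconfigured pod to its own secrets. `token_ttl = 60` is in seconds for this provider, so a client that does not renew has one minute to fetch its secrets; a comment such as `# short TTL: workloads read once at startup / agent renews` would record which is intended. The entries in `token_policies` are plain string references and, as far as I know, Vault attaches an unknown policy name without error so a typo only shows up as permission denied at runtime; they should be checked against the `vault_policy` resources, which are outside this diff.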
+++ b/policies/kv/service/repoflow/au/syd1/ceph-s3/read.hcl
@@ -0,0 +1,3 @@
+path "kv/data/service/repoflow/au/syd1/ceph-s3" {
+ capabilities = ["read"]
+}
diff --git a/policies/kv/service/repoflow/au/syd1/elasticsearch/read.hcl b/policies/kv/service/repoflow/au/syd1/elasticsearch/read.hcl
new file mode 100644
index 0000000..ca884b6
--- /dev/null
+++ b/policies/kv/service/repoflow/au/syd1/elasticsearch/read.hcl
@@ -0,0 +1,3 @@
+path "kv/data/service/repoflow/au/syd1/elasticsearch" {
+ capabilities = ["read"]
+}
diff --git a/policies/kv/service/repoflow/au/syd1/hasura/read.hcl b/policies/kv/service/repoflow/au/syd1/hasura/read.hcl
new file mode 100644
index 0000000..dc09fe5
--- /dev/null
+++ b/policies/kv/service/repoflow/au/syd1/hasura/read.hcl
@@ -0,0 +1,3 @@
+path "kv/data/service/repoflow/au/syd1/hasura" {
+ capabilities = ["read"]
+}
diff --git a/policies/kv/service/repoflow/au/syd1/postgres/read.hcl b/policies/kv/service/repoflow/au/syd1/postgres/read.hcl
new file mode 100644
index 0000000..a84fa8d
--- /dev/null
+++ b/policies/kv/service/repoflow/au/syd1/postgres/read.hcl
@@ -0,0 +1,3 @@
+path "kv/data/service/repoflow/au/syd1/postgres" {
+ capabilities = ["read"]
+}
diff --git a/policies/kv/service/repoflow/au/syd1/repoflow-server/read.hcl b/policies/kv/service/repoflow/au/syd1/repoflow-server/read.hcl
new file mode 100644
index 0000000..d29383c
--- /dev/null
+++ b/policies/kv/service/repoflow/au/syd1/repoflow-server/read.hcl
@@ -0,0 +1,3 @@
+path "kv/data/service/repoflow/au/syd1/repoflow-server" {
+ capabilities = ["read"]
+}
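Review bot: The five policy files are identical apart from the last path segment, so the ceph-s3, elasticsearch, hasura, postgres and repoflow-server hunks would be easier to keep in step if the `vault_policy` resource that presumably loads the `policies/` directory used `for_each` over the component names and one template, instead of five hand-written copies that can drift when one later gains `list` or `update`. Each file grants only `read` on the KV v2 `kv/data/...` path, which is the minimal capability for fetching the secret and does not cover `kv/metadata/...`, so listing and delete/destroy operations are not granted; a one-line comment in each file, `# read-only access to this component's secret; no metadata/list capabilities`, would make that deliberate rather than accidental.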