feat: add repoflow service vault configuration

- add secrets for s3, elasticsearch, hasura, postgres and repoflow

auth_kubernetes_roles.tf

@@ -95,3 +95,23 @@ resource "vault_kubernetes_auth_backend_role" "media-apps" {
   ]
   audience = "vault"
 }
+
+resource "vault_kubernetes_auth_backend_role" "repoflow" {
+  backend   = vault_auth_backend.kubernetes.path
+  role_name = "repoflow"
+  bound_service_account_names = [
+    "default",
+  ]
+  bound_service_account_namespaces = [
+    "repoflow",
+  ]
+  token_ttl = 60
+  token_policies = [
+    "kv/service/repoflow/au/syd1/ceph-s3/read",
+    "kv/service/repoflow/au/syd1/elasticsearch/read",
+    "kv/service/repoflow/au/syd1/hasura/read",
+    "kv/service/repoflow/au/syd1/postgres/read",
+    "kv/service/repoflow/au/syd1/repoflow-server/read",
+  ]
+  audience = "vault"
+}

policies/kv/service/repoflow/au/syd1/ceph-s3/read.hcl

@@ -0,0 +1,3 @@
+path "kv/data/service/repoflow/au/syd1/ceph-s3" {
+  capabilities = ["read"]
+}

policies/kv/service/repoflow/au/syd1/elasticsearch/read.hcl

@@ -0,0 +1,3 @@
+path "kv/data/service/repoflow/au/syd1/elasticsearch" {
+  capabilities = ["read"]
+}

policies/kv/service/repoflow/au/syd1/hasura/read.hcl

@@ -0,0 +1,3 @@
+path "kv/data/service/repoflow/au/syd1/hasura" {
+  capabilities = ["read"]
+}

policies/kv/service/repoflow/au/syd1/postgres/read.hcl

@@ -0,0 +1,3 @@
+path "kv/data/service/repoflow/au/syd1/postgres" {
+  capabilities = ["read"]
+}

policies/kv/service/repoflow/au/syd1/repoflow-server/read.hcl

@@ -0,0 +1,3 @@
+path "kv/data/service/repoflow/au/syd1/repoflow-server" {
+  capabilities = ["read"]
+}