Simplify: use default templated policy for forgebot KV access
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline failed

The default K8s auth policy already provides namespace-scoped access to
kv/data/kubernetes/namespace/{namespace}/{sa}/* via identity templating.
Forgebot secrets should be stored at kv/kubernetes/namespace/forgebot/default/*
instead of kv/service/forgebot/*, eliminating the need for 5 individual
policies. The forgebot K8s auth role is kept for the forgebot-operator SA.
2026-06-08 22:54:58 +10:00
parent 2c4d0d7f64
commit f5803605d6
5 changed files with 0 additions and 45 deletions
@@ -1,9 +0,0 @@
---
rules:
- path: "kv/data/service/forgebot/environment"
capabilities:
- read
auth:
k8s/au/syd1:
- forgebot
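Review bot: Deleting the read rule for kv/data/service/forgebot/environment in a change that reports 0 additions means nothing visible here repoints consumers to the new location, so any workload still reading this path will be denied once the policy is gone. Confirm the secret has been copied to kv/kubernetes/namespace/forgebot/default/ and the readers updated before this merges, and check whether the failed plan pipeline is related.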
@@ -1,9 +0,0 @@
---
rules:
- path: "kv/data/service/forgebot/gitea-token"
capabilities:
- read
auth:
k8s/au/syd1:
- forgebot
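Review bot: The binding removed here is the forgebot role under k8s/au/syd1, which the commit message says is kept for the forgebot-operator SA, yet the new storage path ends in forgebot/default. With the template {namespace}/{sa}, a login as forgebot-operator would resolve to forgebot/forgebot-operator/* rather than forgebot/default/*, so please state which service account actually reads gitea-token and place the secret under that SA's prefix.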
@@ -1,9 +0,0 @@
---
rules:
- path: "kv/data/service/forgebot/litellm-api-key"
capabilities:
- read
auth:
k8s/au/syd1:
- forgebot
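Review bot: This rule limited access to one named path with only the read capability, while the replacement is a wildcard under the namespace/SA prefix whose capabilities are not shown in this change. Every pod running as that service account will be able to reach litellm-api-key along with everything else under the prefix, so confirm the default policy's capabilities are acceptable for these secrets and that the SA is not shared with unrelated workloads.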
@@ -1,9 +0,0 @@
---
rules:
- path: "kv/data/service/forgebot/postgres-credentials"
capabilities:
- read
auth:
k8s/au/syd1:
- forgebot
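Review bot: Removing the policy for kv/data/service/forgebot/postgres-credentials does not remove the secret itself, so the old copy stays in the mount after this change and is no longer covered by these rules. Add a follow-up step to delete the kv/service/forgebot/* entries once the new path is confirmed working, so that stale database credentials are not left behind for a later, broader policy to expose.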
@@ -1,9 +0,0 @@
---
rules:
- path: "kv/data/service/forgebot/webhook-secret"
capabilities:
- read
auth:
k8s/au/syd1:
- forgebot
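Review bot: The rules here use the kv/data/ form of the path, while the commit message gives the templated policy path with data/ and the new storage location (kv/kubernetes/namespace/forgebot/default/*) without it. A one-line note in the message or the repo docs on which form is meant in each place would keep someone from writing webhook-secret to a path the templated policy does not match.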