Simplify: use default templated policy for forgebot KV access
The default K8s auth policy already provides namespace-scoped access to
kv/data/kubernetes/namespace/{namespace}/{sa}/* via identity templating.
Forgebot secrets should be stored at kv/kubernetes/namespace/forgebot/default/*
instead of kv/service/forgebot/*, eliminating the need for 5 individual
policies. The forgebot K8s auth role is kept for the forgebot-operator SA.
@@ -1,9 +0,0 @@
|
||||
---
|
||||
rules:
|
||||
- path: "kv/data/service/forgebot/environment"
|
||||
capabilities:
|
||||
- read
|
||||
|
||||
auth:
|
||||
k8s/au/syd1:
|
||||
- forgebot
|
||||
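Review bot: Removing this policy is only safe if the templated default policy really covers the SA the forgebot workload runs as; the message says the template is keyed on `{namespace}/{sa}`, and the new path `kv/kubernetes/namespace/forgebot/default/*` implies the pods run as the `default` ServiceAccount, but nothing in this diff shows that, nor that the `environment` secret has already been written to the new path. Suggest landing the secret migration first and confirming the workload's `serviceAccountName` before deleting the explicit grant, otherwise the deployment loses read access to `environment` at rollout.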
@@ -1,9 +0,0 @@
|
||||
---
|
||||
rules:
|
||||
- path: "kv/data/service/forgebot/gitea-token"
|
||||
capabilities:
|
||||
- read
|
||||
|
||||
auth:
|
||||
k8s/au/syd1:
|
||||
- forgebot
|
||||
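Review bot: This hunk swaps a per-secret `read` on `kv/data/service/forgebot/gitea-token` for a wildcard over the whole `.../forgebot/default/*` prefix, so the least-privilege property of one policy per secret is lost: any secret later placed under that prefix becomes readable by the same identity. That trade-off is reasonable for the simplification the message describes, but it should be stated in the commit message or the repository docs so future additions under that prefix are made deliberately.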
@@ -1,9 +0,0 @@
|
||||
---
|
||||
rules:
|
||||
- path: "kv/data/service/forgebot/litellm-api-key"
|
||||
capabilities:
|
||||
- read
|
||||
|
||||
auth:
|
||||
k8s/au/syd1:
|
||||
- forgebot
|
||||
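Review bot: The `auth:` block being deleted here bound this policy to the `forgebot` role on `k8s/au/syd1`; the message says that role is kept for the `forgebot-operator` SA, so please confirm the role's policy list no longer references `forgebot-litellm-api-key` (or whatever name this file mapped to). A role that still lists a deleted policy issues tokens that silently carry a no-op policy name, which is easy to miss until the operator tries to read the key.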
@@ -1,9 +0,0 @@
|
||||
---
|
||||
rules:
|
||||
- path: "kv/data/service/forgebot/postgres-credentials"
|
||||
capabilities:
|
||||
- read
|
||||
|
||||
auth:
|
||||
k8s/au/syd1:
|
||||
- forgebot
|
||||
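Review bot: For `postgres-credentials` in particular, verify the new path under `kv/kubernetes/namespace/forgebot/default/` is populated and that the consumer (likely the forgebot application, not the operator) reads from it before this hunk merges; database credentials are the one secret here whose absence at startup typically surfaces as a crash loop rather than a clear authorization error, which makes a mis-ordered rollout harder to diagnose.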
@@ -1,9 +0,0 @@
|
||||
---
|
||||
rules:
|
||||
- path: "kv/data/service/forgebot/webhook-secret"
|
||||
capabilities:
|
||||
- read
|
||||
|
||||
auth:
|
||||
k8s/au/syd1:
|
||||
- forgebot
|
||||
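Review bot: Moving `webhook-secret` under the `default` SA's templated path widens its audience: the `default` ServiceAccount is what every pod in the `forgebot` namespace uses unless it sets `serviceAccountName`, so any such pod can authenticate to Vault and read everything under `.../forgebot/default/*`. Suggest running forgebot under a dedicated SA (for example `forgebot`) and storing the secrets at `.../forgebot/forgebot/*` instead, which keeps the templated-policy simplification while preserving the per-workload scoping these deleted policies gave.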