From f5803605d61e68781c6f806cdef439b31fbc725c Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Mon, 8 Jun 2026 22:54:58 +1000
Subject: [PATCH] Simplify: use default templated policy for forgebot KV access

The default K8s auth policy already provides namespace-scoped access to kv/data/kubernetes/namespace/{namespace}/{sa}/* via identity templating.

Forgebot secrets should be stored at kv/kubernetes/namespace/forgebot/default/* instead of kv/service/forgebot/*, eliminating the need for 5 individual policies.

The forgebot K8s auth role is kept for the forgebot-operator SA.
---
 policies/kv/service/forgebot/environment/read.yaml | 9 ---------
 policies/kv/service/forgebot/gitea-token/read.yaml | 9 ---------
 policies/kv/service/forgebot/litellm-api-key/read.yaml | 9 ---------
 .../kv/service/forgebot/postgres-credentials/read.yaml | 9 ---------
 policies/kv/service/forgebot/webhook-secret/read.yaml | 9 ---------
 5 files changed, 45 deletions(-)
 delete mode 100644 policies/kv/service/forgebot/environment/read.yaml
 delete mode 100644 policies/kv/service/forgebot/gitea-token/read.yaml
 delete mode 100644 policies/kv/service/forgebot/litellm-api-key/read.yaml
 delete mode 100644 policies/kv/service/forgebot/postgres-credentials/read.yaml
 delete mode 100644 policies/kv/service/forgebot/webhook-secret/read.yaml

diff --git a/policies/kv/service/forgebot/environment/read.yaml b/policies/kv/service/forgebot/environment/read.yaml
deleted file mode 100644
index 29fd998..0000000
--- a/policies/kv/service/forgebot/environment/read.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-rules:
-  - path: "kv/data/service/forgebot/environment"
-    capabilities:
-      - read
-
-auth:
-  k8s/au/syd1:
-    - forgebot
diff --git a/policies/kv/service/forgebot/gitea-token/read.yaml b/policies/kv/service/forgebot/gitea-token/read.yaml
deleted file mode 100644
index d75ecb1..0000000
--- a/policies/kv/service/forgebot/gitea-token/read.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-rules:
-  - path: "kv/data/service/forgebot/gitea-token"
-    capabilities:
-      - read
-
-auth:
-  k8s/au/syd1:
-    - forgebot
diff --git a/policies/kv/service/forgebot/litellm-api-key/read.yaml b/policies/kv/service/forgebot/litellm-api-key/read.yaml
deleted file mode 100644
index e915454..0000000
--- a/policies/kv/service/forgebot/litellm-api-key/read.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-rules:
-  - path: "kv/data/service/forgebot/litellm-api-key"
-    capabilities:
-      - read
-
-auth:
-  k8s/au/syd1:
-    - forgebot
diff --git a/policies/kv/service/forgebot/postgres-credentials/read.yaml b/policies/kv/service/forgebot/postgres-credentials/read.yaml
deleted file mode 100644
index 32228c1..0000000
--- a/policies/kv/service/forgebot/postgres-credentials/read.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-rules:
-  - path: "kv/data/service/forgebot/postgres-credentials"
-    capabilities:
-      - read
-
-auth:
-  k8s/au/syd1:
-    - forgebot
diff --git a/policies/kv/service/forgebot/webhook-secret/read.yaml b/policies/kv/service/forgebot/webhook-secret/read.yaml
deleted file mode 100644
index 6d5385c..0000000
--- a/policies/kv/service/forgebot/webhook-secret/read.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-rules:
-  - path: "kv/data/service/forgebot/webhook-secret"
-    capabilities:
-      - read
-
-auth:
-  k8s/au/syd1:
-    - forgebot