Simplify: use default templated policy for forgebot KV access
The default K8s auth policy already provides namespace-scoped access to
kv/data/kubernetes/namespace/{namespace}/{sa}/* via identity templating.
Forgebot secrets should be stored at kv/kubernetes/namespace/forgebot/default/*
instead of kv/service/forgebot/*, eliminating the need for 5 individual
policies. The forgebot K8s auth role is kept for the forgebot-operator SA.
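As an added illustration (not code from this repository) of the identity-templated rule the commit message relies on: a small Python model of Vault's policy path matching that renders the templated path for a given service-account namespace and name and reports which of the five paths from the deleted policies, and their relocated copies, that identity could read. The mount accessor `auth_kubernetes_ACCESSOR` is a placeholder, and the relocated secret names are assumed to mirror the old ones.

```python
import re

# Templated path from the default K8s auth policy (commit message); the mount
# accessor "auth_kubernetes_ACCESSOR" is a placeholder, not a value from the repo.
TEMPLATED_PATH = (
    "kv/data/kubernetes/namespace/"
    "{{identity.entity.aliases.auth_kubernetes_ACCESSOR.metadata.service_account_namespace}}/"
    "{{identity.entity.aliases.auth_kubernetes_ACCESSOR.metadata.service_account_name}}/*"
)

# Paths granted by the five policies this commit deletes (copied from the hunks).
OLD_POLICY_PATHS = [
    "kv/data/service/forgebot/environment",
    "kv/data/service/forgebot/gitea-token",
    "kv/data/service/forgebot/litellm-api-key",
    "kv/data/service/forgebot/postgres-credentials",
    "kv/data/service/forgebot/webhook-secret",
]
# New location named in the commit message: the "default" SA of the forgebot namespace.
NEW_PREFIX = "kv/data/kubernetes/namespace/forgebot/default/"
_TEMPLATE_RE = re.compile(r"\{\{identity\.entity\.aliases\.[^.}]+\.metadata\.([a-z_]+)\}\}")

def render(template: str, alias_metadata: dict) -> str:
    """Resolve {{identity...metadata.KEY}} with the caller's entity-alias metadata."""
    return _TEMPLATE_RE.sub(lambda m: alias_metadata[m.group(1)], template)

def path_allowed(policy_path: str, request_path: str) -> bool:
    """Vault policy paths match exactly, or by prefix when they end in '*'."""
    if policy_path.endswith("*"):
        return request_path.startswith(policy_path[:-1])
    return policy_path == request_path

def coverage(namespace: str, service_account: str) -> dict:
    """For a token whose alias metadata is (namespace, service_account), say
    whether the templated rule allows each old path and its relocated copy."""
    rule = render(TEMPLATED_PATH, {"service_account_namespace": namespace,
                                   "service_account_name": service_account})
    report = {}
    for old in OLD_POLICY_PATHS:
        secret = old.rsplit("/", 1)[1]
        report[secret] = {"old_path": path_allowed(rule, old),
                          "new_path": path_allowed(rule, NEW_PREFIX + secret)}
    return report

if __name__ == "__main__":
    for ns, sa in [("forgebot", "default"), ("forgebot", "forgebot-operator")]:
        print(ns, sa, coverage(ns, sa))
```

Running it shows the old paths are unreadable for every identity once the explicit policies are gone, and that only the `default` SA in the `forgebot` namespace, not `forgebot-operator`, reaches the new location.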
@@ -1,9 +0,0 @@
---
rules:
- path: "kv/data/service/forgebot/environment"
capabilities:
- read
auth:
k8s/au/syd1:
- forgebot
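Review bot: nothing in this hunk, or anywhere else in the diff, moves the secret at `kv/data/service/forgebot/environment` to the `kv/kubernetes/namespace/forgebot/default/` location the commit message names, so once this policy is deleted the `forgebot` role loses read access to the only existing copy and the workload fails until the secret is rewritten. Write the secret at the new path first, confirm the consumer reads it, then delete the old copy including its version history so no stale secret lingers outside any policy.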
@@ -1,9 +0,0 @@
---
rules:
- path: "kv/data/service/forgebot/gitea-token"
capabilities:
- read
auth:
k8s/au/syd1:
- forgebot
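Review bot: the diff does not touch whatever injects `kv/data/service/forgebot/gitea-token` into the pod (Vault Agent annotations, an ExternalSecret, or similar); that reference has to be repointed to the new path in the same change, otherwise it keeps requesting a path no remaining policy grants. Listing the consumers that were updated in the commit message would make the rollout order reviewable.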
@@ -1,9 +0,0 @@
---
rules:
- path: "kv/data/service/forgebot/litellm-api-key"
capabilities:
- read
auth:
k8s/au/syd1:
- forgebot
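Review bot: the replacement rule is `{namespace}/{sa}/*`, and the commit message places the secrets under `forgebot/default/*`, i.e. the `default` service account of the namespace. Any pod in the `forgebot` namespace that is not given its own service account authenticates as `default` and can then read this API key together with every other forgebot secret, whereas the policy deleted here granted exactly one path. If anything else runs in that namespace, give forgebot a dedicated service account and store the secrets under its name.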
@@ -1,9 +0,0 @@
---
rules:
- path: "kv/data/service/forgebot/postgres-credentials"
capabilities:
- read
auth:
k8s/au/syd1:
- forgebot
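Review bot: the commit message says the `forgebot` role in `k8s/au/syd1` is kept for the `forgebot-operator` SA, but a token from that SA renders the templated path as `.../forgebot/forgebot-operator/*`, not the `.../forgebot/default/*` location chosen for the secrets, so it could not read these credentials after this policy is removed. Either store the secrets under the name of the service account that actually reads them, or state in the message which SA is expected to authenticate for each path.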
@@ -1,9 +0,0 @@
---
rules:
- path: "kv/data/service/forgebot/webhook-secret"
capabilities:
- read
auth:
k8s/au/syd1:
- forgebot
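Review bot: this is the last of the five explicit policy bindings for the `forgebot` role, and the diff does not show the default templated policy being attached to that role or the role's bound service-account names and namespaces. Before merging, confirm (for example with `vault read auth/k8s/au/syd1/role/forgebot`, assuming `k8s/au/syd1` is the auth mount path) that the role's policy list includes the templated default policy and that its bound namespace is `forgebot`, so the move neither widens nor silently drops access.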