Merge pull request 'fix: kubernetes auth fixes' (#53 ) from benvin/kubernetes_fixes into master

Reviewed-on: #53
fix: kubernetes auth fixes
2026-02-15 13:08:43 +11:00 · 2026-02-15 13:06:08 +11:00
10 changed files with 10 additions and 10 deletions
--- a/config/auth_kubernetes_backend/k8s/au/syd1.yaml
+++ b/config/auth_kubernetes_backend/k8s/au/syd1.yaml
@ -1,5 +1,5 @@
 kubernetes_host: https://api-k8s.service.consul:6443
 disable_iss_validation: true
-use_annotations_as_alias_metadata: true
+use_annotations_as_alias_metadata: false # doesnt work with openbao yet
 default_lease_ttl: 1h
 max_lease_ttl: 24h
--- a/config/auth_kubernetes_role/k8s/au/syd1/ceph-csi.yaml
+++ b/config/auth_kubernetes_role/k8s/au/syd1/ceph-csi.yaml
@ -4,5 +4,5 @@ bound_service_account_names:
 bound_service_account_namespaces:
  - csi-cephrbd
  - csi-cephfs
-token_ttl: 60
+token_ttl: 600
 audience: vault
--- a/config/auth_kubernetes_role/k8s/au/syd1/cert_manager_issuer.yaml
+++ b/config/auth_kubernetes_role/k8s/au/syd1/cert_manager_issuer.yaml
@ -2,5 +2,5 @@ bound_service_account_names:
  - cert-manager-vault-issuer
 bound_service_account_namespaces:
  - cert-manager
-token_ttl: 60
+token_ttl: 600
 audience: vault
--- a/config/auth_kubernetes_role/k8s/au/syd1/externaldns.yaml
+++ b/config/auth_kubernetes_role/k8s/au/syd1/externaldns.yaml
@ -2,5 +2,5 @@ bound_service_account_names:
  - externaldns
 bound_service_account_namespaces:
  - externaldns
-token_ttl: 60
+token_ttl: 600
 audience: vault
--- a/config/auth_kubernetes_role/k8s/au/syd1/huntarr-default.yaml
+++ b/config/auth_kubernetes_role/k8s/au/syd1/huntarr-default.yaml
@ -2,5 +2,5 @@ bound_service_account_names:
  - default
 bound_service_account_namespaces:
  - huntarr
-token_ttl: 60
+token_ttl: 600
 audience: vault
--- a/config/auth_kubernetes_role/k8s/au/syd1/identity.yaml
+++ b/config/auth_kubernetes_role/k8s/au/syd1/identity.yaml
@ -2,5 +2,5 @@ bound_service_account_names:
  - default
 bound_service_account_namespaces:
  - identity
-token_ttl: 60
+token_ttl: 600
 audience: vault
--- a/config/auth_kubernetes_role/k8s/au/syd1/media-apps.yaml
+++ b/config/auth_kubernetes_role/k8s/au/syd1/media-apps.yaml
@ -2,5 +2,5 @@ bound_service_account_names:
  - media-apps-vault-reader
 bound_service_account_namespaces:
  - media-apps
-token_ttl: 60
+token_ttl: 600
 audience: vault
--- a/config/auth_kubernetes_role/k8s/au/syd1/puppet.yaml
+++ b/config/auth_kubernetes_role/k8s/au/syd1/puppet.yaml
@ -2,5 +2,5 @@ bound_service_account_names:
  - default
 bound_service_account_namespaces:
  - puppet
-token_ttl: 60
+token_ttl: 600
 audience: vault
--- a/config/auth_kubernetes_role/k8s/au/syd1/rancher.yaml
+++ b/config/auth_kubernetes_role/k8s/au/syd1/rancher.yaml
@ -2,5 +2,5 @@ bound_service_account_names:
  - rancher
 bound_service_account_namespaces:
  - cattle-system
-token_ttl: 60
+token_ttl: 600
 audience: vault
--- a/config/auth_kubernetes_role/k8s/au/syd1/repoflow.yaml
+++ b/config/auth_kubernetes_role/k8s/au/syd1/repoflow.yaml
@ -2,5 +2,5 @@ bound_service_account_names:
  - default
 bound_service_account_namespaces:
  - repoflow
-token_ttl: 60
+token_ttl: 600
 audience: vault
Author	SHA1	Message	Date
Ben Vincent	d398911108	Merge pull request 'fix: kubernetes auth fixes' (#53 ) from benvin/kubernetes_fixes into master Reviewed-on: #53	2026-02-15 13:08:43 +11:00
Ben Vincent	c093d5830d	fix: kubernetes auth fixes - annotations as alias metadata does not work with openbao (idempotency issue) - set token_ttl to be 600 for all auth roles for kubernetes (min)	2026-02-15 13:06:08 +11:00