From 4cf1b43960252ef190e54d39fdd7f8071784a6cf Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Wed, 26 Nov 2025 21:00:18 +1100
Subject: [PATCH] chore: update k8s csi roles

- ensure the new service accounts can read cephrbd/cephfs
- ensure correct namespace is allowed

---
 auth_kubernetes_roles.tf | 17 ++++++++++++-----
 .../au/syd1/csi/ceph-cephfs-secret/read.hcl | 3 +++
 2 files changed, 15 insertions(+), 5 deletions(-)
 create mode 100644 policies/kv/service/kubernetes/au/syd1/csi/ceph-cephfs-secret/read.hcl

diff --git a/auth_kubernetes_roles.tf b/auth_kubernetes_roles.tf
index 74b2622..35b38b1 100644
--- a/auth_kubernetes_roles.tf
+++ b/auth_kubernetes_roles.tf
@@ -61,13 +61,20 @@ resource "vault_kubernetes_auth_backend_role" "cert_manager_issuer" {
 }
 
 resource "vault_kubernetes_auth_backend_role" "ceph-csi" {
- backend = vault_auth_backend.kubernetes.path
- role_name = "ceph-csi"
- bound_service_account_names = ["ceph-csi-rbd-csi-rbdplugin-provisioner"]
- bound_service_account_namespaces = ["ceph-csi"]
- token_ttl = 60
+ backend = vault_auth_backend.kubernetes.path
+ role_name = "ceph-csi"
+ bound_service_account_names = [
+ "ceph-csi-rbd-csi-rbd-provisioner",
+ "ceph-csi-cephfs-csi-cephfs-provisioner",
+ ]
+ bound_service_account_namespaces = [
+ "csi-cephrbd",
+ "csi-cephfs",
+ ]
+ token_ttl = 60
 token_policies = [
 "kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read",
+ "kv/service/kubernetes/au/syd1/csi/ceph-cephfs-secret/read",
 ]
 audience = "vault"
 }
diff --git a/policies/kv/service/kubernetes/au/syd1/csi/ceph-cephfs-secret/read.hcl b/policies/kv/service/kubernetes/au/syd1/csi/ceph-cephfs-secret/read.hcl
new file mode 100644
index 0000000..b937320
--- /dev/null
+++ b/policies/kv/service/kubernetes/au/syd1/csi/ceph-cephfs-secret/read.hcl
@@ -0,0 +1,3 @@
+path "kv/data/service/kubernetes/au/syd1/csi/ceph-cephfs-secret" {
+ capabilities = ["read"]
+}
-- 
2.47.3
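Review bot: Vault evaluates `bound_service_account_names` and `bound_service_account_namespaces` as independent lists, so the merged role in the first hunk also accepts `ceph-csi-rbd-csi-rbd-provisioner` logging in from `csi-cephfs` and `ceph-csi-cephfs-csi-cephfs-provisioner` from `csi-cephrbd`, and every successful login is issued both secret policies rather than just the one its driver needs. If the two drivers really live in separate namespaces, as the namespace names suggest, one role per driver keeps each provisioner bound to its own namespace and its own secret, as in the rewrite below. Keeping the Terraform address `ceph-csi` for the rbd side avoids destroying and recreating the existing role; the cephfs role name below is a constructed value and whatever configures the cephfs driver's Vault login presumably has to reference it instead of "ceph-csi". The second hunk's policy file reads fine on its own, provided the consumer only needs `kv/data/` and not the secret's metadata path.
```hcl
resource "vault_kubernetes_auth_backend_role" "ceph-csi" {
  backend                          = vault_auth_backend.kubernetes.path
  role_name                        = "ceph-csi"
  bound_service_account_names      = ["ceph-csi-rbd-csi-rbd-provisioner"]
  bound_service_account_namespaces = ["csi-cephrbd"]
  token_ttl                        = 60
  token_policies                   = ["kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read"]
  audience                         = "vault"
}

# cephfs driver: separate role so its provisioner only gets the cephfs secret
resource "vault_kubernetes_auth_backend_role" "ceph-csi-cephfs" {
  backend                          = vault_auth_backend.kubernetes.path
  role_name                        = "ceph-csi-cephfs"
  bound_service_account_names      = ["ceph-csi-cephfs-csi-cephfs-provisioner"]
  bound_service_account_namespaces = ["csi-cephfs"]
  token_ttl                        = 60
  token_policies                   = ["kv/service/kubernetes/au/syd1/csi/ceph-cephfs-secret/read"]
  audience                         = "vault"
}
```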