From c88b19a216f92f59850b22e429f211af1ed45659 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 7 Dec 2025 12:41:37 +1100
Subject: [PATCH] feat: label kubernetes ephemeral serviceaccounts
- ensure all service accounts are labelled with role/cluster
- add additional api endpoints to cluster roles
---
 engine_k8s_au_syd1.tf | 20 +++++++++++++++++++
 .../generated_role_rules/cluster-admin.yaml | 3 +++
 .../cluster-operator.yaml | 3 +++
 3 files changed, 26 insertions(+)
diff --git a/engine_k8s_au_syd1.tf b/engine_k8s_au_syd1.tf
index bdadd84..9db2435 100644
--- a/engine_k8s_au_syd1.tf
+++ b/engine_k8s_au_syd1.tf
@@ -22,6 +22,11 @@ resource "vault_kubernetes_secret_backend_role" "media_apps_operator" {
 kubernetes_role_type = "Role"
 generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/media-apps-operator.yaml")
+
+ extra_labels = {
+ vault-region = "au-syd1"
+ vault-role = "vault-media-apps-operator"
+ }
 }
 resource "vault_kubernetes_secret_backend_role" "cluster_operator" {
@@ -31,6 +36,11 @@ resource "vault_kubernetes_secret_backend_role" "cluster_operator" {
 kubernetes_role_type = "ClusterRole"
 generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/cluster-operator.yaml")
+
+ extra_labels = {
+ vault-region = "au-syd1"
+ vault-role = "vault-cluster-operator"
+ }
 }
 resource "vault_kubernetes_secret_backend_role" "cluster_admin" {
@@ -40,6 +50,11 @@ resource "vault_kubernetes_secret_backend_role" "cluster_admin" {
 kubernetes_role_type = "ClusterRole"
 generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/cluster-admin.yaml")
+
+ extra_labels = {
+ vault-region = "au-syd1"
+ vault-role = "vault-cluster-admin"
+ }
 }
 resource "vault_kubernetes_secret_backend_role" "cluster_root" {
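Review bot: The `vault-role` label value in this hunk (and in the `cluster_operator`, `cluster_admin` and `cluster_root` hunks, which follow the same pattern) is a hand-copied string that has to stay in sync with the resource's `name` argument, which sits above the hunk and is not visible here; a typo or later rename leaves the ephemeral service account labelled with a role that does not exist, which defeats the audit correlation the label is meant to give. Consider declaring each role name once in a `locals` map and referencing it from both `name` and `extra_labels`, and likewise replacing the four repeated `"au-syd1"` literals with a single local (constructed example: `vault-region = local.vault_region`). The commit description says the accounts are labelled with "role/cluster", but only `vault-region` and `vault-role` are added, so either the description or the label set appears to be incomplete.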
@@ -49,4 +64,9 @@ resource "vault_kubernetes_secret_backend_role" "cluster_root" {
 kubernetes_role_type = "ClusterRole"
 generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/cluster-root.yaml")
+
+ extra_labels = {
+ vault-region = "au-syd1"
+ vault-role = "vault-cluster-root"
+ }
 }
diff --git a/resources/k8s/syd1/au/generated_role_rules/cluster-admin.yaml b/resources/k8s/syd1/au/generated_role_rules/cluster-admin.yaml
index 80ca051..6f80bde 100644
--- a/resources/k8s/syd1/au/generated_role_rules/cluster-admin.yaml
+++ b/resources/k8s/syd1/au/generated_role_rules/cluster-admin.yaml
@@ -17,6 +17,9 @@ rules:
 - "nfd.k8s-sigs.io"
 - "policy"
 - "metrics.k8s.io"
+ - "logstash.k8s.elastic.co"
+ - "elasticsearch.k8s.elastic.co"
+ - "kibana.k8s.elastic.co"
 resources:
 - "*"
 verbs:
diff --git a/resources/k8s/syd1/au/generated_role_rules/cluster-operator.yaml b/resources/k8s/syd1/au/generated_role_rules/cluster-operator.yaml
index 480d36b..1808085 100644
--- a/resources/k8s/syd1/au/generated_role_rules/cluster-operator.yaml
+++ b/resources/k8s/syd1/au/generated_role_rules/cluster-operator.yaml
@@ -17,6 +17,9 @@ rules:
 - "nfd.k8s-sigs.io"
 - "policy"
 - "metrics.k8s.io"
+ - "logstash.k8s.elastic.co"
+ - "elasticsearch.k8s.elastic.co"
+ - "kibana.k8s.elastic.co"
 resources:
 - "*"
 verbs:
-- 
2.47.3
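Review bot: The three Elastic API groups added under `apiGroups` in cluster-admin.yaml (and identically in cluster-operator.yaml) sit in a rule whose `resources` is `"*"`, so both generated ClusterRoles gain every resource kind the ECK operator registers in those groups, with whatever `verbs` follow the hunk; the verbs list is outside the visible lines, so its scope cannot be checked here. For the operator role in particular it is worth confirming that unrestricted access to the Elasticsearch, Kibana and Logstash custom resources is intended, because those objects define the stack's topology and credentials handling; if only some kinds are needed, list their resource plurals explicitly instead of `"*"` and narrow `verbs` to match. After this change the `apiGroups` lists of the two files are identical in this region, so whatever still distinguishes "operator" from "admin" must live in the verbs or elsewhere in the file, which a short header comment in each YAML naming the intended privilege boundary would make reviewable.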