From 75e9db1aa617d09e080ed70ba93ec0a454c727fa Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 1 Feb 2026 14:54:23 +1100
Subject: [PATCH] chore: add puppet k8s role - add role and policies
---
 config/auth_kubernetes_role/k8s/au/syd1/puppet.yaml | 6 ++++++
 .../kv/service/puppet/puppetboard-secret-key/read.yaml | 9 +++++++++
 .../puppet/puppetdb-postgresql-credentials/read.yaml | 9 +++++++++
 .../kubernetes/au/syd1/roles/cluster-admin.yaml | 1 +
 .../kubernetes/au/syd1/roles/cluster-operator.yaml | 1 +
 5 files changed, 26 insertions(+)
 create mode 100644 config/auth_kubernetes_role/k8s/au/syd1/puppet.yaml
 create mode 100644 policies/kv/service/puppet/puppetboard-secret-key/read.yaml
 create mode 100644 policies/kv/service/puppet/puppetdb-postgresql-credentials/read.yaml
diff --git a/config/auth_kubernetes_role/k8s/au/syd1/puppet.yaml b/config/auth_kubernetes_role/k8s/au/syd1/puppet.yaml
new file mode 100644
index 0000000..161f4fe
--- /dev/null
+++ b/config/auth_kubernetes_role/k8s/au/syd1/puppet.yaml
@@ -0,0 +1,6 @@
+bound_service_account_names:
+ - default
+bound_service_account_namespaces:
+ - puppet
+token_ttl: 60
+audience: vault
diff --git a/policies/kv/service/puppet/puppetboard-secret-key/read.yaml b/policies/kv/service/puppet/puppetboard-secret-key/read.yaml
new file mode 100644
index 0000000..289e3ab
--- /dev/null
+++ b/policies/kv/service/puppet/puppetboard-secret-key/read.yaml
@@ -0,0 +1,9 @@
+---
+rules:
+ - path: "kv/data/service/puppet/puppetboard-secret-key"
+ capabilities:
+ - read
+
+auth:
+ k8s/au/syd1:
+ - puppet
diff --git a/policies/kv/service/puppet/puppetdb-postgresql-credentials/read.yaml b/policies/kv/service/puppet/puppetdb-postgresql-credentials/read.yaml
new file mode 100644
index 0000000..01e69b5
--- /dev/null
+++ b/policies/kv/service/puppet/puppetdb-postgresql-credentials/read.yaml
@@ -0,0 +1,9 @@
+---
+rules:
+ - path: "kv/data/service/puppet/puppetdb-postgresql-credentials"
+ capabilities:
+ - read
+
+auth:
+ k8s/au/syd1:
+ - puppet
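Review bot: The new auth role in config/auth_kubernetes_role/k8s/au/syd1/puppet.yaml binds `bound_service_account_names: - default`, so any pod in the `puppet` namespace that does not set its own service account can log in as this role, and through the two policies in this patch (puppetboard-secret-key/read.yaml and puppetdb-postgresql-credentials/read.yaml, both listing `k8s/au/syd1: - puppet`) read both the Puppetboard secret key and the PuppetDB PostgreSQL credentials. Binding a dedicated service account per workload, e.g. `- <puppetboard-sa>` and `- <puppetdb-sa>` (placeholder names), each with its own role attached only to the secret that workload needs, keeps a compromised Puppetboard pod from reading database credentials and vice versa. `token_ttl: 60` is, as far as I know, interpreted by Vault as 60 seconds when no unit suffix is given; if minutes were intended it should read `token_ttl: 60m`. For consistency with the two policy files, the role file could also start with the `---` document marker.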
diff --git a/resources/secret_backend/kubernetes/au/syd1/roles/cluster-admin.yaml b/resources/secret_backend/kubernetes/au/syd1/roles/cluster-admin.yaml
index 6f80bde..1329682 100644
--- a/resources/secret_backend/kubernetes/au/syd1/roles/cluster-admin.yaml
+++ b/resources/secret_backend/kubernetes/au/syd1/roles/cluster-admin.yaml
@@ -3,6 +3,7 @@ rules:
 - apiGroups:
 - ""
 - "postgresql.cnpg.io"
+ - "poolers.postgresql.cnpg.io"
 - "cert-manager.io"
 - "rbac.authorization.k8s.io"
 - "batch"
diff --git a/resources/secret_backend/kubernetes/au/syd1/roles/cluster-operator.yaml b/resources/secret_backend/kubernetes/au/syd1/roles/cluster-operator.yaml
index 1808085..e682c2e 100644
--- a/resources/secret_backend/kubernetes/au/syd1/roles/cluster-operator.yaml
+++ b/resources/secret_backend/kubernetes/au/syd1/roles/cluster-operator.yaml
@@ -3,6 +3,7 @@ rules:
 - apiGroups:
 - ""
 - "postgresql.cnpg.io"
+ - "poolers.postgresql.cnpg.io"
 - "cert-manager.io"
 - "rbac.authorization.k8s.io"
 - "batch"
--
2.47.3
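Review bot: The added `- "poolers.postgresql.cnpg.io"` in cluster-admin.yaml is the full name of the CloudNativePG Pooler CRD (plural resource plus group), not an API group; Pooler objects belong to the `postgresql.cnpg.io` group that this rule already lists, and RBAC accepts an unknown group string without error and simply matches nothing, so the line grants no access. If the intent is to let the role manage poolers, the change belongs in the rule's `resources` list as `- poolers` under the existing `postgresql.cnpg.io` group, and the new apiGroups entry should be dropped. The same line is added to cluster-operator.yaml in the following hunk and has the same problem. The `rules` entry continues outside both hunks, so I cannot see from here whether `poolers` is already in `resources`.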