From c093d5830d17db3b58956b12dcee0c9e5e38922b Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 15 Feb 2026 13:06:08 +1100
Subject: [PATCH] fix: kubernetes auth fixes

- annotations as alias metadata does not work with openbao (idempotency issue)
- set token_ttl to be 600 for all auth roles for kubernetes (min)
---
 config/auth_kubernetes_backend/k8s/au/syd1.yaml | 2 +-
 config/auth_kubernetes_role/k8s/au/syd1/ceph-csi.yaml | 2 +-
 .../auth_kubernetes_role/k8s/au/syd1/cert_manager_issuer.yaml | 2 +-
 config/auth_kubernetes_role/k8s/au/syd1/externaldns.yaml | 2 +-
 config/auth_kubernetes_role/k8s/au/syd1/huntarr-default.yaml | 2 +-
 config/auth_kubernetes_role/k8s/au/syd1/identity.yaml | 2 +-
 config/auth_kubernetes_role/k8s/au/syd1/media-apps.yaml | 2 +-
 config/auth_kubernetes_role/k8s/au/syd1/puppet.yaml | 2 +-
 config/auth_kubernetes_role/k8s/au/syd1/rancher.yaml | 2 +-
 config/auth_kubernetes_role/k8s/au/syd1/repoflow.yaml | 2 +-
 10 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/config/auth_kubernetes_backend/k8s/au/syd1.yaml b/config/auth_kubernetes_backend/k8s/au/syd1.yaml
index 55c3135..f14d915 100644
--- a/config/auth_kubernetes_backend/k8s/au/syd1.yaml
+++ b/config/auth_kubernetes_backend/k8s/au/syd1.yaml
@@ -1,5 +1,5 @@
 kubernetes_host: https://api-k8s.service.consul:6443
 disable_iss_validation: true
-use_annotations_as_alias_metadata: true
+use_annotations_as_alias_metadata: false # doesnt work with openbao yet
 default_lease_ttl: 1h
 max_lease_ttl: 24h
diff --git a/config/auth_kubernetes_role/k8s/au/syd1/ceph-csi.yaml b/config/auth_kubernetes_role/k8s/au/syd1/ceph-csi.yaml
index 31767b9..84f7572 100644
--- a/config/auth_kubernetes_role/k8s/au/syd1/ceph-csi.yaml
+++ b/config/auth_kubernetes_role/k8s/au/syd1/ceph-csi.yaml
@@ -4,5 +4,5 @@ bound_service_account_names:
 bound_service_account_namespaces:
 - csi-cephrbd
 - csi-cephfs
-token_ttl: 60
+token_ttl: 600
 audience: vault
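Review bot: The inline comment on the new `use_annotations_as_alias_metadata: false` line does not say what the breakage is or when the flag can go back on, and that context lives only in the commit message; suggest `use_annotations_as_alias_metadata: false  # OpenBao does not support this yet (idempotency issue); re-enable once <TRACKING-ISSUE placeholder> is closed`, which also fixes "doesnt" and gives yamllint its two spaces before `#`. Since the flag controls which fields the auth method copies onto each entity alias, turning it off means aliases created from now on carry no annotation-derived metadata, so any policy templating or group rule keyed on those fields would quietly stop matching — worth confirming none exists before this lands (inferred from the setting's name; the policies are not in this diff).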
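Review bot: `token_ttl: 600` is a bare integer, which the Kubernetes auth role API reads as seconds (10 minutes) as far as I know, while the commit message says "(min)"; if minutes were meant the value is off by 60x, and in either case an explicit duration string such as `token_ttl: "10m"` removes the ambiguity and matches the `1h`/`24h` form already used in the backend file. The identical line is changed in cert_manager_issuer, externaldns, huntarr-default, identity, media-apps, puppet, rancher and repoflow, so whichever form is chosen should go into all nine role files together. A tenfold TTL increase is modest, but four of those roles (huntarr-default, identity, puppet, repoflow) are bound to the namespace `default` service account, so the longer-lived token is now issued to any pod in that namespace that does not set its own service account; dedicated service accounts for those workloads would keep the change least-privilege.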
diff --git a/config/auth_kubernetes_role/k8s/au/syd1/cert_manager_issuer.yaml b/config/auth_kubernetes_role/k8s/au/syd1/cert_manager_issuer.yaml
index f9e136a..836776c 100644
--- a/config/auth_kubernetes_role/k8s/au/syd1/cert_manager_issuer.yaml
+++ b/config/auth_kubernetes_role/k8s/au/syd1/cert_manager_issuer.yaml
@@ -2,5 +2,5 @@ bound_service_account_names:
 - cert-manager-vault-issuer
 bound_service_account_namespaces:
 - cert-manager
-token_ttl: 60
+token_ttl: 600
 audience: vault
diff --git a/config/auth_kubernetes_role/k8s/au/syd1/externaldns.yaml b/config/auth_kubernetes_role/k8s/au/syd1/externaldns.yaml
index fc7b521..4d594b7 100644
--- a/config/auth_kubernetes_role/k8s/au/syd1/externaldns.yaml
+++ b/config/auth_kubernetes_role/k8s/au/syd1/externaldns.yaml
@@ -2,5 +2,5 @@ bound_service_account_names:
 - externaldns
 bound_service_account_namespaces:
 - externaldns
-token_ttl: 60
+token_ttl: 600
 audience: vault
diff --git a/config/auth_kubernetes_role/k8s/au/syd1/huntarr-default.yaml b/config/auth_kubernetes_role/k8s/au/syd1/huntarr-default.yaml
index 552f488..25fba47 100644
--- a/config/auth_kubernetes_role/k8s/au/syd1/huntarr-default.yaml
+++ b/config/auth_kubernetes_role/k8s/au/syd1/huntarr-default.yaml
@@ -2,5 +2,5 @@ bound_service_account_names:
 - default
 bound_service_account_namespaces:
 - huntarr
-token_ttl: 60
+token_ttl: 600
 audience: vault
diff --git a/config/auth_kubernetes_role/k8s/au/syd1/identity.yaml b/config/auth_kubernetes_role/k8s/au/syd1/identity.yaml
index 87cef5c..d200a9a 100644
--- a/config/auth_kubernetes_role/k8s/au/syd1/identity.yaml
+++ b/config/auth_kubernetes_role/k8s/au/syd1/identity.yaml
@@ -2,5 +2,5 @@ bound_service_account_names:
 - default
 bound_service_account_namespaces:
 - identity
-token_ttl: 60
+token_ttl: 600
 audience: vault
diff --git a/config/auth_kubernetes_role/k8s/au/syd1/media-apps.yaml b/config/auth_kubernetes_role/k8s/au/syd1/media-apps.yaml
index 5d51fb0..cf6d07a 100644
--- a/config/auth_kubernetes_role/k8s/au/syd1/media-apps.yaml
+++ b/config/auth_kubernetes_role/k8s/au/syd1/media-apps.yaml
@@ -2,5 +2,5 @@ bound_service_account_names:
 - media-apps-vault-reader
 bound_service_account_namespaces:
 - media-apps
-token_ttl: 60
+token_ttl: 600
 audience: vault
diff --git a/config/auth_kubernetes_role/k8s/au/syd1/puppet.yaml b/config/auth_kubernetes_role/k8s/au/syd1/puppet.yaml
index 161f4fe..1059164 100644
--- a/config/auth_kubernetes_role/k8s/au/syd1/puppet.yaml
+++ b/config/auth_kubernetes_role/k8s/au/syd1/puppet.yaml
@@ -2,5 +2,5 @@ bound_service_account_names:
 - default
 bound_service_account_namespaces:
 - puppet
-token_ttl: 60
+token_ttl: 600
 audience: vault
diff --git a/config/auth_kubernetes_role/k8s/au/syd1/rancher.yaml b/config/auth_kubernetes_role/k8s/au/syd1/rancher.yaml
index 8f30ebf..8b0ed1a 100644
--- a/config/auth_kubernetes_role/k8s/au/syd1/rancher.yaml
+++ b/config/auth_kubernetes_role/k8s/au/syd1/rancher.yaml
@@ -2,5 +2,5 @@ bound_service_account_names:
 - rancher
 bound_service_account_namespaces:
 - cattle-system
-token_ttl: 60
+token_ttl: 600
 audience: vault
diff --git a/config/auth_kubernetes_role/k8s/au/syd1/repoflow.yaml b/config/auth_kubernetes_role/k8s/au/syd1/repoflow.yaml
index a819345..0263419 100644
--- a/config/auth_kubernetes_role/k8s/au/syd1/repoflow.yaml
+++ b/config/auth_kubernetes_role/k8s/au/syd1/repoflow.yaml
@@ -2,5 +2,5 @@ bound_service_account_names:
 - default
 bound_service_account_namespaces:
 - repoflow
-token_ttl: 60
+token_ttl: 600
 audience: vault
-- 
2.47.3