From d9e07e432ef7c79a0350eaa42fa62065f1e1a746 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Fri, 6 Mar 2026 18:47:31 +1100
Subject: [PATCH] chore: add artifactapi k8s role - enable access to read artifactapi secrets
---
.../auth_kubernetes_role/k8s/au/syd1/artifactapi.yaml | 7 +++++++
policies/kv/service/artifactapi/environment/read.yaml | 10 ++++++++++
2 files changed, 17 insertions(+)
create mode 100644 config/auth_kubernetes_role/k8s/au/syd1/artifactapi.yaml
create mode 100644 policies/kv/service/artifactapi/environment/read.yaml
diff --git a/config/auth_kubernetes_role/k8s/au/syd1/artifactapi.yaml b/config/auth_kubernetes_role/k8s/au/syd1/artifactapi.yaml
new file mode 100644
index 0000000..4a0fc35
--- /dev/null
+++ b/config/auth_kubernetes_role/k8s/au/syd1/artifactapi.yaml
@@ -0,0 +1,7 @@
+bound_service_account_names:
+ - default
+bound_service_account_namespaces:
+ - artifactapi
+token_ttl: 600
+token_max_ttl: 600
+audience: vault
diff --git a/policies/kv/service/artifactapi/environment/read.yaml b/policies/kv/service/artifactapi/environment/read.yaml
new file mode 100644
index 0000000..b405c4a
--- /dev/null
+++ b/policies/kv/service/artifactapi/environment/read.yaml
@@ -0,0 +1,10 @@
+# Allow reading environment variables for artifactapi
+---
+rules:
+ - path: "kv/data/service/artifactapi/environment"
+ capabilities:
+ - read
+
+auth:
+ k8s/au/syd1:
+ - artifactapi
--
2.47.3
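Review bot: In config/auth_kubernetes_role/k8s/au/syd1/artifactapi.yaml, `bound_service_account_names` lists `default`, so any pod in the `artifactapi` namespace that does not set its own service account can log in to this role. Through what appears to be the policy attachment under `auth:` in policies/kv/service/artifactapi/environment/read.yaml, such a pod could then read `kv/data/service/artifactapi/environment`. Binding the role to a dedicated service account used only by the artifactapi workload would keep the secret scoped to that workload, for example `- artifactapi` in place of `- default` (the account name is illustrative; use the one the deployment actually runs as). The 600-second `token_ttl`/`token_max_ttl` and the explicit `audience: vault` look reasonable as written.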
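Review bot: The header comment in policies/kv/service/artifactapi/environment/read.yaml calls the data "environment variables", while the commit message describes the same path as secrets, so the comment understates what the policy exposes. A comment such as `# Read-only access to artifactapi environment secrets; attached to the artifactapi role on k8s/au/syd1` would tell the next reviewer what is granted and to which identity. The rule itself names one exact path with only `read`, which is suitably narrow.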