Add Vault access for forgebot service #76
Summary
forgebot namespace binding default and forgebot-operator service accounts
k8s/au/syd1: forgebot auth role
Context
Forgebot is a new K8s operator + API service for dispatching AI agent jobs from Gitea slash commands. It needs Vault access for:
Test plan
terragrunt plan shows expected additions (1 K8s auth role, 5 policies)

The default K8s auth policy already provides namespace-scoped access to kv/data/kubernetes/namespace/{namespace}/{sa}/* via identity templating. Forgebot secrets should be stored at kv/kubernetes/namespace/forgebot/default/* instead of kv/service/forgebot/*, eliminating the need for 5 individual policies. The forgebot K8s auth role is kept for the forgebot-operator SA.

Pull request closed
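
An added example, not part of the pull request or the repository: a small Python model of the identity-templated path quoted in the review comment, showing which secret paths each service account's token would match. It assumes `kv` is a KV v2 mount (hence the `data/` segment in the policy path) and uses a constructed secret name, `gitea-token`.

```python
# Added example: models how an identity-templated Vault policy path resolves
# per Kubernetes service account. The template copies the path quoted in the
# review comment; it is not the repository's actual policy file.
TEMPLATE = "kv/data/kubernetes/namespace/{namespace}/{sa}/*"


def kv2_api_path(cli_path):
    """Map a KV v2 logical path (as typed in `vault kv get`) to the API path
    that policies are evaluated against: <mount>/data/<rest>.
    Assumption: the first path segment is the mount name."""
    mount, _, rest = cli_path.partition("/")
    return f"{mount}/data/{rest}"


def resolve(namespace, sa):
    """Fill the template with the namespace and service account name that
    Vault records as identity metadata at Kubernetes auth login."""
    return TEMPLATE.format(namespace=namespace, sa=sa)


def allows(policy_path, request_path):
    """Vault policy matching: a trailing '*' is a prefix glob, otherwise the
    path must match exactly."""
    if policy_path.endswith("*"):
        return request_path.startswith(policy_path[:-1])
    return request_path == policy_path


def can_read(namespace, sa, cli_path):
    """True if a token for namespace/sa matches the templated path."""
    return allows(resolve(namespace, sa), kv2_api_path(cli_path))


if __name__ == "__main__":
    # Constructed sample requests; "gitea-token" is a made-up secret name.
    for sa, path in [
        ("default", "kv/kubernetes/namespace/forgebot/default/gitea-token"),
        ("default", "kv/service/forgebot/gitea-token"),
        ("forgebot-operator", "kv/kubernetes/namespace/forgebot/default/gitea-token"),
    ]:
        print(f"forgebot/{sa} -> {path}: {can_read('forgebot', sa, path)}")
```

In this model the templated path scopes each service account to its own subtree, so a token for `forgebot-operator` does not match secrets stored under `forgebot/default/`.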