4f4182cb18
encapi (the new Postgres-backed Puppet ENC replacing Cobbler) runs in k8s and reads its secrets from Vault via the Kubernetes auth backend. Grant its pods that access, mirroring artifactapi.

- add k8s auth role encapi (binds SA default in namespace encapi, mount k8s/au/syd1)
- add vault policy kv/service/encapi/environment/read
- add vault policy kv/service/encapi/postgres-password/read
8 lines
136 B
YAML
bound_service_account_names:
- default
bound_service_account_namespaces:
- encapi
token_ttl: 600
token_max_ttl: 600
audience: vault
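Review bot: bound_service_account_names lists only default, so this role is open to the namespace's default service account, which every pod in encapi runs as unless it sets its own serviceAccountName. Consider creating a dedicated service account for the encapi workload and binding that here, so any other pod later scheduled into the namespace does not also qualify for this role. The 600-second token_ttl and token_max_ttl and the explicit audience: vault look right. The visible file carries no policy list, so please confirm where the two read policies named in the commit message are attached to the role.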