4f4182cb18
encapi (the new Postgres-backed Puppet ENC replacing Cobbler) runs in k8s and reads its secrets from Vault via the Kubernetes auth backend. Grant its pods that access, mirroring artifactapi.

- add k8s auth role encapi (binds SA default in namespace encapi, mount k8s/au/syd1)
- add vault policy kv/service/encapi/environment/read
- add vault policy kv/service/encapi/postgres-password/read
11 lines
183 B
YAML
# Allow reading environment vars for postgres/encapi
---
rules:
  - path: "kv/data/service/encapi/postgres-password"
    capabilities:
      - read

auth:
  k8s/au/syd1:
    - encapi
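Review bot: the header comment on the first line says this policy allows reading environment vars, but the only rule path is `kv/data/service/encapi/postgres-password`; either the comment should say "postgres password" for this file, or the `kv/service/encapi/environment` read policy that the commit message lists as a second policy is missing from `rules` and should be added (or land in its own file, if that is how artifactapi's policies are laid out). The `kv/data/` prefix is the correct ACL path form for a KV v2 mount, and limiting `capabilities` to `read` matches the stated intent. The commit message also says the `encapi` role binds service account `default` in namespace `encapi`; that binding does not appear here (the `auth` block only lists the role name under mount `k8s/au/syd1`), so it is worth confirming the role definition restricts `bound_service_account_names` and `bound_service_account_namespaces` rather than accepting any SA, since binding the `default` SA already widens access to every pod in the namespace that does not set its own SA.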