Files
terraform-vault/policies/kv/service/encapi/postgres-password/read.yaml
T
unkinben 4f4182cb18
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
add vault auth for encapi
encapi (the new Postgres-backed Puppet ENC replacing Cobbler) runs in k8s and
reads its secrets from Vault via the Kubernetes auth backend. Grant its pods
that access, mirroring artifactapi.

- add k8s auth role encapi (binds SA default in namespace encapi, mount k8s/au/syd1)
- add vault policy kv/service/encapi/environment/read
- add vault policy kv/service/encapi/postgres-password/read
2026-07-04 23:26:35 +10:00

11 lines
183 B
YAML

# Allow reading environment vars for postgres/encapi
---
rules:
- path: "kv/data/service/encapi/postgres-password"
capabilities:
- read
auth:
k8s/au/syd1:
- encapi