apiVersion: v1
kind: ConfigMap
metadata:
  name: vault-policies
  namespace: dev-tools
  annotations:
    argocd.argoproj.io/sync-wave: "0"
data:
  client-self.hcl: |
    path "auth/token/lookup-self" { capabilities = ["read"] }
    path "auth/token/renew-self"  { capabilities = ["update"] }

  eso-read-general.hcl: |
    path "general-secrets/data/*"     { capabilities = ["read"] }
    path "general-secrets/metadata/*" { capabilities = ["list"] }

  eso-read-cicd.hcl: |
    path "cicd/data/*"     { capabilities = ["read"] }
    path "cicd/metadata/*" { capabilities = ["list"] }

  eso-read-internal-users.hcl: |
    path "internal-users/data/*"     { capabilities = ["read"] }
    path "internal-users/metadata/*" { capabilities = ["list"] }

  eso-read-oidc.hcl: |
    path "oidc-secrets/data/*"     { capabilities = ["read"] }
    path "oidc-secrets/metadata/*" { capabilities = ["list"] }