# Read secrets from vault KV
path "[[ .vault.root ]]kv/data/service/[[ .instance ]]" {
  capabilities = ["read"]
}

# Get a consul token to access the kv store, where patroni will manage the leader lock
path "[[ .vault.root ]]consul/creds/[[ .instance ]]" {
  capabilities = ["read"]
}

# Get a certificate for patroni REST API and Postgres
[[- $c := merge .pg.server .pg . ]]
path "[[ $c.vault.pki.path ]]/issue/postgres-server" {
  capabilities = ["update"]
}