feat(vault): erp prod runtime may read the shared GCS backup creds (kv_read_paths)
All checks were successful
Helm Charts / Detect changed charts (push) Successful in 21s
Helm Charts / Library charts tool (push) Has been skipped
Helm Charts / Application charts pgcat (push) Has been skipped
Helm Charts / Detect changed charts (pull_request) Successful in 14s
Helm Charts / Library charts tool (pull_request) Has been skipped
Helm Charts / Application charts pgcat (pull_request) Has been skipped
All checks were successful
Helm Charts / Detect changed charts (push) Successful in 21s
Helm Charts / Library charts tool (push) Has been skipped
Helm Charts / Application charts pgcat (push) Has been skipped
Helm Charts / Detect changed charts (pull_request) Successful in 14s
Helm Charts / Library charts tool (pull_request) Has been skipped
Helm Charts / Application charts pgcat (pull_request) Has been skipped
Adds an optional kv_read_paths list to the app_policy module (default []) so an app's env=prod runtime policy can read extra kvv2 data paths — e.g. a shared backup-creds path owned by another app. Plumbed through the root applications schema + module call (dynamic rule, read+list). Set for erp: kv_read_paths = ["kvv2/data/longhorn/gcs-backup"], so the dedicated Dolibarr backup CronJob (erp chart, gated) can read the existing GCS HMAC creds via its own VaultStaticSecret instead of borrowing the Longhorn secret cross-namespace or duplicating credentials. No-op for every other app (default []). Only the `erp` runtime policy gains one read+list rule. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -178,6 +178,14 @@ data "vault_policy_document" "app" {
|
||||
path = "postgres/creds/${local.name}*"
|
||||
capabilities = ["read"]
|
||||
}
|
||||
# Extra shared paths this app's prod runtime may read (e.g. backup creds).
|
||||
dynamic "rule" {
|
||||
for_each = var.kv_read_paths
|
||||
content {
|
||||
path = rule.value
|
||||
capabilities = ["read", "list"]
|
||||
}
|
||||
}
|
||||
}
|
||||
resource "vault_policy" "app" {
|
||||
name = local.name
|
||||
|
||||
@@ -22,4 +22,9 @@ variable "service_account_namespaces" {
|
||||
type = list(string)
|
||||
default = []
|
||||
description = "var.name will always be included by default - whitelist service account namespaces that can take this policy"
|
||||
}
|
||||
variable "kv_read_paths" {
|
||||
type = list(string)
|
||||
default = []
|
||||
description = "Extra kvv2 data paths the env=prod runtime policy may read (read,list) — e.g. a shared backup-creds path owned by another app (kvv2/data/longhorn/gcs-backup). Default none."
|
||||
}
|
||||
Reference in New Issue
Block a user