feat(vault): erp prod runtime may read the shared GCS backup creds (kv_read_paths)

Adds an optional kv_read_paths list to the app_policy module (default []) so an app's env=prod runtime policy can read extra kvv2 data paths — e.g. a shared backup-creds path owned by another app. Plumbed through the root applications schema + module call (dynamic rule, read+list). Set for erp: kv_read_paths = ["kvv2/data/longhorn/gcs-backup"], so the dedicated Dolibarr backup CronJob (erp chart, gated) can read the existing GCS HMAC creds via its own VaultStaticSecret instead of borrowing the Longhorn secret cross-namespace or duplicating credentials. No-op for every other app (default []). Only the `erp` runtime policy gains one read+list rule. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-30 16:29:15 +02:00
parent 06c5eb4391
commit 2953ec3202
5 changed files with 26 additions and 5 deletions
--- a/hashicorp-vault/iac/terraform.tfvars
+++ b/hashicorp-vault/iac/terraform.tfvars
@@ -1,18 +1,22 @@
 applications = [
  { name = "webapp" },
-  { name = "erp", envs = ["prod", "sandbox"] },
+  {
+    name          = "erp"
+    envs          = ["prod", "sandbox"]
+    kv_read_paths = ["kvv2/data/longhorn/gcs-backup"] # backup CronJob reads the shared GCS creds
+  },
  { name = "dance-lessons-coach" },
  {
-    name                   = "cms"
-    ops_policies               = ["factory__cf_r2_arcodange_tf"]
+    name                  = "cms"
+    ops_policies          = ["factory__cf_r2_arcodange_tf"]
    service_account_names = ["cloudflared"]
  },
  {
-    name = "crowdsec"
+    name                       = "crowdsec"
    service_account_namespaces = ["tools"]
  },
  {
-    name = "plausible"
+    name                       = "plausible"
    service_account_namespaces = ["tools"]
  },
 ]