arcodange-org/tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(vault): erp prod runtime may read the shared GCS backup creds (kv_read_paths)
All checks were successful
Helm Charts / Detect changed charts (push) Successful in 21s
Details
Helm Charts / Library charts tool (push) Has been skipped
Details
Helm Charts / Application charts pgcat (push) Has been skipped
Details
Helm Charts / Detect changed charts (pull_request) Successful in 14s
Details
Helm Charts / Library charts tool (pull_request) Has been skipped
Details
Helm Charts / Application charts pgcat (pull_request) Has been skipped
Details

Browse Source 
Adds an optional kv_read_paths list to the app_policy module (default []) so an
app's env=prod runtime policy can read extra kvv2 data paths — e.g. a shared
backup-creds path owned by another app. Plumbed through the root applications
schema + module call (dynamic rule, read+list).

Set for erp: kv_read_paths = ["kvv2/data/longhorn/gcs-backup"], so the dedicated
Dolibarr backup CronJob (erp chart, gated) can read the existing GCS HMAC creds
via its own VaultStaticSecret instead of borrowing the Longhorn secret
cross-namespace or duplicating credentials.

No-op for every other app (default []). Only the `erp` runtime policy gains one
read+list rule.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Gabriel Radureau
2026-06-30 16:29:15 +02:00
parent 06c5eb4391
commit 2953ec3202
5 changed files with 26 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
hashicorp-vault/iac/main.tf
View File

@@ -80,6 +80,7 @@ module "app_policies" {
name = each.value.name
envs = each.value.envs
ops_policies = each.value.ops_policies
kv_read_paths = each.value.kv_read_paths
service_account_names = each.value.service_account_names
service_account_namespaces = each.value.service_account_namespaces
gitea_app_id = var.gitea_app_id

8
hashicorp-vault/iac/modules/app_policy/main.tf
View File

@@ -178,6 +178,14 @@ data "vault_policy_document" "app" {
path = "postgres/creds/${local.name}*"
capabilities = ["read"]
}
# Extra shared paths this app's prod runtime may read (e.g. backup creds).
dynamic "rule" {
for_each = var.kv_read_paths
content {
path = rule.value
capabilities = ["read", "list"]
}
}
}
resource "vault_policy" "app" {
name = local.name

5
hashicorp-vault/iac/modules/app_policy/variables.tf
View File

@@ -23,3 +23,8 @@ variable "service_account_namespaces" {
default = []
description = "var.name will always be included by default - whitelist service account namespaces that can take this policy"
}
variable "kv_read_paths" {
type = list(string)
default = []
description = "Extra kvv2 data paths the env=prod runtime policy may read (read,list) — e.g. a shared backup-creds path owned by another app (kvv2/data/longhorn/gcs-backup). Default none."
}

6
hashicorp-vault/iac/terraform.tfvars
View File

@@ -1,6 +1,10 @@
applications = [
{ name = "webapp" },
{ name = "erp", envs = ["prod", "sandbox"] },
{
name = "erp"
envs = ["prod", "sandbox"]
kv_read_paths = ["kvv2/data/longhorn/gcs-backup"] # backup CronJob reads the shared GCS creds
},
{ name = "dance-lessons-coach" },
{
name = "cms"

3
hashicorp-vault/iac/variables.tf
View File

@@ -19,5 +19,8 @@ variable "applications" {
# every existing app — backwards compatible by the elision rule. Non-prod envs
# produce additional runtime policies named "<name>-<env>".
envs = optional(list(string), ["prod"])
# Extra kvv2 data paths the app's prod runtime policy may read (read,list) —
# e.g. a shared backup-creds path owned by another app. Default none.
kv_read_paths = optional(list(string), [])
}))
}