Adds an optional kv_read_paths list to the app_policy module (default []) so an
app's env=prod runtime policy can read extra kvv2 data paths — e.g. a shared
backup-creds path owned by another app. Plumbed through the root applications
schema + module call (dynamic rule, read+list).
Set for erp: kv_read_paths = ["kvv2/data/longhorn/gcs-backup"], so the dedicated
Dolibarr backup CronJob (erp chart, gated) can read the existing GCS HMAC creds
via its own VaultStaticSecret instead of borrowing the Longhorn secret
cross-namespace or duplicating credentials.
No-op for every other app (default []). Only the `erp` runtime policy gains one
read+list rule.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
ADR-0002 Phase D, Vault layer. `erp` gains `envs = ["prod", "sandbox"]`,
which flows into the app_policy module (main.tf:81 `envs = each.value.envs`).
For erp the module now resolves instances = ["erp", "erp-sandbox"], so the
apply:
- ADDS vault_policy.app_non_prod["erp-sandbox"] — the runtime policy
named `erp-sandbox` (read kvv2/data/erp-sandbox/* +
postgres/creds/erp-sandbox*), consumed by the sandbox pod's VSO.
- UPDATES vault_policy.ops["erp"] in place — the `erp-ops` CI policy
gains the erp-sandbox kvv2 data/delete/undelete/destroy/metadata
rules + the erp-sandbox values in the k8s-role allowed_parameter
lists, so CI can manage the sandbox instance. The glob rules
(postgres/roles/erp*, kvv1/cloudflare/erp*, auth/kubernetes/role/erp*)
already covered erp-sandbox, so they don't change.
No destroy/replace. prod `erp` runtime policy + every other app render
byte-identical (their envs still default to ["prod"]).
Diff kept to the single erp line — the pre-existing cms/crowdsec/plausible
alignment is left as-is on main (not reformatting unrelated entries).
D2 of Phase D. D1 (postgres DB+role) = factory#17 (merged). D3 (erp iac
creds + KV) and D4 (ArgoCD) follow.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
