feat(vault): erp prod runtime may read the shared GCS backup creds (kv_read_paths) #5

Merged
arcodange merged 1 commits from claude/erp-backup-vault-read into main 2026-06-30 17:40:34 +02:00

Enables the creds for the **dedicated Dolibarr backup CronJob** ([erp#32](https://gitea.arcodange.lab/arcodange-org/erp/pulls/32)) without duplicating a secret or borrowing the Longhorn secret cross-namespace.

Adds an optional **`kv_read_paths`** list to the `app_policy` module (default `[]`): an app's **env=prod** runtime policy can read additional kvv2 paths. Plumbed through the `applications` schema + the module call (`dynamic` rule, `read`+`list`).

Set for erp:

```hcl
kv_read_paths = ["kvv2/data/longhorn/gcs-backup"]
```

→ the CronJob's `VaultStaticSecret` (erp chart, gated) reads the existing GCS HMAC creds with erp's Vault role.

**Surface:** no-op for every other app (default `[]`). Only the `erp` runtime policy gains **one** `read,list` rule. Validated with `tofu init` (graph parses OK; the remaining `validate` error = the provider's JWT auth, supplied by CI).

🤖 Generated with [Claude Code](https://claude.com/claude-code)
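As an added illustration (not the `tools` repo's own `app_policy` module code), this is how a module can turn the `kv_read_paths` list described above into one `read,list` rule per path in the env=prod runtime policy, and emit nothing when the list is empty; the variable, data source and policy names are assumptions.

```hcl
# Added example, not the module's actual implementation. It shows the behaviour
# the PR describes: each entry of kv_read_paths becomes exactly one rule with
# read + list capabilities, and an empty list (the default) adds no rule at all.

variable "kv_read_paths" {
  description = "Extra kvv2 data paths the env=prod runtime policy may read."
  type        = list(string)
  default     = [] # no-op for every app that does not set it
}

data "vault_policy_document" "runtime_prod" {
  # The app's own rules (its private kvv2 prefix, etc.) would sit here.

  # One rule per shared path; the block is skipped entirely when the set is empty.
  dynamic "rule" {
    for_each = toset(var.kv_read_paths)
    content {
      path         = rule.value # e.g. "kvv2/data/longhorn/gcs-backup"
      capabilities = ["read", "list"]
      description  = "shared secret granted via kv_read_paths"
    }
  }
}

resource "vault_policy" "runtime_prod" {
  name   = "erp-runtime-prod" # assumed policy name
  policy = data.vault_policy_document.runtime_prod.hcl
}
```

Two checks worth keeping in mind when reviewing such a grant: the path must be the `kvv2/data/...` form (the `data/` prefix is what a kv-v2 read hits, so a bare `kvv2/longhorn/...` entry would silently grant nothing), and `read` on a data path exposes the secret's current values to every workload bound to that role, so the list should stay as short as this PR keeps it.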
arcodange added 1 commit 2026-06-30 16:29:48 +02:00
feat(vault): erp prod runtime may read the shared GCS backup creds (kv_read_paths)
All checks were successful
Helm Charts / Detect changed charts (push) Successful in 21s
Helm Charts / Library charts tool (push) Has been skipped
Helm Charts / Application charts pgcat (push) Has been skipped
Helm Charts / Detect changed charts (pull_request) Successful in 14s
Helm Charts / Library charts tool (pull_request) Has been skipped
Helm Charts / Application charts pgcat (pull_request) Has been skipped
2953ec3202
Adds an optional kv_read_paths list to the app_policy module (default []) so an
app's env=prod runtime policy can read extra kvv2 data paths — e.g. a shared
backup-creds path owned by another app. Plumbed through the root applications
schema + module call (dynamic rule, read+list).

Set for erp: kv_read_paths = ["kvv2/data/longhorn/gcs-backup"], so the dedicated
Dolibarr backup CronJob (erp chart, gated) can read the existing GCS HMAC creds
via its own VaultStaticSecret instead of borrowing the Longhorn secret
cross-namespace or duplicating credentials.

No-op for every other app (default []). Only the `erp` runtime policy gains one
read+list rule.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
arcodange merged commit 5b24738dcf into main 2026-06-30 17:40:34 +02:00
arcodange deleted branch claude/erp-backup-vault-read 2026-06-30 17:40:35 +02:00

Reference: arcodange-org/tools#5