feat(vault): erp prod runtime may read the shared GCS backup creds (kv_read_paths) #5

Merged

arcodange merged 1 commits from claude/erp-backup-vault-read into main

2026-06-30 17:40:34 +02:00

Author	SHA1	Message	Date
Gabriel Radureau	2953ec3202	feat(vault): erp prod runtime may read the shared GCS backup creds (kv_read_paths) All checks were successful Helm Charts / Detect changed charts (push) Successful in 21s Details Helm Charts / Library charts tool (push) Has been skipped Details Helm Charts / Application charts pgcat (push) Has been skipped Details Helm Charts / Detect changed charts (pull_request) Successful in 14s Details Helm Charts / Library charts tool (pull_request) Has been skipped Details Helm Charts / Application charts pgcat (pull_request) Has been skipped Details Adds an optional kv_read_paths list to the app_policy module (default []) so an app's env=prod runtime policy can read extra kvv2 data paths — e.g. a shared backup-creds path owned by another app. Plumbed through the root applications schema + module call (dynamic rule, read+list). Set for erp: kv_read_paths = ["kvv2/data/longhorn/gcs-backup"], so the dedicated Dolibarr backup CronJob (erp chart, gated) can read the existing GCS HMAC creds via its own VaultStaticSecret instead of borrowing the Longhorn secret cross-namespace or duplicating credentials. No-op for every other app (default []). Only the `erp` runtime policy gains one read+list rule. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-06-30 16:29:15 +02:00

Author

SHA1

Message

Date

Gabriel Radureau

2953ec3202

feat(vault): erp prod runtime may read the shared GCS backup creds (kv_read_paths)

Helm Charts / Detect changed charts (push) Successful in 21s

Details

Helm Charts / Library charts tool (push) Has been skipped

Details

Helm Charts / Application charts pgcat (push) Has been skipped

Details

Helm Charts / Detect changed charts (pull_request) Successful in 14s

Details

Helm Charts / Library charts tool (pull_request) Has been skipped

Details

Helm Charts / Application charts pgcat (pull_request) Has been skipped

Details

Adds an optional kv_read_paths list to the app_policy module (default []) so an
app's env=prod runtime policy can read extra kvv2 data paths — e.g. a shared
backup-creds path owned by another app. Plumbed through the root applications
schema + module call (dynamic rule, read+list).

Set for erp: kv_read_paths = ["kvv2/data/longhorn/gcs-backup"], so the dedicated
Dolibarr backup CronJob (erp chart, gated) can read the existing GCS HMAC creds
via its own VaultStaticSecret instead of borrowing the Longhorn secret
cross-namespace or duplicating credentials.

No-op for every other app (default []). Only the `erp` runtime policy gains one
read+list rule.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-06-30 16:29:15 +02:00

feat(vault): erp prod runtime may read the shared GCS backup creds (kv_read_paths) #5

1 Commits