Grant vault deployer access to import + manage the gpg engine (#88)
ci/woodpecker/push/apply Pipeline was successful
ci/woodpecker/push/apply Pipeline was successful
## Why Applying the gpg mount (#87) needs two grants the deployer (`tf_vault` approle / `woodpecker_terraform_vault` k8s role) doesn't have. terraform-vault **registers the plugin itself** (`vault_plugin` → `sys/plugins/catalog`, a sudo-protected path) and **manages keys** via the gpgvaultsecret provider (`gpg/keys/*`). The deployer already has `sys/mounts/*` but neither of these, so apply would 403 on the plugin registration and on `gpg/keys` writes — the same failure mode as #84. ## Changes - Add `policies/gpg/admin.yaml` granting: - `create/read/update/delete/sudo` on `sys/plugins/catalog/secret/vault-plugin-secrets-gpg` — to **import** (register/deregister) the plugin. - full management of `gpg/keys/*` (+ `gpg/keys` list) — to **manage keys**. - assigned to `tf_vault` (approle) + `woodpecker_terraform_vault` (k8s/au/syd1), mirroring `policies/litellm/admin.yaml` (#84). Should merge/apply **before** #87 so the deployer can register the plugin and create the `pass` key. Reviewed-on: #88 Co-authored-by: Ben Vincent <ben@unkin.net> Co-committed-by: Ben Vincent <ben@unkin.net>
This commit was merged in pull request #88.
This commit is contained in:
@@ -0,0 +1,35 @@
|
|||||||
|
# Allow the vault deployer to import the gpg plugin and manage its OpenPGP keys.
|
||||||
|
#
|
||||||
|
# terraform-vault registers the plugin itself (vault_plugin -> sys/plugins/catalog,
|
||||||
|
# a sudo-protected path) and manages keys via the gpgvaultsecret provider, so the
|
||||||
|
# deployer needs catalog access on top of the mount access it already has
|
||||||
|
# (sys/mounts/*). Without this, apply 403s on the plugin registration and on
|
||||||
|
# gpg/keys writes.
|
||||||
|
---
|
||||||
|
rules:
|
||||||
|
# Import / register (and deregister) the gpg plugin in the catalog.
|
||||||
|
- path: "sys/plugins/catalog/secret/vault-plugin-secrets-gpg"
|
||||||
|
capabilities:
|
||||||
|
- create
|
||||||
|
- read
|
||||||
|
- update
|
||||||
|
- delete
|
||||||
|
- sudo
|
||||||
|
# Manage keys (create/rotate/config/delete) in the gpg mount.
|
||||||
|
- path: "gpg/keys/*"
|
||||||
|
capabilities:
|
||||||
|
- create
|
||||||
|
- read
|
||||||
|
- update
|
||||||
|
- delete
|
||||||
|
- list
|
||||||
|
- path: "gpg/keys"
|
||||||
|
capabilities:
|
||||||
|
- read
|
||||||
|
- list
|
||||||
|
|
||||||
|
auth:
|
||||||
|
approle:
|
||||||
|
- tf_vault
|
||||||
|
k8s/au/syd1:
|
||||||
|
- woodpecker_terraform_vault
|
||||||
Reference in New Issue
Block a user