Update v1 #89
Merged
Conversation
mbaldessari (Contributor) commented Jan 29, 2026
- feat(vault): add fine-grained app policies and preserve hub-role
- Address PR review feedback for vault_app_policies
- Fix typo
- Move default_vp_vault_policies to load_secrets_common
- Introduce a common subclass for load secrets and parse secrets
- Some cleanups now that python3.11 is the minimum version
- Cleanup some complex functions
- Split up _inject_field to make it more readable
- Drop a duplicate test and add a proper test for when onMissingValue is wrong
- Simplify code a bit
- Refactor _validate_secret() a bit
- Restrict python versions and clean up whitespace
- A couple of more linting warnings
This PR adds support for application-level Vault policy segmentation:

1. vault_secrets_init.yaml: Preserve existing hub-role policies
   - Read current hub-role policies before updating
   - Merge with default policies instead of replacing
   - Prevents CronJob from overwriting custom policies
2. vault_app_policies.yaml: Create K8s auth policies from vaultPrefixes
   - Extract unique prefixes from values-secret.yaml.template
   - Create fine-grained policies (e.g., apps-qtodo-k8s-secret)
   - Update hub-role with merged policy list
3. vault_jwt.yaml: Create JWT policies for SPIFFE workloads
   - Read policies from vault_jwt_policies variable
   - Use base64 encoding for complex HCL content
   - Enables patterns to define custom JWT policies

This enables patterns to implement least-privilege secret access by organizing secrets into isolated paths (e.g., apps/qtodo, hub/infra/keycloak) with corresponding Vault policies.

Signed-off-by: Min Zhang <minzhang@redhat.com>
Changes based on reviewer feedback:
- Add verbosity:1 to debug messages (show only with -v flag)
- Integrate vault_app_policies into push_parsed_secrets flow
- Move hardcoded default policies to defaults/main.yml
- Add idempotency checks for policy and hub-role updates
- Replace base64 encoding with heredoc in vault_jwt.yaml
- Add vault_jwt_policies to defaults/main.yml
- Refactor app_prefixes to unified dict format with prefix/jwt_role
- Remove separate app_jwt_role_config (now part of app_prefixes)
- Add changed_when:false to read-only vault commands
- Add all app policy variables to defaults/main.yml

Signed-off-by: Min Zhang <minzhang@redhat.com>
It is defined to be the exact same in load_secrets_v2 and parse_secrets_v2
This eliminates a bunch of duplicated code
Simplify the code a bit and make use of match/case to make it all a bit more readable
We can now use >= python 3.11
…only A bunch of code cleanups
…icies feat(vault): add fine-grained app policies and preserve hub-role
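The policy-segmentation flow the PR description outlines (collect the unique vaultPrefixes from a values-secret template, derive one read-only Vault policy per prefix, then merge the new policy names into the hub-role's existing list rather than replacing it, idempotently) is shown below as an added, stand-alone example. It is not code from this PR or from the validated-patterns project, which implements the same idea in Ansible tasks. The sample document is constructed in the shape of a version 2.0 values-secret.yaml.template; the `-k8s-secret` naming follows the `apps-qtodo-k8s-secret` example in the description; the `secret` KV mount, the `DEFAULT_HUB_POLICIES` names and the `hub` fallback prefix are assumptions.

```python
"""Added example (not project code): derive per-prefix Vault policies from
vaultPrefixes and merge them into an existing hub-role policy list."""
import re

# Constructed sample, shaped like a parsed values-secret.yaml.template v2.0.
SAMPLE_SECRETS = {
    "version": "2.0",
    "secrets": [
        {"name": "config-demo", "vaultPrefixes": ["hub"],
         "fields": [{"name": "secret", "onMissingValue": "generate"}]},
        {"name": "db-creds", "vaultPrefixes": ["apps/qtodo"],
         "fields": [{"name": "password", "onMissingValue": "generate"}]},
        {"name": "keycloak-admin",
         "vaultPrefixes": ["hub/infra/keycloak", "apps/qtodo"],
         "fields": [{"name": "password", "onMissingValue": "generate"}]},
        # No vaultPrefixes: falls back to the default prefix (assumed "hub").
        {"name": "no-prefix",
         "fields": [{"name": "token", "onMissingValue": "generate"}]},
    ],
}

# Assumed names of the policies the hub-role always carries.
DEFAULT_HUB_POLICIES = ["default", "hub-secret"]

# A prefix becomes part of an HCL path glob, so reject anything that could
# widen the policy ("*", "+") or escape the intended subtree ("..").
_PREFIX_RE = re.compile(r"^[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*$")


def validate_prefix(prefix: str) -> str:
    """Normalise a prefix and refuse glob or traversal characters."""
    prefix = prefix.strip("/")
    if not _PREFIX_RE.match(prefix):
        raise ValueError(f"unsafe vault prefix: {prefix!r}")
    return prefix


def unique_prefixes(doc: dict, default: str = "hub") -> list[str]:
    """Collect vaultPrefixes across all secrets, first occurrence wins."""
    seen: list[str] = []
    for secret in doc.get("secrets", []):
        for raw in secret.get("vaultPrefixes") or [default]:
            prefix = validate_prefix(raw)
            if prefix not in seen:
                seen.append(prefix)
    return seen


def policy_name(prefix: str) -> str:
    """'apps/qtodo' -> 'apps-qtodo-k8s-secret' (naming per the PR text)."""
    return validate_prefix(prefix).replace("/", "-") + "-k8s-secret"


def policy_hcl(prefix: str, mount: str = "secret") -> str:
    """Read-only KV v2 policy scoped to one prefix (mount path assumed)."""
    prefix = validate_prefix(prefix)
    return (
        f'path "{mount}/data/{prefix}/*" {{\n  capabilities = ["read"]\n}}\n'
        f'path "{mount}/metadata/{prefix}/*" {{\n  capabilities = ["list"]\n}}\n'
    )


def merge_policies(existing: list[str], defaults: list[str],
                   new: list[str]) -> list[str]:
    """Keep every policy already on the role, then add missing ones."""
    merged = list(existing)
    for name in list(defaults) + list(new):
        if name not in merged:
            merged.append(name)
    return merged


def plan_hub_role_update(existing: list[str], defaults: list[str],
                         prefixes: list[str]) -> dict:
    """Return the merged policy list plus whether a write is needed."""
    merged = merge_policies(existing, defaults,
                            [policy_name(p) for p in prefixes])
    return {"policies": merged, "changed": merged != list(existing)}


if __name__ == "__main__":
    prefixes = unique_prefixes(SAMPLE_SECRETS)
    for p in prefixes:
        print(f"# policy {policy_name(p)}\n{policy_hcl(p)}")
    # A custom policy added by hand on the cluster survives the merge.
    plan = plan_hub_role_update(["default", "custom-ops"],
                                DEFAULT_HUB_POLICIES, prefixes)
    print(plan)
```

Running the block prints one HCL policy per prefix and a plan whose `changed` flag is true on the first pass and false when fed its own output, which is the idempotency check the reviewer asked for; the `custom-ops` policy placed on the role outside the automation is kept, the behaviour the description wants from the CronJob.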