chore(framework): canonize Vault-as-SSOT + ESO-default secrets policy #519

Open
jason.woltje wants to merge 2 commits from chore/canonize-vault-secrets-policy into main
2 changed files with 28 additions and 8 deletions


@@ -355,7 +355,6 @@ package config
import ( import (
"fmt" "fmt"
"os"
"github.com/kelseyhightower/envconfig" "github.com/kelseyhightower/envconfig"
) )
@@ -373,10 +372,16 @@ func Load() (*Config, error) {
} }
return &cfg, nil return &cfg, nil
} }
```
// In main(): In your `main.go`:
// cfg, err := config.Load()
// if err != nil { fmt.Fprintln(os.Stderr, err); os.Exit(1) } ```go
cfg, err := config.Load()
if err != nil {
fmt.Fprintln(os.Stderr, err)
os.Exit(1)
}
``` ```
--- ---
@@ -399,7 +404,12 @@ Use this pattern ONLY when a documented dynamic-secrets requirement applies (DB
vault auth enable approle vault auth enable approle
# Create a Vault policy for the app # Create a Vault policy for the app
# Note: KV v2 paths require both the exact path (for the top-level secret) and the
# wildcard (for sub-paths). Always include both to avoid permission denied errors.
vault policy write <app>-policy - <<EOF vault policy write <app>-policy - <<EOF
path "secret/data/k3s/<app>" {
capabilities = ["read"]
}
path "secret/data/k3s/<app>/*" { path "secret/data/k3s/<app>/*" {
capabilities = ["read"] capabilities = ["read"]
} }


@@ -355,7 +355,6 @@ package config
import ( import (
"fmt" "fmt"
"os"
"github.com/kelseyhightower/envconfig" "github.com/kelseyhightower/envconfig"
) )
@@ -373,10 +372,16 @@ func Load() (*Config, error) {
} }
return &cfg, nil return &cfg, nil
} }
```
// In main(): In your `main.go`:
// cfg, err := config.Load()
// if err != nil { fmt.Fprintln(os.Stderr, err); os.Exit(1) } ```go
cfg, err := config.Load()
if err != nil {
fmt.Fprintln(os.Stderr, err)
os.Exit(1)
}
``` ```
--- ---
@@ -399,7 +404,12 @@ Use this pattern ONLY when a documented dynamic-secrets requirement applies (DB
vault auth enable approle vault auth enable approle
# Create a Vault policy for the app # Create a Vault policy for the app
# Note: KV v2 paths require both the exact path (for the top-level secret) and the
# wildcard (for sub-paths). Always include both to avoid permission denied errors.
vault policy write <app>-policy - <<EOF vault policy write <app>-policy - <<EOF
path "secret/data/k3s/<app>" {
capabilities = ["read"]
}
path "secret/data/k3s/<app>/*" { path "secret/data/k3s/<app>/*" {
capabilities = ["read"] capabilities = ["read"]
} }