From f0baa619dc370b3b5125768252eb8dfbd3f516c2 Mon Sep 17 00:00:00 2001
From: codex
Date: Tue, 21 Apr 2026 01:12:25 -0300
Subject: [PATCH] refactor(ariadne): split vault policy definitions
---
ariadne/services/vault.py | 260 +---------------------------
ariadne/services/vault_policies.py | 258 ++++++++++++++++++++++++++++
ci/loc_hygiene_waivers.tsv | 1 -
3 files changed, 261 insertions(+), 258 deletions(-)
create mode 100644 ariadne/services/vault_policies.py
diff --git a/ariadne/services/vault.py b/ariadne/services/vault.py
index 07ae7d5..c2e4d5b 100644
--- a/ariadne/services/vault.py
+++ b/ariadne/services/vault.py
@@ -8,6 +8,9 @@ import httpx
from ..settings import settings
from ..utils.logging import get_logger
+from .vault_policies import DEV_KV_POLICY as _DEV_KV_POLICY
+from .vault_policies import K8S_ROLES as _K8S_ROLES
+from .vault_policies import VAULT_ADMIN_POLICY as _VAULT_ADMIN_POLICY
logger = get_logger(__name__)
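Review bot: The three new imports alias public constants from `vault_policies` to underscore-private names (`_DEV_KV_POLICY`, `_K8S_ROLES`, `_VAULT_ADMIN_POLICY`), so vault.py still reads as if it owned private definitions that now live in another module; presumably the aliases exist so the remaining references in this file (outside the hunk) need no rename. The cleaner form is to import the public names once, `from .vault_policies import DEV_KV_POLICY, K8S_ROLES, VAULT_ADMIN_POLICY`, and rename the uses. If the aliases are kept deliberately, a short comment such as `# role/policy definitions live in vault_policies; private aliases keep this module's existing references` would stop the next reader from looking for the definitions here.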
@@ -45,263 +48,6 @@ def _build_policy(read_paths: str, write_paths: str) -> str:
)
return "\n".join(policy_parts).strip() + "\n"
-
-_K8S_ROLES: list[dict[str, str]] = [
- {
- "role": "outline",
- "namespace": "outline",
- "service_accounts": "outline-vault",
- "read_paths": "outline/* shared/postmark-relay",
- "write_paths": "",
- },
- {
- "role": "planka",
- "namespace": "planka",
- "service_accounts": "planka-vault",
- "read_paths": "planka/* shared/postmark-relay",
- "write_paths": "",
- },
- {
- "role": "bstein-dev-home",
- "namespace": "bstein-dev-home",
- "service_accounts": "bstein-dev-home,bstein-dev-home-vault-sync",
- "read_paths": "portal/* shared/chat-ai-keys-runtime shared/portal-e2e-client shared/postmark-relay "
- "mailu/mailu-initial-account-secret shared/harbor-pull",
- "write_paths": "",
- },
- {
- "role": "gitea",
- "namespace": "gitea",
- "service_accounts": "gitea-vault",
- "read_paths": "gitea/*",
- "write_paths": "",
- },
- {
- "role": "vaultwarden",
- "namespace": "vaultwarden",
- "service_accounts": "vaultwarden-vault",
- "read_paths": "vaultwarden/* mailu/mailu-initial-account-secret",
- "write_paths": "",
- },
- {
- "role": "sso",
- "namespace": "sso",
- "service_accounts": "sso-vault,sso-vault-sync,mas-secrets-ensure",
- "read_paths": "sso/* portal/bstein-dev-home-keycloak-admin shared/keycloak-admin "
- "shared/portal-e2e-client shared/postmark-relay shared/harbor-pull",
- "write_paths": "",
- },
- {
- "role": "mailu-mailserver",
- "namespace": "mailu-mailserver",
- "service_accounts": "mailu-vault-sync",
- "read_paths": "mailu/* shared/postmark-relay shared/harbor-pull",
- "write_paths": "",
- },
- {
- "role": "harbor",
- "namespace": "harbor",
- "service_accounts": "harbor-vault-sync",
- "read_paths": "harbor/* shared/harbor-pull",
- "write_paths": "",
- },
- {
- "role": "nextcloud",
- "namespace": "nextcloud",
- "service_accounts": "nextcloud-vault",
- "read_paths": "nextcloud/* shared/keycloak-admin shared/postmark-relay",
- "write_paths": "",
- },
- {
- "role": "comms",
- "namespace": "comms",
- "service_accounts": "comms-vault,atlasbot",
- "read_paths": "comms/* shared/chat-ai-keys-runtime shared/harbor-pull",
- "write_paths": "",
- },
- {
- "role": "jenkins",
- "namespace": "jenkins",
- "service_accounts": "jenkins",
- "read_paths": "jenkins/*",
- "write_paths": "",
- },
- {
- "role": "monitoring",
- "namespace": "monitoring",
- "service_accounts": "monitoring-vault-sync",
- "read_paths": "monitoring/* shared/postmark-relay shared/harbor-pull",
- "write_paths": "",
- },
- {
- "role": "logging",
- "namespace": "logging",
- "service_accounts": "logging-vault-sync",
- "read_paths": "logging/* shared/harbor-pull",
- "write_paths": "",
- },
- {
- "role": "pegasus",
- "namespace": "jellyfin",
- "service_accounts": "pegasus-vault-sync",
- "read_paths": "pegasus/* shared/harbor-pull",
- "write_paths": "",
- },
- {
- "role": "crypto",
- "namespace": "crypto",
- "service_accounts": "crypto-vault-sync",
- "read_paths": "crypto/* shared/harbor-pull",
- "write_paths": "",
- },
- {
- "role": "health",
- "namespace": "health",
- "service_accounts": "health-vault-sync",
- "read_paths": "health/*",
- "write_paths": "",
- },
- {
- "role": "maintenance",
- "namespace": "maintenance",
- "service_accounts": "ariadne,maintenance-vault-sync",
- "read_paths": "maintenance/ariadne-db portal/bstein-dev-home-keycloak-admin mailu/mailu-db-secret "
- "mailu/mailu-initial-account-secret comms/synapse-admin shared/harbor-pull",
- "write_paths": "",
- },
- {
- "role": "finance",
- "namespace": "finance",
- "service_accounts": "finance-vault",
- "read_paths": "finance/* shared/postmark-relay",
- "write_paths": "",
- },
- {
- "role": "finance-secrets",
- "namespace": "finance",
- "service_accounts": "finance-secrets-ensure",
- "read_paths": "",
- "write_paths": "finance/*",
- },
- {
- "role": "longhorn",
- "namespace": "longhorn-system",
- "service_accounts": "longhorn-vault,longhorn-vault-sync",
- "read_paths": "longhorn/* shared/harbor-pull",
- "write_paths": "",
- },
- {
- "role": "postgres",
- "namespace": "postgres",
- "service_accounts": "postgres-vault",
- "read_paths": "postgres/postgres-db",
- "write_paths": "",
- },
- {
- "role": "vault",
- "namespace": "vault",
- "service_accounts": "vault",
- "read_paths": "vault/*",
- "write_paths": "",
- },
- {
- "role": "sso-secrets",
- "namespace": "sso",
- "service_accounts": "mas-secrets-ensure",
- "read_paths": "shared/keycloak-admin",
- "write_paths": "harbor/harbor-oidc vault/vault-oidc-config comms/synapse-oidc "
- "logging/oauth2-proxy-logs-oidc finance/actual-oidc",
- },
- {
- "role": "crypto-secrets",
- "namespace": "crypto",
- "service_accounts": "crypto-secrets-ensure",
- "read_paths": "",
- "write_paths": "crypto/wallet-monero-temp-rpc-auth",
- },
- {
- "role": "comms-secrets",
- "namespace": "comms",
- "service_accounts": "comms-secrets-ensure,mas-db-ensure,mas-admin-client-secret-writer,othrys-synapse-signingkey-job",
- "read_paths": "",
- "write_paths": "comms/turn-shared-secret comms/livekit-api comms/synapse-redis comms/synapse-macaroon "
- "comms/atlasbot-credentials-runtime comms/synapse-db comms/synapse-admin comms/synapse-registration "
- "comms/mas-db comms/mas-admin-client-runtime comms/mas-secrets-runtime comms/othrys-synapse-signingkey",
- },
-]
-
-
-_VAULT_ADMIN_POLICY = """
-path "sys/auth" {
- capabilities = ["read"]
-}
-path "sys/auth/*" {
- capabilities = ["create", "update", "delete", "sudo", "read"]
-}
-path "auth/kubernetes/*" {
- capabilities = ["create", "update", "read"]
-}
-path "auth/oidc/*" {
- capabilities = ["create", "update", "read"]
-}
-path "sys/policies/acl" {
- capabilities = ["list"]
-}
-path "sys/policies/acl/*" {
- capabilities = ["create", "update", "read"]
-}
-path "sys/internal/ui/mounts" {
- capabilities = ["read"]
-}
-path "sys/mounts" {
- capabilities = ["read"]
-}
-path "sys/mounts/auth/*" {
- capabilities = ["read", "update", "sudo"]
-}
-path "kv/data/atlas/vault/*" {
- capabilities = ["read"]
-}
-path "kv/metadata/atlas/vault/*" {
- capabilities = ["list"]
-}
-path "kv/data/*" {
- capabilities = ["create", "update", "read", "delete", "patch"]
-}
-path "kv/metadata" {
- capabilities = ["list"]
-}
-path "kv/metadata/*" {
- capabilities = ["read", "list", "delete"]
-}
-path "kv/data/atlas/shared/*" {
- capabilities = ["create", "update", "read", "patch"]
-}
-path "kv/metadata/atlas/shared/*" {
- capabilities = ["list"]
-}
-""".strip()
-
-
-_DEV_KV_POLICY = """
-path "kv/metadata" {
- capabilities = ["list"]
-}
-path "kv/metadata/atlas" {
- capabilities = ["list"]
-}
-path "kv/metadata/atlas/shared" {
- capabilities = ["list"]
-}
-path "kv/metadata/atlas/shared/*" {
- capabilities = ["list"]
-}
-path "kv/data/atlas/shared/*" {
- capabilities = ["read"]
-}
-""".strip()
-
-
class VaultClient:
"""Minimal HTTP client for Vault API requests."""
diff --git a/ariadne/services/vault_policies.py b/ariadne/services/vault_policies.py
new file mode 100644
index 0000000..39f144a
--- /dev/null
+++ b/ariadne/services/vault_policies.py
@@ -0,0 +1,258 @@
+"""Vault role and policy definitions used by Ariadne Vault reconciliation."""
+
+from __future__ import annotations
+
+K8S_ROLES: list[dict[str, str]] = [
+ {
+ "role": "outline",
+ "namespace": "outline",
+ "service_accounts": "outline-vault",
+ "read_paths": "outline/* shared/postmark-relay",
+ "write_paths": "",
+ },
+ {
+ "role": "planka",
+ "namespace": "planka",
+ "service_accounts": "planka-vault",
+ "read_paths": "planka/* shared/postmark-relay",
+ "write_paths": "",
+ },
+ {
+ "role": "bstein-dev-home",
+ "namespace": "bstein-dev-home",
+ "service_accounts": "bstein-dev-home,bstein-dev-home-vault-sync",
+ "read_paths": "portal/* shared/chat-ai-keys-runtime shared/portal-e2e-client shared/postmark-relay "
+ "mailu/mailu-initial-account-secret shared/harbor-pull",
+ "write_paths": "",
+ },
+ {
+ "role": "gitea",
+ "namespace": "gitea",
+ "service_accounts": "gitea-vault",
+ "read_paths": "gitea/*",
+ "write_paths": "",
+ },
+ {
+ "role": "vaultwarden",
+ "namespace": "vaultwarden",
+ "service_accounts": "vaultwarden-vault",
+ "read_paths": "vaultwarden/* mailu/mailu-initial-account-secret",
+ "write_paths": "",
+ },
+ {
+ "role": "sso",
+ "namespace": "sso",
+ "service_accounts": "sso-vault,sso-vault-sync,mas-secrets-ensure",
+ "read_paths": "sso/* portal/bstein-dev-home-keycloak-admin shared/keycloak-admin "
+ "shared/portal-e2e-client shared/postmark-relay shared/harbor-pull",
+ "write_paths": "",
+ },
+ {
+ "role": "mailu-mailserver",
+ "namespace": "mailu-mailserver",
+ "service_accounts": "mailu-vault-sync",
+ "read_paths": "mailu/* shared/postmark-relay shared/harbor-pull",
+ "write_paths": "",
+ },
+ {
+ "role": "harbor",
+ "namespace": "harbor",
+ "service_accounts": "harbor-vault-sync",
+ "read_paths": "harbor/* shared/harbor-pull",
+ "write_paths": "",
+ },
+ {
+ "role": "nextcloud",
+ "namespace": "nextcloud",
+ "service_accounts": "nextcloud-vault",
+ "read_paths": "nextcloud/* shared/keycloak-admin shared/postmark-relay",
+ "write_paths": "",
+ },
+ {
+ "role": "comms",
+ "namespace": "comms",
+ "service_accounts": "comms-vault,atlasbot",
+ "read_paths": "comms/* shared/chat-ai-keys-runtime shared/harbor-pull",
+ "write_paths": "",
+ },
+ {
+ "role": "jenkins",
+ "namespace": "jenkins",
+ "service_accounts": "jenkins",
+ "read_paths": "jenkins/*",
+ "write_paths": "",
+ },
+ {
+ "role": "monitoring",
+ "namespace": "monitoring",
+ "service_accounts": "monitoring-vault-sync",
+ "read_paths": "monitoring/* shared/postmark-relay shared/harbor-pull",
+ "write_paths": "",
+ },
+ {
+ "role": "logging",
+ "namespace": "logging",
+ "service_accounts": "logging-vault-sync",
+ "read_paths": "logging/* shared/harbor-pull",
+ "write_paths": "",
+ },
+ {
+ "role": "pegasus",
+ "namespace": "jellyfin",
+ "service_accounts": "pegasus-vault-sync",
+ "read_paths": "pegasus/* shared/harbor-pull",
+ "write_paths": "",
+ },
+ {
+ "role": "crypto",
+ "namespace": "crypto",
+ "service_accounts": "crypto-vault-sync",
+ "read_paths": "crypto/* shared/harbor-pull",
+ "write_paths": "",
+ },
+ {
+ "role": "health",
+ "namespace": "health",
+ "service_accounts": "health-vault-sync",
+ "read_paths": "health/*",
+ "write_paths": "",
+ },
+ {
+ "role": "maintenance",
+ "namespace": "maintenance",
+ "service_accounts": "ariadne,maintenance-vault-sync",
+ "read_paths": "maintenance/ariadne-db portal/bstein-dev-home-keycloak-admin mailu/mailu-db-secret "
+ "mailu/mailu-initial-account-secret comms/synapse-admin shared/harbor-pull",
+ "write_paths": "",
+ },
+ {
+ "role": "finance",
+ "namespace": "finance",
+ "service_accounts": "finance-vault",
+ "read_paths": "finance/* shared/postmark-relay",
+ "write_paths": "",
+ },
+ {
+ "role": "finance-secrets",
+ "namespace": "finance",
+ "service_accounts": "finance-secrets-ensure",
+ "read_paths": "",
+ "write_paths": "finance/*",
+ },
+ {
+ "role": "longhorn",
+ "namespace": "longhorn-system",
+ "service_accounts": "longhorn-vault,longhorn-vault-sync",
+ "read_paths": "longhorn/* shared/harbor-pull",
+ "write_paths": "",
+ },
+ {
+ "role": "postgres",
+ "namespace": "postgres",
+ "service_accounts": "postgres-vault",
+ "read_paths": "postgres/postgres-db",
+ "write_paths": "",
+ },
+ {
+ "role": "vault",
+ "namespace": "vault",
+ "service_accounts": "vault",
+ "read_paths": "vault/*",
+ "write_paths": "",
+ },
+ {
+ "role": "sso-secrets",
+ "namespace": "sso",
+ "service_accounts": "mas-secrets-ensure",
+ "read_paths": "shared/keycloak-admin",
+ "write_paths": "harbor/harbor-oidc vault/vault-oidc-config comms/synapse-oidc "
+ "logging/oauth2-proxy-logs-oidc finance/actual-oidc",
+ },
+ {
+ "role": "crypto-secrets",
+ "namespace": "crypto",
+ "service_accounts": "crypto-secrets-ensure",
+ "read_paths": "",
+ "write_paths": "crypto/wallet-monero-temp-rpc-auth",
+ },
+ {
+ "role": "comms-secrets",
+ "namespace": "comms",
+ "service_accounts": "comms-secrets-ensure,mas-db-ensure,mas-admin-client-secret-writer,othrys-synapse-signingkey-job",
+ "read_paths": "",
+ "write_paths": "comms/turn-shared-secret comms/livekit-api comms/synapse-redis comms/synapse-macaroon "
+ "comms/atlasbot-credentials-runtime comms/synapse-db comms/synapse-admin comms/synapse-registration "
+ "comms/mas-db comms/mas-admin-client-runtime comms/mas-secrets-runtime comms/othrys-synapse-signingkey",
+ },
+]
+
+
+VAULT_ADMIN_POLICY = """
+path "sys/auth" {
+ capabilities = ["read"]
+}
+path "sys/auth/*" {
+ capabilities = ["create", "update", "delete", "sudo", "read"]
+}
+path "auth/kubernetes/*" {
+ capabilities = ["create", "update", "read"]
+}
+path "auth/oidc/*" {
+ capabilities = ["create", "update", "read"]
+}
+path "sys/policies/acl" {
+ capabilities = ["list"]
+}
+path "sys/policies/acl/*" {
+ capabilities = ["create", "update", "read"]
+}
+path "sys/internal/ui/mounts" {
+ capabilities = ["read"]
+}
+path "sys/mounts" {
+ capabilities = ["read"]
+}
+path "sys/mounts/auth/*" {
+ capabilities = ["read", "update", "sudo"]
+}
+path "kv/data/atlas/vault/*" {
+ capabilities = ["read"]
+}
+path "kv/metadata/atlas/vault/*" {
+ capabilities = ["list"]
+}
+path "kv/data/*" {
+ capabilities = ["create", "update", "read", "delete", "patch"]
+}
+path "kv/metadata" {
+ capabilities = ["list"]
+}
+path "kv/metadata/*" {
+ capabilities = ["read", "list", "delete"]
+}
+path "kv/data/atlas/shared/*" {
+ capabilities = ["create", "update", "read", "patch"]
+}
+path "kv/metadata/atlas/shared/*" {
+ capabilities = ["list"]
+}
+""".strip()
+
+
+DEV_KV_POLICY = """
+path "kv/metadata" {
+ capabilities = ["list"]
+}
+path "kv/metadata/atlas" {
+ capabilities = ["list"]
+}
+path "kv/metadata/atlas/shared" {
+ capabilities = ["list"]
+}
+path "kv/metadata/atlas/shared/*" {
+ capabilities = ["list"]
+}
+path "kv/data/atlas/shared/*" {
+ capabilities = ["read"]
+}
+""".strip()
diff --git a/ci/loc_hygiene_waivers.tsv b/ci/loc_hygiene_waivers.tsv
index d090ebb..edab0af 100644
--- a/ci/loc_hygiene_waivers.tsv
+++ b/ci/loc_hygiene_waivers.tsv
@@ -8,7 +8,6 @@ ariadne/services/firefly.py split planned; provider methods pending partition
ariadne/settings.py split planned; settings schema + helpers pending split
ariadne/services/jenkins_workspace_cleanup.py split planned; job orchestration pending extraction
ariadne/services/wger.py split planned; provider methods pending partition
-ariadne/services/vault.py split planned; auth + data access helpers pending split
tests/test_provisioning.py test module split planned; broad provisioning coverage retained meanwhile
tests/test_services.py test module split planned; broad service contract coverage retained meanwhile
tests/test_app.py test module split planned; API coverage retained meanwhile
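Review bot: The entry format of `K8S_ROLES` is undocumented in the new module even though callers parse it: `service_accounts` is a comma-separated list, while `read_paths` and `write_paths` look like space-separated kv sub-paths (with `*` globs) where `""` means none, presumably consumed by `_build_policy(read_paths, write_paths)` in vault.py; confirm against that function and state the format in a comment above the list, e.g. `# One entry per Vault Kubernetes auth role: service_accounts is comma-separated; read_paths/write_paths are space-separated kv paths ("" = none).` A similar comment above `VAULT_ADMIN_POLICY` would help, because it mixes a broad grant (`kv/data/*` with create/update/read/delete/patch) with narrower entries for `kv/data/atlas/vault/*` and `kv/data/atlas/shared/*`; to my recollection Vault applies the most specific matching path rather than the union of matches, so a note stating which grant is expected to apply to those sub-paths would keep a future edit from treating the narrower entries as redundant. Since this file is now the single place these grants are defined, that comment is also where a reader will look for the intent behind each broad path.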