Merge pull request #87 from minmzzhang/app-vault-policies

feat(vault): add fine-grained app policies and preserve hub-role

Author: mbaldessari

playbooks/process_secrets.yml

@@ -48,3 +48,4 @@
         kubernetes_secret_objects: "{{ secrets_results['kubernetes_secret_objects'] }}"
         vault_policies: "{{ secrets_results['vault_policies'] }}"
         parsed_secrets: "{{ secrets_results['parsed_secrets'] }}"
+        unique_vault_prefixes: "{{ secrets_results['unique_vault_prefixes'] | default([]) }}"

plugins/module_utils/parse_secrets_v2.py

@@ -388,3 +388,19 @@ def _inject_field(self, secret_name, f):
             self.parsed_secrets[secret_name]["fields"][f["name"]] = secret
 
         return
+
+    def get_unique_vault_prefixes(self):
+        """
+        Extract all unique vault prefixes from parsed secrets.
+
+        This is useful for creating fine-grained Vault policies for each
+        unique prefix path (e.g., apps/qtodo, hub/infra/keycloak).
+
+        Returns:
+            list: Sorted list of unique vault prefixes
+        """
+        prefixes = set()
+        for secret in self.parsed_secrets.values():
+            for prefix in secret.get("vault_prefixes", []):
+                prefixes.add(prefix)
+        return sorted(list(prefixes))

plugins/modules/parse_secrets_info.py

@@ -152,6 +152,7 @@ def run(module):
     results["parsed_secrets"] = parsed_secret_obj.parsed_secrets
     results["kubernetes_secret_objects"] = parsed_secret_obj.kubernetes_secret_objects
     results["secret_store_namespace"] = parsed_secret_obj.secret_store_namespace
+    results["unique_vault_prefixes"] = parsed_secret_obj.get_unique_vault_prefixes()
 
     module.exit_json(**results)
 

roles/vault_utils/defaults/main.yml

@@ -30,3 +30,33 @@ unseal_secret: "vaultkeys"
 unseal_namespace: "imperative"
 vault_jwt_config: false
 vault_jwt_roles: []
+
+# Default policies that VP framework requires for hub-role
+# Patterns can extend this list but these are always included
+vault_hub_role_default_policies:
+  - default
+  - "{{ vault_global_policy }}-secret"
+  - "{{ vault_pushsecrets_policy }}-secret"
+  - "{{ vault_hub }}-secret"
+
+# JWT auth policies for workloads needing direct Vault access
+# List of {name: "policy-name", policy: "HCL policy content"}
+vault_jwt_policies: []
+
+# App-specific Vault policy configuration (vault_app_policies.yaml)
+# List of app configs, each with 'prefix' and optional 'jwt_role' settings
+# Example:
+#   app_prefixes:
+#     - prefix: apps/qtodo
+#       jwt_role:
+#         service_account_names: "qtodo-sa"
+#         service_account_namespaces: "qtodo"
+#         ttl: "15m"
+#     - prefix: hub/infra/keycloak
+app_prefixes: []
+# Capabilities for app policies
+app_capabilities: '[\"read\"]'
+# Whether to update hub-role with new app policies
+app_update_hub_role: true
+# Whether to create JWT roles per app (only for entries with jwt_role defined)
+app_create_jwt_roles: false

roles/vault_utils/tasks/push_parsed_secrets.yaml

@@ -46,3 +46,23 @@
   when:
     - parsed_secrets is defined
     - parsed_secrets | length > 0
+
+# Create app-specific Vault policies for custom vaultPrefixes
+# Filter out 'global' and 'hub' as they're handled by the VP framework
+- name: Filter custom vault prefixes for app policies
+  ansible.builtin.set_fact:
+    _custom_vault_prefixes: "{{ unique_vault_prefixes | default([]) | reject('equalto', 'global') | reject('equalto', 'hub') | list }}"
+
+# Convert string list to dict format expected by vault_app_policies.yaml
+- name: Convert prefixes to app_prefixes format
+  ansible.builtin.set_fact:
+    _app_prefixes_list: "{{ _custom_vault_prefixes | map('regex_replace', '^(.*)$', '{\"prefix\": \"\\1\"}') | map('from_json') | list }}"
+  when: _custom_vault_prefixes | length > 0
+
+- name: Create app-specific Vault policies
+  ansible.builtin.include_tasks:
+    file: vault_app_policies.yaml
+  vars:
+    app_prefixes: "{{ _app_prefixes_list }}"
+    app_update_hub_role: true
+  when: _custom_vault_prefixes | length > 0

roles/vault_utils/tasks/vault_app_policies.yaml

@@ -0,0 +1,196 @@
+---
+# vault_app_policies.yaml
+# Creates fine-grained Vault policies for application-level isolation
+#
+# This task file creates individual policies for each vaultPrefix provided.
+# Each application gets its own policy that only allows access to its
+# specific path, enabling application-level secret isolation.
+#
+# Required variables:
+#   app_prefixes: List of app configs with 'prefix' key and optional 'jwt_role'
+#                 e.g., [{prefix: "apps/qtodo"}, {prefix: "hub/infra/keycloak"}]
+#
+# Optional variables:
+#   app_capabilities: Capabilities for app policies (default: read)
+#   app_update_hub_role: Whether to update hub-role with new policies (default: true)
+#   app_create_jwt_roles: Whether to create JWT roles per app (default: false)
+#
+# Example usage:
+#   - name: Create app-specific vault policies
+#     ansible.builtin.include_tasks:
+#       file: vault_app_policies.yaml
+#     vars:
+#       app_prefixes:
+#         - prefix: apps/qtodo
+#           jwt_role:
+#             service_account_names: "qtodo-sa"
+#             service_account_namespaces: "qtodo"
+#         - prefix: hub/infra/keycloak
+#       app_update_hub_role: true
+
+- name: Debug - Show app prefixes to process
+  ansible.builtin.debug:
+    msg: "Processing app prefixes: {{ app_prefixes }}"
+    verbosity: 1
+  when: app_prefixes is defined and app_prefixes | length > 0
+
+- name: Skip if no app prefixes defined
+  ansible.builtin.debug:
+    msg: "No app_prefixes defined, skipping app policy creation"
+    verbosity: 1
+  when: app_prefixes is not defined or app_prefixes | length == 0
+
+# Build list of policy names we need
+- name: Build app policy names list
+  ansible.builtin.set_fact:
+    _app_policy_names: "{{ app_prefixes | map(attribute='prefix') | map('replace', '/', '-') | map('regex_replace', '$', '-k8s-secret') | list }}"
+  when: app_prefixes is defined and app_prefixes | length > 0
+
+# Get existing policies from Vault to check what needs to be created
+- name: Get existing Vault policies
+  kubernetes.core.k8s_exec:
+    namespace: "{{ vault_ns }}"
+    pod: "{{ vault_pod }}"
+    command: vault policy list -format=json
+  register: _existing_policies_result
+  changed_when: false
+  when: app_prefixes is defined and app_prefixes | length > 0
+
+- name: Parse existing policies
+  ansible.builtin.set_fact:
+    _existing_policies: "{{ _existing_policies_result.stdout | from_json }}"
+  when:
+    - app_prefixes is defined and app_prefixes | length > 0
+    - _existing_policies_result.rc == 0
+
+# Filter to only policies that don't already exist
+- name: Determine policies to create
+  ansible.builtin.set_fact:
+    _policies_to_create: "{{ _app_policy_names | difference(_existing_policies | default([])) }}"
+  when: app_prefixes is defined and app_prefixes | length > 0
+
+- name: Debug - Show policies to create
+  ansible.builtin.debug:
+    msg: "Policies to create: {{ _policies_to_create | default([]) }} (existing: {{ _existing_policies | default([]) }})"
+    verbosity: 1
+  when: app_prefixes is defined and app_prefixes | length > 0
+
+# Create only policies that don't exist
+- name: Configure app policy in Vault
+  kubernetes.core.k8s_exec:
+    namespace: "{{ vault_ns }}"
+    pod: "{{ vault_pod }}"
+    command: >
+      bash -e -c "echo 'path \"secret/data/{{ _prefix }}/*\" { capabilities = [\"read\"] }' |
+      vault policy write {{ _prefix | replace('/', '-') }}-k8s-secret -"
+  loop: "{{ app_prefixes }}"
+  loop_control:
+    label: "Writing policy {{ _prefix | replace('/', '-') }}-k8s-secret"
+  vars:
+    _prefix: "{{ item.prefix }}"
+    _policy_name: "{{ item.prefix | replace('/', '-') }}-k8s-secret"
+  when:
+    - app_prefixes is defined and app_prefixes | length > 0
+    - _policy_name in (_policies_to_create | default([]))
+
+# Get current hub-role policies
+- name: Get current hub-role policies
+  kubernetes.core.k8s_exec:
+    namespace: "{{ vault_ns }}"
+    pod: "{{ vault_pod }}"
+    command: >
+      vault read -format=json auth/{{ vault_hub }}/role/{{ vault_hub }}-role
+  register: _hub_role_result
+  failed_when: false
+  changed_when: false
+  when:
+    - app_prefixes is defined and app_prefixes | length > 0
+    - app_update_hub_role | default(true) | bool
+
+# Parse current policies and merge with new ones
+- name: Set current policies fact
+  ansible.builtin.set_fact:
+    _current_policies: "{{ (_hub_role_result.stdout | from_json).data.token_policies | default(vault_hub_role_default_policies) }}"
+  when:
+    - app_prefixes is defined and app_prefixes | length > 0
+    - app_update_hub_role | default(true) | bool
+    - _hub_role_result.rc == 0
+
+- name: Set default policies if hub-role not found
+  ansible.builtin.set_fact:
+    _current_policies: "{{ vault_hub_role_default_policies }}"
+  when:
+    - app_prefixes is defined and app_prefixes | length > 0
+    - app_update_hub_role | default(true) | bool
+    - _hub_role_result.rc != 0
+
+# Merge current and new policies (removing duplicates)
+- name: Merge policies
+  ansible.builtin.set_fact:
+    _merged_policies: "{{ (_current_policies + _app_policy_names) | unique }}"
+  when:
+    - app_prefixes is defined and app_prefixes | length > 0
+    - app_update_hub_role | default(true) | bool
+
+# Check if hub-role policies need updating
+- name: Check if hub-role policies changed
+  ansible.builtin.set_fact:
+    _hub_role_policies_changed: "{{ _current_policies | sort != _merged_policies | sort }}"
+  when:
+    - app_prefixes is defined and app_prefixes | length > 0
+    - app_update_hub_role | default(true) | bool
+
+- name: Debug - Hub role policy change status
+  ansible.builtin.debug:
+    msg: "Hub role policies changed: {{ _hub_role_policies_changed }} (current: {{ _current_policies | sort }}, merged: {{ _merged_policies | sort }})"
+    verbosity: 1
+  when:
+    - app_prefixes is defined and app_prefixes | length > 0
+    - app_update_hub_role | default(true) | bool
+
+# Update hub-role only if policies have changed
+- name: Update hub-role with app policies
+  kubernetes.core.k8s_exec:
+    namespace: "{{ vault_ns }}"
+    pod: "{{ vault_pod }}"
+    command: >
+      vault write auth/{{ vault_hub }}/role/{{ vault_hub }}-role
+        bound_service_account_names="{{ active_external_secrets_sa | default('golang-external-secrets') }}"
+        bound_service_account_namespaces="{{ active_external_secrets_ns | default('golang-external-secrets') }}"
+        policies="{{ _merged_policies | join(',') }}"
+        ttl="{{ vault_hub_ttl }}"
+  when:
+    - app_prefixes is defined and app_prefixes | length > 0
+    - app_update_hub_role | default(true) | bool
+    - _hub_role_policies_changed | bool
+
+- name: Display updated hub-role policies
+  ansible.builtin.debug:
+    msg: "hub-role policies updated to: {{ _merged_policies | join(', ') }}"
+    verbosity: 1
+  when:
+    - app_prefixes is defined and app_prefixes | length > 0
+    - app_update_hub_role | default(true) | bool
+    - _hub_role_policies_changed | bool
+
+# Optionally create JWT roles for app-level isolation
+# Only creates roles for entries that have jwt_role defined
+- name: Configure JWT role for app (if configured)
+  kubernetes.core.k8s_exec:
+    namespace: "{{ vault_ns }}"
+    pod: "{{ vault_pod }}"
+    command: >
+      vault write auth/"{{ vault_hub }}"/role/"{{ _app_name }}"-role
+        bound_service_account_names="{{ item.jwt_role.service_account_names }}"
+        bound_service_account_namespaces="{{ item.jwt_role.service_account_namespaces }}"
+        policies="default,{{ vault_global_policy }}-secret,{{ item.prefix | replace('/', '-') }}-k8s-secret"
+        ttl="{{ item.jwt_role.ttl | default(vault_hub_ttl) }}"
+  loop: "{{ app_prefixes }}"
+  loop_control:
+    label: "Creating JWT role for {{ _app_name }}"
+  vars:
+    _app_name: "{{ item.prefix | basename }}"
+  when:
+    - app_prefixes is defined and app_prefixes | length > 0
+    - app_create_jwt_roles | default(false) | bool
+    - item.jwt_role is defined

roles/vault_utils/tasks/vault_jwt.yaml

@@ -102,6 +102,21 @@
         not jwt_config_oidc_discovery_url == oidc_discovery_url or
         not jwt_config_default_role == default_role | default('default')
 
+# Create JWT auth policies from vault_jwt_policies variable
+# These are manually defined policies for SPIFFE workloads that need direct Vault access
+- name: Write JWT policies directly to Vault
+  kubernetes.core.k8s_exec:
+    namespace: "{{ vault_ns }}"
+    pod: "{{ vault_pod }}"
+    command: |
+      bash -e -c 'cat <<EOF | vault policy write {{ item.name }} -
+      {{ item.policy }}
+      EOF'
+  loop: "{{ vault_jwt_policies | default([]) }}"
+  loop_control:
+    label: "Writing JWT policy {{ item.name }}"
+  when: vault_jwt_policies is defined and vault_jwt_policies | length > 0
+
 - name: Run JWT role tasks
   ansible.builtin.include_tasks: vault_jwt_roles.yaml
   loop: "{{ vault_jwt_roles | default([]) }}"

roles/vault_utils/tasks/vault_secrets_init.yaml

@@ -130,12 +130,51 @@
     pod: "{{ vault_pod }}"
     command: "vault policy write {{ vault_hub }}-secret /tmp/policy-{{ vault_hub }}.hcl"
 
-- name: Configure kubernetes role for hub
+# Get current hub-role policies to preserve any custom policies added by patterns
+- name: Get current hub-role policies
+  kubernetes.core.k8s_exec:
+    namespace: "{{ vault_ns }}"
+    pod: "{{ vault_pod }}"
+    command: >
+      vault read -format=json auth/{{ vault_hub }}/role/{{ vault_hub }}-role
+  register: _hub_role_result
+  failed_when: false
+  changed_when: false
+
+# Get existing policies (empty list if role doesn't exist yet)
+- name: Set current policies fact from existing hub-role
+  ansible.builtin.set_fact:
+    _current_hub_policies: "{{ (_hub_role_result.stdout | from_json).data.token_policies | default([]) }}"
+  when: _hub_role_result.rc == 0
+
+- name: Set empty current policies if hub-role not found
+  ansible.builtin.set_fact:
+    _current_hub_policies: []
+  when: _hub_role_result.rc != 0
+
+# Merge existing policies with defaults (preserves custom policies, ensures defaults present)
+- name: Merge hub-role policies
+  ansible.builtin.set_fact:
+    _merged_hub_policies: "{{ (_current_hub_policies + vault_hub_role_default_policies) | unique }}"
+
+# Determine if we need to update the hub-role
+- name: Check if hub-role policies need updating
+  ansible.builtin.set_fact:
+    _hub_role_needs_update: "{{ (_hub_role_result.rc != 0) or (_current_hub_policies | sort != _merged_hub_policies | sort) }}"
+
+- name: Debug - Hub role update status
+  ansible.builtin.debug:
+    msg: "Hub role needs update: {{ _hub_role_needs_update }} (role exists: {{ _hub_role_result.rc == 0 }}, current: {{ _current_hub_policies | sort }}, merged: {{ _merged_hub_policies | sort }})"
+    verbosity: 1
+
+- name: Configure kubernetes role for hub with merged policies
   kubernetes.core.k8s_exec:
     namespace: "{{ vault_ns }}"
     pod: "{{ vault_pod }}"
     command: >
       vault write auth/"{{ vault_hub }}"/role/"{{ vault_hub }}"-role
         bound_service_account_names="{{ active_external_secrets_sa }}"
         bound_service_account_namespaces="{{ active_external_secrets_ns }}"
-        policies="default,{{ vault_global_policy }}-secret,{{ vault_pushsecrets_policy }}-secret,{{ vault_hub }}-secret" ttl="{{ vault_hub_ttl }}"
+        policies="{{ _merged_hub_policies | join(',') }}"
+        ttl="{{ vault_hub_ttl }}"
+  when: _hub_role_needs_update | bool