Skip to content

feat(vault): reorganize secrets with fine-grained policies#96

Merged
sabre1041 merged 1 commit intovalidatedpatterns:mainfrom
minmzzhang:secrets-reorganization-pr
Jan 31, 2026
Merged

feat(vault): reorganize secrets with fine-grained policies#96
sabre1041 merged 1 commit intovalidatedpatterns:mainfrom
minmzzhang:secrets-reorganization-pr

Conversation

@minmzzhang
Copy link
Collaborator

@minmzzhang minmzzhang commented Jan 23, 2026
edited
Loading

Reorganize Vault secrets into segmented paths for least-privilege access:

Secret Path Structure:

  • apps/<app-name>/ - Application-specific secrets (e.g., apps/qtodo/)
  • hub/infra/<component>/ - Infrastructure secrets (e.g., hub/infra/keycloak/)
  • global/ - Shared secrets (unchanged)
  • hub/ - Hub-level secrets (unchanged)

Policy Naming Convention:

  • K8s auth policies: -k8s-secret (for ClusterSecretStore/ExternalSecrets)
  • JWT auth policies: -jwt-secret (for SPIFFE workload identity)

Changes:

  • Update vaultPrefixes in values-secret.yaml.template for new paths
  • Update ExternalSecret references in chart values.yaml files
  • Add JWT policies to values-hub.yaml for SPIFFE workload authentication
  • Pass JWT policies to vault-config-jwt ansible task via vault-utils.sh

This enables application-level secret isolation where each app only has access to its own secrets, following zero-trust principles.

Depends on: rhvp/rhvp.cluster_utils PR validatedpatterns/rhvp.cluster_utils#87 for auto-creating K8s auth policies

Secrets Structure

secret/data/
├── global/                           # VP Framework Default
│   └── config-demo/                  # Demo/test secrets
│       └── secret
│
├── apps/                             # Application Secrets (fine-grained isolation)
│   └── qtodo/                        # QTodo Application
│       ├── qtodo-db/                 # Database credentials
│       │   ├── admin-password
│       │   └── db-password
│       ├── qtodo-oidc-client/        # OIDC client secret
│       │   └── client-secret
│       └── qtodo-truststore/         # Truststore password
│           └── truststore-password
│
└── hub/                              # Hub Infrastructure Secrets
    └── infra/
        ├── keycloak/                 # Keycloak Infrastructure
        │   └── keycloak/
        │       ├── admin-password
        │       └── db-password
        │
        ├── rhtpa/                    # RHTPA Infrastructure
        │   ├── rhtpa-db/
        │   │   └── db-password
        │   └── rhtpa-oidc-cli/
        │       └── client-secret
        │
        ├── users/                    # User Credentials (managed by Keycloak)
        │   └── keycloak-users/
        │       ├── qtodo-admin-password
        │       ├── qtodo-user1-password
        │       ├── rhtas-user-password
        │       └── rhtpa-user-password
        │
        └── quay/                     # Quay Registry
            └── quay-users/
                ├── quay-admin-password
                └── quay-user-password

@minmzzhang minmzzhang force-pushed the secrets-reorganization-pr branch 2 times, most recently from 908984c to 8eee878 Compare January 26, 2026 21:56
@mlorenzofr mlorenzofr self-requested a review January 30, 2026 15:03
mlorenzofr
mlorenzofr approved these changes Jan 30, 2026
View reviewed changes
Copy link
Collaborator

@mlorenzofr mlorenzofr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tested and everything worked as expected, good job 👍

LGTM

sabre1041
sabre1041 requested changes Jan 30, 2026
View reviewed changes
Copy link
Collaborator

@sabre1041 sabre1041 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks really good @minmzzhang and will make it much easier for end users to be able to both located and understand the purpose of each secret stored in Vault.

One item to update if possible. Can you update qtodo-user -> qtodo-user1 in

https://github.com/validatedpatterns/layered-zero-trust/blob/main/docs/multi-tier.md?plain=1#L35

@minmzzhang
feat(vault): reorganize secrets with fine-grained policies
fd4287e 
Reorganize Vault secrets into segmented paths for least-privilege access:

Secret Path Structure:
- apps/<app-name>/ - Application-specific secrets (e.g., apps/qtodo/)
- hub/infra/<component>/ - Infrastructure secrets (e.g., hub/infra/keycloak/)
- global/ - Shared secrets (unchanged)
- hub/ - Hub-level secrets (unchanged)

Policy Naming Convention:
- K8s auth policies: <path>-k8s-secret (for ClusterSecretStore/ExternalSecrets)
- JWT auth policies: <path>-jwt-secret (for SPIFFE workload identity)

Changes:
- Update vaultPrefixes in values-secret.yaml.template for new paths
- Update ExternalSecret references in chart values.yaml files
- Add JWT policies to values-hub.yaml for SPIFFE workload authentication
- Pass JWT policies to vault-config-jwt ansible task via vault-utils.sh

This enables application-level secret isolation where each app only has
access to its own secrets, following zero-trust principles.

Depends on: rhvp/rhvp.cluster_utils PR for auto-creating K8s auth policies

Signed-off-by: Min Zhang <minzhang@redhat.com>
@minmzzhang minmzzhang force-pushed the secrets-reorganization-pr branch from 8eee878 to fd4287e Compare January 30, 2026 21:52
@minmzzhang
Copy link
Collaborator Author

minmzzhang commented Jan 30, 2026

This looks really good @minmzzhang and will make it much easier for end users to be able to both located and understand the purpose of each secret stored in Vault.

One item to update if possible. Can you update qtodo-user -> qtodo-user1 in

https://github.com/validatedpatterns/layered-zero-trust/blob/main/docs/multi-tier.md?plain=1#L35

updated..

sabre1041
sabre1041 approved these changes Jan 31, 2026
View reviewed changes
Copy link
Collaborator

@sabre1041 sabre1041 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@sabre1041 sabre1041 merged commit ca463ef into validatedpatterns:main Jan 31, 2026
3 checks passed
@minmzzhang minmzzhang deleted the secrets-reorganization-pr branch February 11, 2026 15:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sabre1041 sabre1041 sabre1041 approved these changes

@mlorenzofr mlorenzofr mlorenzofr approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@minmzzhang @sabre1041 @mlorenzofr