Paths

Table of Contentst

Differential D3987

Allow all servers to read IPsec in Vault
ClosedPublic
Actions

Authored by Duranzed on Mar 2 2026, 18:15.

Tags

Referenced Files

	F30689598: D3987.id10341.diff
	Tue, May 26, 03:01

	Unknown Object (File)
	Mon, May 18, 23:39

	Unknown Object (File)
	Thu, May 14, 15:26

	Unknown Object (File)
	Wed, May 13, 22:20

	Unknown Object (File)
	Sat, May 9, 10:02

	Unknown Object (File)
	Sat, May 9, 00:24

	Unknown Object (File)
	Thu, May 7, 12:02

	Unknown Object (File)
	Tue, May 5, 20:29

View All 74 Files

Subscribers

None

Details

Reviewers

Maniphest Tasks

T2268: Configure IPsec tunnels on Saltstack

Commits

rOPS7a20ee8b442c: Allow all servers to read IPsec in Vault

Summary

Allow to add to every node policy keys from the new pillar entry
vault_secrets_ubiquity.

Test Plan

salt complector state.sls_id salt-node-cloudhugger roles/vault/policies test=True

Diff Detail

Repository

rOPS Nasqueron Operations

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

Duranzed requested review of this revision.Mar 2 2026, 18:15

Duranzed created this revision.

Harbormaster completed remote builds in B6389: Diff 10341.Mar 2 2026, 18:15

Duranzed edited the summary of this revision. (Show Details)Mar 2 2026, 18:17

Duranzed added a task: T2268: Configure IPsec tunnels on Saltstack .

$ sudo salt complector state.sls_id salt-node-cloudhugger roles/vault/policies test=True
complector:
----------
          ID: salt-node-cloudhugger
    Function: vault.policy_present
      Result: None
     Comment: Policy would be changed
     Started: 18:09:21.668208
    Duration: 841.275 ms
     Changes:   
              ----------
              salt-node-cloudhugger:
                  ----------
                  change:
                      --- 
                      +++ 
                      @@ -10,3 +10,7 @@
                       path "ops/data/secrets/nasqueron/opensearch/infra-logs/internal_users/dashboards" {
                           capabilities = [ "read" ]
                       }
                      +
                      +path "ops/data/secrets/network/ipsec/key" {
                      +    capabilities = [ "read" ]
                      +}

Summary for complector
------------
Succeeded: 1 (unchanged=1, changed=1)
Failed:    0
------------
Total states run:     1
Total run time: 841.275 ms

dereckson retitled this revision from Vault configuration to read ipsec key to Allow all servers to read IPsec in Vault.Mar 4 2026, 07:01

dereckson edited the summary of this revision. (Show Details)

dereckson edited the test plan for this revision. (Show Details)

dereckson accepted this revision.Mar 4 2026, 07:03

This revision is now accepted and ready to land.Mar 4 2026, 07:03

dereckson mentioned this in D3988: Configure strongSwan as IPsec implementation.Mar 4 2026, 07:14

Duranzed added a project: User-Duranzed.Mar 5 2026, 12:46

Closed by commit rOPS7a20ee8b442c: Allow all servers to read IPsec in Vault (authored by Duranzed, committed by yousra). · Explain WhyMar 5 2026, 12:52

This revision was automatically updated to reflect the committed changes.

yousra added a commit: rOPS7a20ee8b442c: Allow all servers to read IPsec in Vault.

Revision Contents
Changeset List

Path

Size

_modules/

9 lines

pillar/

credentials/

6 lines

Diff 10384

_modules/credentials.py

Loading...

pillar/credentials/vault.sls

Loading...