
Allow all servers to read IPsec in Vault
Closed, Public

Authored by Duranzed on Mar 2 2026, 18:15.

Details

Summary

Allow adding keys from the new pillar entry vault_secrets_ubiquity
to every node policy.

Ref T2268

Test Plan

salt complector state.sls_id salt-node-cloudhugger roles/vault/policies test=True

Diff Detail

Repository: rOPS Nasqueron Operations
Lint: Lint Passed
Unit: No Test Coverage
Branch: strongswan
Build Status: Buildable 6389
Build 6673: arc lint + arc unit

Event Timeline

Duranzed requested review of this revision. (Mar 2 2026, 18:15)
Duranzed created this revision.
$ sudo salt complector state.sls_id salt-node-cloudhugger roles/vault/policies test=True
complector:
----------
          ID: salt-node-cloudhugger
    Function: vault.policy_present
      Result: None
     Comment: Policy would be changed
     Started: 18:09:21.668208
    Duration: 841.275 ms
     Changes:   
              ----------
              salt-node-cloudhugger:
                  ----------
                  change:
                      --- 
                      +++ 
                      @@ -10,3 +10,7 @@
                       path "ops/data/secrets/nasqueron/opensearch/infra-logs/internal_users/dashboards" {
                           capabilities = [ "read" ]
                       }
                      +
                      +path "ops/data/secrets/network/ipsec/key" {
                      +    capabilities = [ "read" ]
                      +}
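
Review bot: the added path "ops/data/secrets/network/ipsec/key" stanza points every node policy at one shared secret, so a Vault token from any single server is enough to read the IPsec key. The grant itself is tight (exact path, "read" only, no glob), but the summary or the vault_secrets_ubiquity pillar entry should say why this key has to be fleet-wide, and the test plan should include a dry run for a second node policy to confirm the stanza lands in every policy and not only in salt-node-cloudhugger.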

Summary for complector
------------
Succeeded: 1 (unchanged=1, changed=1)
Failed:    0
------------
Total states run:     1
Total run time: 841.275 ms
dereckson retitled this revision from "Vault configuration to read ipsec key" to "Allow all servers to read IPsec in Vault". (Mar 4 2026, 07:01)
dereckson edited the summary of this revision.
dereckson edited the test plan for this revision.
This revision is now accepted and ready to land. (Mar 4 2026, 07:03)
This revision was automatically updated to reflect the committed changes.