Skip to content

refact: support secrets from env vars and include vault namespace header#45

Merged
daisieh merged 38 commits intomainfrom
refact/secrets-env-vars
Nov 13, 2025
Merged

refact: support secrets from env vars and include vault namespace header#45
daisieh merged 38 commits intomainfrom
refact/secrets-env-vars

Conversation

@v-rocheleau
Copy link
Contributor

@v-rocheleau v-rocheleau commented Oct 16, 2025
edited
Loading

Related to the deployment of pcgl-authz on Kubernetes
Problems:

  1. Mounting a shared volume at /app for the API and the OPA sidecar erases the files built in the image at that path, breaking the Flask API
  2. In k8s, pcgl-authz will not use the root Vault namespace, it needs to use a specific namespace that is managed for it. Every request made to Vault must specify the namespace
  3. In k8s, pcgl-authz must not unseal the Vault server

Solutions:

  1. Mount the shared volume at /permissions_engine in the containers, copied/modified from /app/permissions_engine present in the image. This prevents erasing application files at /app.
  2. Add support for a VAULT_NAMESPACE environment variable whose value is added to the X-Vault-Namespace header (if provided), along with X-Vault-Token
  3. Created different entrypoints for local-dev with unseal (dev.entrypoint.sh) and k8s deployment without unseal (entrypoint.sh).

@v-rocheleau v-rocheleau requested a review from daisieh October 16, 2025 21:20
v-rocheleau
v-rocheleau commented Oct 16, 2025
View reviewed changes
app/permissions_engine/vault.rego Outdated

else := "opa"

# TODO: need to pass the 'X-Vault-Namespace' header to the vault requests
Copy link
Contributor Author

@v-rocheleau v-rocheleau Oct 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not super familiar with rego, so I would like to know your opinion on the best way to do this @daisieh .
The name of the Vault namespace will be set as an environment variable VAULT_NAMESPACE in the container.
When the env var is present, we simply need to add its value in the X-Vault-Namespace header.

@v-rocheleau
Copy link
Contributor Author

v-rocheleau commented Oct 16, 2025

Will fix the tests soon

daisieh and others added 25 commits October 17, 2025 12:44
@daisieh
Fix method call
639be74
@v-rocheleau
Merge branch 'main' into refact/secrets-env-vars
6c05da2
@v-rocheleau
fix(gh-actions/pr-build): repo lower casefor image name
6550644
@v-rocheleau
fix pr build image name
18f4522
@v-rocheleau
explicit ghcr image name for consictency
0c38a6b
@v-rocheleau
build pr images to repo package path
a06dd86
@v-rocheleau
refact: copy permissions engine files to dir that can be safely shared
69361c6
@v-rocheleau
fix permissions engine dir name
1de505c
@v-rocheleau
recursive copy of permissions engine files
16de84f
@v-rocheleau
init policies dirs and permissions
5a9a946
@v-rocheleau
fix permissions engine path copy
a5915c7
@v-rocheleau
fix copying of permissions engine files again
c1137ea
@v-rocheleau
rm root token usage in renew_token
607ad69
@v-rocheleau
logging for secret id retrieval debug
0da6d1f
@v-rocheleau
debug logs
834b934
@v-rocheleau
rm debug logs
f6c368f
@v-rocheleau
comment out test roleid
063bf2c
@v-rocheleau
include namespace in token renewal script
fbf6d4c
@v-rocheleau
add missing vault namespace header
dff3bfb
@v-rocheleau
refact(rego): customize vault.rego to include namespace headers
4ceee96
@v-rocheleau
sed vault namespace in entrypoint
ee5b7f4
@v-rocheleau
fix rego syntax err
dcc7787
@v-rocheleau
rego syntax
b5c0e3c
@v-rocheleau
rego syntax fixes
0aa4ef9
@v-rocheleau
more rego syntax fixes
5e82a14
daisieh
daisieh approved these changes Nov 13, 2025
View reviewed changes
Copy link
Contributor

@daisieh daisieh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I fixed all of the permissions-engine instances to permissions_engine and everything seems to work now. LGTM.

@daisieh daisieh merged commit 3dcbe02 into main Nov 13, 2025
4 of 5 checks passed
@daisieh daisieh deleted the refact/secrets-env-vars branch November 13, 2025 21:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@daisieh daisieh daisieh approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@v-rocheleau @daisieh