Sync: Automated sync from main to public branch.

Author: lj020326

image/Dockerfile

@@ -12,11 +12,15 @@ ARG BUILD_ID=devel
 LABEL build=$BUILD_ID
 
 # Install dependencies
-RUN apk add --no-cache curl
-RUN apk add --no-cache ansible
-RUN apk add --no-cache jq
-RUN apk add --no-cache python3 py3-pip py3-yaml
-RUN apk add --no-cache bash  # Added: For re-encryption subprocess
+RUN apk add --no-cache \
+    curl \
+    ansible \
+    jq \
+    python3 \
+    py3-pip \
+    py3-yaml \
+    bash \
+    openssl
 RUN python3 -m venv /opt/venv && \
     /opt/venv/bin/pip install --no-cache-dir hvac pyyaml
 

test/openbao_config.yml

@@ -10,12 +10,48 @@ policies:
       path "pki-intermediate/*" {
         capabilities = ["read", "list"]
       }
-      path "kv/data/trusted_external" {
+      # issue/sign for deploys
+      path "pki-intermediate/issue/*" {
+        capabilities = ["create", "update"]
+      }
+      path "pki-intermediate/issue/internal-api" {
+        capabilities = ["create", "update"]
+      }
+      path "pki-intermediate/sign/*" {
+        capabilities = ["create", "update"]
+      }
+      path "pki-intermediate/config/*" {
+        capabilities = ["read"]
+      }
+      path "pki-intermediate/roles/*" {
+        capabilities = ["read"]
+      }
+      # Allow full access to the PKI KV Cache
+      path "secret/data/pki_cache/*" {
+        capabilities = ["create", "read", "update", "delete", "list"]
+      }
+      # If using KV version 1, or for listing metadata in KV version 2
+      path "secret/metadata/pki_cache/*" {
+        capabilities = ["list", "read"]
+      }
+      path "secret/data/trusted_internal/*" {
+        capabilities = ["read"]
+      }
+      path "secret/metadata/trusted_internal" {
+        capabilities = ["list"]
+      }
+      path "secret/data/trusted_external/*" {
         capabilities = ["read"]
       }
+      path "secret/metadata/trusted_external" {
+        capabilities = ["list"]
+      }
       path "auth/token/lookup*" {
         capabilities = ["read"]
       }
+      path "sys/mounts" {
+        capabilities = ["read"]
+      }
   user:
     hcl_content: |
       path "secret/*" {