Add nerc-common-reader policy

This grants access to any secrets stored under nerc/common/. We grant all clusters access to this path so that we can place common secrets here and have them accessible to all clusters.
OCP-on-NERC · Feb 13, 2024 · 8b08553 · 8b08553
1 parent 10f11f9
commit 8b08553
Showing 3 changed files with 10 additions and 0 deletions.
diff --git a/config/global/policies.jsonnet b/config/global/policies.jsonnet
@@ -12,6 +12,12 @@
         policy: importstr 'policies/default.hcl',
       },
     },
+    {
+      path: '/v1/sys/policy/nerc-common-reader',
+      payload: {
+        policy: importstr 'policies/nerc-common-reader.hcl',
+      },
+    },
     {
       path: '/v1/sys/policy/nerc-all-reader',
       payload: {

diff --git a/lib/cluster.libsonnet b/lib/cluster.libsonnet
@@ -41,6 +41,7 @@ function(
         ],
         bound_service_account_namespaces: service_account_namespaces,
         token_policies: [
+          "nerc-common-reader",
           std.format("%s-reader", cluster_name),
         ],
       },

diff --git a/lib/policies/nerc-common-reader.hcl b/lib/policies/nerc-common-reader.hcl
@@ -0,0 +1,3 @@
+path "nerc/data/common/*" {
+  capabilities = ["read"]
+}