
Commit 0815516

committed
revert: remove supply-chain enablement from this PR
Revert values-hub.yaml and values-vault-jwt.yaml to main. This PR should only contain the rhbk chart generalization and the pipeline git-clone fix. Signed-off-by: Min Zhang <minzhang@redhat.com>
1 parent a858cdf commit 0815516

2 files changed

Lines changed: 458 additions & 292 deletions


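--- a/overrides/values-vault-jwt.yaml
+++ b/overrides/values-vault-jwt.yaml
@@ -6,36 +6,36 @@ vault_jwt_policies:
 # Only define policies for apps that need direct Vault access
 # K8s auth policies (<prefix>-k8s-secret) are auto-created by Ansible
 # ============================================================
-- name: apps-qtodo-jwt-secret
-policy: |
-path "secret/data/apps/qtodo/*" {
-capabilities = ["read"]
-}
-- name: hub-infra-rhtpa-jwt-secret
-policy: |
-path "secret/data/hub/infra/rhtpa/*" {
-capabilities = ["read"]
-}
-- name: hub-supply-chain-jwt-secret
-policy: |
-path "secret/data/hub/infra/quay/*" {
-capabilities = ["read"]
-}
-path "secret/data/hub/infra/registry/*" {
-capabilities = ["read", "create", "update"]
-}
-path "secret/data/hub/infra/rhtpa/rhtpa-oidc-cli" {
-capabilities = ["read"]
-}
-path "secret/data/hub/supply-chain/*" {
-capabilities = ["read"]
-}
+- name: apps-qtodo-jwt-secret
+policy: |
+path "secret/data/apps/qtodo/*" {
+capabilities = ["read"]
+}
+- name: hub-infra-rhtpa-jwt-secret
+policy: |
+path "secret/data/hub/infra/rhtpa/*" {
+capabilities = ["read"]
+}
+- name: hub-supply-chain-jwt-secret
+policy: |
+path "secret/data/hub/infra/quay/*" {
+capabilities = ["read"]
+}
+path "secret/data/hub/infra/registry/*" {
+capabilities = ["read", "create", "update"]
+}
+path "secret/data/hub/infra/rhtpa/rhtpa-oidc-cli" {
+capabilities = ["read"]
+}
+path "secret/data/hub/supply-chain/*" {
+capabilities = ["read"]
+}
 vault_jwt_roles:
-- name: qtodo
-audience: https://keycloak.apps.{{ $.Values.global.clusterDomain }}/realms/ztvp
-subject: spiffe://apps.{{ $.Values.global.clusterDomain }}/ns/qtodo/sa/qtodo
-policies:
-- apps-qtodo-jwt-secret
+- name: qtodo
+audience: https://keycloak.apps.{{ $.Values.global.clusterDomain }}/realms/ztvp
+subject: spiffe://apps.{{ $.Values.global.clusterDomain }}/ns/qtodo/sa/qtodo
+policies:
+- apps-qtodo-jwt-secret
 # RHTPA vault role
 # - name: rhtpa
 # audience: rhtpa
@@ -48,16 +48,6 @@ vault_jwt_roles:
 # subject: spiffe://apps.{{ $.Values.global.clusterDomain }}/ns/{{ $.Values.global.pattern }}-hub/sa/pipeline
 # policies:
 # - hub-supply-chain-jwt-secret
-- name: rhtpa
-audience: rhtpa
-subject: "spiffe://apps.{{ $.Values.global.clusterDomain }}/ns/trusted-profile-analyzer/sa/rhtpa"
-policies:
-- hub-infra-rhtpa-jwt-secret
-- name: supply-chain
-audience: supply-chain
-subject: "spiffe://apps.{{ $.Values.global.clusterDomain }}/ns/{{ $.Values.global.pattern }}-hub/sa/pipeline"
-policies:
-- hub-supply-chain-jwt-secret
 oidc_discovery_url: https://spire-spiffe-oidc-discovery-provider.zero-trust-workload-identity-manager.svc.cluster.local
 # oidcDiscoveryCa: /run/secrets/kubernetes.io/serviceaccount/service-ca.crt
 # defaultRole: qtodo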
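Review bot: After the second hunk removes the `rhtpa` and `supply-chain` roles, `hub-infra-rhtpa-jwt-secret` and `hub-supply-chain-jwt-secret` stay defined under `vault_jwt_policies` in the first hunk but no remaining `vault_jwt_roles` entry references them, so the one policy in this file that grants `create`/`update` on `secret/data/hub/infra/registry/*` is now unbound, which sits oddly with the header comment `# Only define policies for apps that need direct Vault access`. Since this commit is a revert to main, those definitions are presumably already on main and out of scope for the PR; a short comment above `- name: hub-supply-chain-jwt-secret`, e.g. `# not bound to any role until the rhtpa/supply-chain roles below are re-enabled`, would stop the wider grant being read as live. The first hunk's removed and added lines are textually identical on this rendered page, so the change there looks like indentation only and cannot be checked here; it is worth confirming the `policy: |` block scalars still indent consistently after the revert.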
