# A more formal description of this format can be found here:
# https://github.com/validatedpatterns/rhvp.cluster_utils/tree/main/roles/vault_utils#values-secret-file-format
version: "2.0"
# NEVER commit a filled-in copy of this file to git. The template itself is
# safe to keep in the repo only because every active entry below uses
# `onMissingValue: generate`, so the values are created inside Vault and never
# appear in this file. As soon as you add a literal `value:` (e.g. the
# external-registry entry) the copy holds plaintext credentials; `path:` and
# `ini_file:` entries keep the secret material on disk but still reveal where
# it lives. Keep the filled-in copy outside the repository working tree and
# out of version control.
# Vault Secret Organization:
# --------------------------
# Secrets are organized for least-privilege access:
#
# Application Secrets (fine-grained isolation):
# apps/qtodo/ - QTodo application secrets (app-level isolation)
# apps/<myapp>/ - Add your app here for isolated secrets
#
# Infrastructure Secrets (hub/infra/*):
# hub/infra/keycloak/ - Keycloak infrastructure secrets
# hub/infra/rhtpa/ - RHTPA infrastructure secrets
# hub/infra/quay/ - Quay registry credentials
# hub/infra/users/ - User credentials managed by IdP
#
# Framework Secrets:
# global/ - VP framework default (config-demo, etc.)
#
# Each path has a corresponding Vault policy granting access ONLY to its
# specific path (e.g., apps-qtodo-secret grants read to secret/data/apps/qtodo/*).
# Vault password-generation policies. Each entry is loaded into Vault and can
# be referenced by the `vaultPolicy:` field of a secret below. The body uses
# Vault's password-policy syntax: a total `length` plus `rule "charset"` blocks
# that each require at least `min-chars` characters drawn from their charset.
#
# Of the three policies here only `alphaNumericPolicy` is referenced by the
# secrets in this file; `validatedPatternDefaultPolicy`, which most entries
# use, is supplied by the framework and is not defined here. `basicPolicy`
# and `advancedPolicy` are available for your own entries.
#
# NOTE(review): `basicPolicy` produces 10-character, letters-and-digits-only
# values. That is acceptable for throwaway demo accounts, but raise `length`
# (and consider a symbol charset) before pointing anything externally
# reachable at it.
vaultPolicies:
  # 10 chars: at least one lowercase, one uppercase, one digit; no symbols.
  basicPolicy: |
    length=10
    rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }
    rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }
    rule "charset" { charset = "0123456789" min-chars = 1 }
  # 20 chars: same classes as basicPolicy plus at least one symbol from the
  # restricted set !@#^&*.
  advancedPolicy: |
    length=20
    rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }
    rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }
    rule "charset" { charset = "0123456789" min-chars = 1 }
    rule "charset" { charset = "!@#^&*" min-chars = 1 }
  # 32 chars, letters and digits only. Used below for DB passwords, OIDC
  # client secrets and truststore passwords — presumably alphanumeric-only so
  # the value embeds cleanly in connection strings and keystore tooling
  # without quoting.
  alphaNumericPolicy: |
    length=32
    rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }
    rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }
    rule "charset" { charset = "0123456789" min-chars = 1 }
# Each entry below becomes a Vault secret at <vaultPrefix>/<name> holding the
# listed fields. `onMissingValue: generate` tells the framework to have Vault
# create the value with the named `vaultPolicy` when it does not already
# exist, so no secret material for those entries ever lives in this file.
# Entries that use `value:`, `path:` or `ini_file:` instead pull material from
# outside Vault and are the ones that make a filled-in copy sensitive.
secrets:
  # ===========================================================================
  # GLOBAL SECRETS (global/)
  # VP framework default path for demo/test secrets
  # ===========================================================================
  - name: config-demo
    vaultPrefixes:
      - global
    fields:
      - name: secret
        onMissingValue: generate
        # Framework-provided policy; it is not one of the policies defined
        # in this file.
        vaultPolicy: validatedPatternDefaultPolicy
  # ===========================================================================
  # QTODO APPLICATION SECRETS (apps/qtodo/)
  # Secrets specific to the QTodo application - isolated at app level
  # Policy: apps-qtodo-secret (read access to apps/qtodo/*)
  # ===========================================================================
  - name: qtodo-db
    vaultPrefixes:
      - apps/qtodo
    fields:
      - name: admin-password
        onMissingValue: generate
        vaultPolicy: validatedPatternDefaultPolicy
      - name: db-password
        onMissingValue: generate
        vaultPolicy: validatedPatternDefaultPolicy
  # qtodo-oidc-client is no longer needed: qtodo authenticates to Keycloak with
  # a SPIFFE JWT-SVID presented as a federated client assertion, so there is
  # no long-lived client secret to store or rotate. Kept for reference only.
  #- name: qtodo-oidc-client
  #  vaultPrefixes:
  #    - apps/qtodo
  #  fields:
  #    - name: client-secret
  #      onMissingValue: generate
  #      vaultPolicy: alphaNumericPolicy
  - name: qtodo-truststore
    vaultPrefixes:
      - apps/qtodo
    fields:
      - name: truststore-password
        onMissingValue: generate
        vaultPolicy: alphaNumericPolicy
  # ===========================================================================
  # ACS SECRETS (hub/infra/acs/)
  # acs-central is active as shipped; only the init bundle below is opt-in.
  # ===========================================================================
  - name: acs-central
    vaultPrefixes:
      - hub/infra/acs
    fields:
      - name: admin-password
        onMissingValue: generate
        vaultPolicy: validatedPatternDefaultPolicy
  # NOTE: Init bundle is NOT needed for same-cluster deployments.
  # The RHACS operator auto-generates authentication when Central and
  # SecuredCluster are on the same cluster. Only uncomment for multi-cluster
  # scenarios where you need to connect remote secured clusters.
  # The bundle is an ACS-issued credential that must be produced with roxctl
  # and cannot be generated by Vault, hence `onMissingValue: ignore`. That
  # setting presumably means a missing bundle does not fail the secret load —
  # confirm against the format doc, and verify the remote SecuredCluster
  # actually connects rather than relying on the load succeeding.
  #- name: acs-init-bundle
  #  vaultPrefixes:
  #    - hub/infra/acs
  #  fields:
  #    - name: init-bundle
  #      onMissingValue: ignore # Must be generated manually via roxctl
  # ===========================================================================
  # KEYCLOAK INFRASTRUCTURE SECRETS (hub/infra/keycloak/)
  # Secrets for Keycloak infrastructure deployment
  # Policy: hub-infra-keycloak-secret (read access to hub/infra/keycloak/*)
  # ===========================================================================
  - name: keycloak
    vaultPrefixes:
      - hub/infra/keycloak
    fields:
      - name: admin-password
        onMissingValue: generate
        vaultPolicy: validatedPatternDefaultPolicy
      - name: db-password
        onMissingValue: generate
        vaultPolicy: validatedPatternDefaultPolicy
  # ===========================================================================
  # RHTPA INFRASTRUCTURE SECRETS (hub/infra/rhtpa/)
  # Secrets for Red Hat Trusted Profile Analyzer infrastructure
  # Policy: hub-infra-rhtpa-secret (read access to hub/infra/rhtpa/*)
  # ===========================================================================
  - name: rhtpa-db
    vaultPrefixes:
      - hub/infra/rhtpa
    fields:
      - name: db-password
        onMissingValue: generate
        vaultPolicy: alphaNumericPolicy
  - name: rhtpa-oidc-cli
    vaultPrefixes:
      - hub/infra/rhtpa
    fields:
      - name: client-secret
        onMissingValue: generate
        vaultPolicy: alphaNumericPolicy
  # ===========================================================================
  # USER CREDENTIALS (hub/infra/users/)
  # User passwords managed by Keycloak for application access
  # Policy: hub-infra-users-secret (Keycloak needs to provision these)
  # ===========================================================================
  - name: keycloak-users
    vaultPrefixes:
      - hub/infra/users
    fields:
      - name: qtodo-admin-password
        onMissingValue: generate
        vaultPolicy: validatedPatternDefaultPolicy
      - name: qtodo-user1-password
        onMissingValue: generate
        vaultPolicy: validatedPatternDefaultPolicy
      - name: rhtas-user-password
        onMissingValue: generate
        vaultPolicy: validatedPatternDefaultPolicy
      # Note the different policy from the other user passwords above.
      - name: rhtpa-user-password
        onMissingValue: generate
        vaultPolicy: alphaNumericPolicy
  # ===========================================================================
  # QUAY INFRASTRUCTURE SECRETS (hub/infra/quay/)
  # Registry credentials for Quay
  # Policy: hub-infra-quay-secret (read access to hub/infra/quay/*)
  # ===========================================================================
  - name: quay-users
    vaultPrefixes:
      - hub/infra/quay
    fields:
      - name: quay-admin-password
        onMissingValue: generate
        vaultPolicy: validatedPatternDefaultPolicy
      - name: quay-user-password
        onMissingValue: generate
        vaultPolicy: validatedPatternDefaultPolicy
  # External Registry Credentials (e.g., Quay.io, Docker Hub, GHCR)
  # Reserved for future use with container signing workflows
  # Uncomment and provide your credentials when needed
  # This is the one entry whose `value:` is a literal in this file: once
  # filled in it is a plaintext registry credential, so never commit that
  # copy. Prefer a robot account / scoped token limited to the repositories
  # the signing workflow needs over a personal account password.
  #- name: external-registry
  #  vaultPrefixes:
  #    - hub/infra
  #  fields:
  #    - name: username
  #      value: "your-registry-username" # Replace with your username
  #      onMissingValue: error
  #    - name: password
  #      value: "your-registry-token" # Replace with your token/password
  #      onMissingValue: error
  # ===========================================================================
  # HUB-SPECIFIC SECRETS (hub/)
  # Secrets for hub cluster management (spoke kubeconfigs, etc.)
  # Policy: hub-secret (built-in VP policy)
  # ===========================================================================
  # The next four entries set no vaultPrefixes, so they land under the
  # framework's default prefix (hub/, per the section header).
  # If you use clusterPools you will need to uncomment the following lines.
  # The keys are read from your local AWS credentials file and copied into
  # Vault in full — use a dedicated IAM principal scoped to what clusterPools
  # needs rather than a broadly privileged personal profile.
  #- name: aws
  #  fields:
  #    - name: aws_access_key_id
  #      ini_file: ~/.aws/credentials
  #      ini_section: default
  #      ini_key: aws_access_key_id
  #    - name: aws_secret_access_key
  #      ini_file: ~/.aws/credentials
  #      ini_section: default  # made explicit to match the field above
  #      ini_key: aws_secret_access_key
  #- name: publickey
  #  fields:
  #    - name: content
  #      path: ~/.ssh/id_rsa.pub
  # The private key is uploaded to Vault verbatim. Generate a key pair
  # dedicated to this pattern instead of pointing at your personal login key.
  #- name: privatekey
  #  fields:
  #    - name: content
  #      path: ~/.ssh/id_rsa
  # Registry pull secret; treat it like any other long-lived registry
  # credential.
  #- name: openshiftPullSecret
  #  fields:
  #    - name: content
  #      path: ~/.pullsecret.json
  # If you are going to import spoke clusters, add here their kubeconfig
  # entries. A kubeconfig usually carries highly privileged credentials for
  # the spoke — prefer one issued for a dedicated service account over an
  # admin user's file.
  #- name: kubeconfig-spoke-1
  #  vaultPrefixes:
  #    - hub
  #  fields:
  #    - name: content
  #      path: ~/.kube/kubeconfig-ztvp-spoke
  #- name: kubeconfig-spoke-2
  #  vaultPrefixes:
  #    - hub
  #  fields:
  #    - name: content
  #      path: ~/.kube/kubeconfig-ztvp-spoke-2