Closed itsouvalas closed 2 years ago
I do not believe we should be allowing the sudo capability without explicit user input. We should be following the principle of least privilege.
We might want to add the patch capability
I am confused as to what this is trying to accomplish. I agree with Norm regarding the granting of sudo should be minimized if not refused altogether. Has something changed recently that has made how we've been doing this for years no longer viable? It simply looks like the vault token used doesn't have the correct permissions/policy in place to read secrets/(meta)data/handshake, which the standard policy sets up.
After investigation, I see you're trying to use the concourse approle for the genesis-pipeline, when you should be using the genesis-pipeline approle. The concourse approle is intended to allow concourse to read concourse/* to fetch secrets inside concourse, which populates ((variables)) in the pipeline YAML files. The genesis-pipeline approle is to be provided in those secrets to be made available to the workers to access safe under genesis.
Concourse pipelines rely on `safe exists secret/handshake` to confirm connectivity to vault. Although this could be addressed by adding `path "secret/data/handshake"`, the rest of the pipeline requires secrets that are stored under `secret/*`. The lines below add the following policy line and allow for the pipeline to proceed accordingly.
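As an added example (not code from this PR, from Genesis or from safe), a simplified Vault-style policy evaluator that contrasts the three policies the thread mentions: the concourse approle's `concourse/*`, a `secret/data/handshake`-only rule that passes the handshake check but nothing else, and a `secret/*` read/list rule that covers the pipeline without ever granting `sudo`. The policy names and request paths are constructed, and the matcher only implements Vault's trailing `*` and `+` wildcards plus deny precedence, not its most-specific-match rules.

```python
"""Simplified Vault-style ACL evaluator (constructed example, not Vault's code).
A trailing '*' is a prefix glob and '+' matches one whole path segment, as in
Vault policies; the real evaluator also applies most-specific-match rules."""

def vault_path_matches(policy_path: str, request_path: str) -> bool:
    p_segs, r_segs = policy_path.split("/"), request_path.split("/")
    if policy_path.endswith("*"):
        # Prefix glob: every policy segment before the last must match a whole
        # request segment; the last (minus '*') is a prefix of its segment.
        if len(r_segs) < len(p_segs):
            return False
        head, tail = p_segs[:-1], p_segs[-1][:-1]
        return all(p in ("+", r) for p, r in zip(head, r_segs)) and \
            r_segs[len(head)].startswith(tail)
    return len(p_segs) == len(r_segs) and \
        all(p in ("+", r) for p, r in zip(p_segs, r_segs))

def allowed(policy: dict, request_path: str, capability: str) -> bool:
    """Grant if some matching rule lists the capability and none lists deny."""
    granted = set()
    for path, caps in policy.items():
        if vault_path_matches(path, request_path):
            if "deny" in caps:
                return False
            granted.update(caps)
    return capability in granted

# Constructed policies mirroring the options discussed in the thread. With KV v2,
# `safe exists secret/handshake` is a read of secret/data/handshake.
CONCOURSE_POLICY = {"concourse/*": ["read", "list"]}   # concourse approle, wrong tree
HANDSHAKE_ONLY = {"secret/data/handshake": ["read"]}    # passes only the handshake
PIPELINE_POLICY = {"secret/*": ["read", "list"],        # what the pipeline needs
                   "sys/*": ["deny"]}                    # explicit deny, never sudo

def pipeline_checks(policy: dict) -> dict:
    """Outcome of the requests a pipeline makes (constructed paths) under a policy."""
    return {
        "handshake": allowed(policy, "secret/data/handshake", "read"),
        "deploy_secret": allowed(policy, "secret/data/my-env/some-creds", "read"),
        "list_env": allowed(policy, "secret/metadata/my-env", "list"),
        "sudo": allowed(policy, "secret/data/handshake", "sudo"),
    }

if __name__ == "__main__":
    for name, pol in [("concourse", CONCOURSE_POLICY),
                      ("handshake-only", HANDSHAKE_ONLY),
                      ("pipeline", PIPELINE_POLICY)]:
        print(f"{name:15s} {pipeline_checks(pol)}")
```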