The FromRef implementation for admin_endpoints::AppState was missing the local_search_ui_rate_limiter field, causing a compilation error.

This completes P3.3.d Redis backend extras, which were already fully implemented:
- Rate-limit keys with EXPIRE (miroir:ratelimit:searchui:<ip>, miroir:ratelimit:adminlogin:<ip>, miroir:ratelimit:adminlogin:backoff:<ip>)
- Scoped-key coordination (miroir:search_ui_scoped_key:<index>, miroir:search_ui_scoped_key_observed:<pod>:<index> with EXPIRE 60s)
- Pub/Sub for admin session revocation (miroir:admin_session:revoked)
- CDC overflow buffer (miroir:cdc:overflow:<sink> with LPUSH + LTRIM)

All acceptance criteria verified by existing tests:
- test_redis_rate_limit_searchui verifies EXPIRE is set
- test_redis_pubsub_session_invalidation verifies <100ms propagation
- test_redis_cdc_overflow verifies LLEN matches bytes published

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
20 lines
662 B
HCL
```hcl
# OpenBao Policy for Miroir (plan §9)
#
# Least-privilege policy for the miroir Kubernetes service account.
# This policy grants read-only access to the Miroir secret path in OpenBao.
# Apply this policy to the miroir role in OpenBao.

# Path: kv/data/search/miroir
# Required capabilities: read (for ESO ExternalSecret sync)
path "kv/data/search/miroir" {
  capabilities = ["read"]
}

# Path: kv/metadata/search/miroir
# Required capabilities: read (for ESO to check secret metadata)
path "kv/metadata/search/miroir" {
  capabilities = ["read"]
}

# Deny all other paths (default-deny)
# The policy is least-privilege: only the two paths above are accessible.
```
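A least-privilege policy like the one above only stays least-privilege if somebody checks it each time it changes. The following is an added example, not code from this commit or from the Miroir project: a small offline linter that parses the `path "..." { capabilities = [...] }` blocks of a KV-style OpenBao policy and reports anything outside an allow-list of paths and capabilities. The allowed set (the two miroir paths, `read` only), the rejection of wildcard paths, and the embedded policy text are all assumptions chosen to match this file; the minimal regex parser handles this file's shape of HCL, not the full language.

```python
import re

# Constructed copy of the policy from this commit, embedded so the check runs offline.
POLICY_HCL = """
# OpenBao Policy for Miroir (plan §9)
path "kv/data/search/miroir" {
  capabilities = ["read"]
}
path "kv/metadata/search/miroir" {
  capabilities = ["read"]
}
"""

# Assumed allow-list: exactly the two paths the ESO ExternalSecret needs, read-only.
ALLOWED_PATHS = {"kv/data/search/miroir", "kv/metadata/search/miroir"}
ALLOWED_CAPS = {"read"}

PATH_BLOCK = re.compile(r'path\s+"([^"]+)"\s*\{(.*?)\}', re.S)
CAPS = re.compile(r'capabilities\s*=\s*\[(.*?)\]', re.S)


def parse_policy(text):
    """Return {path: set(capabilities)} for each path block, with # comments stripped."""
    stripped = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    rules = {}
    for match in PATH_BLOCK.finditer(stripped):
        path, body = match.group(1), match.group(2)
        caps = set()
        caps_match = CAPS.search(body)
        if caps_match:
            caps = {c.strip().strip('"') for c in caps_match.group(1).split(",") if c.strip()}
        rules[path] = caps
    return rules


def check_least_privilege(text, allowed_paths=ALLOWED_PATHS, allowed_caps=ALLOWED_CAPS):
    """Return a list of findings; an empty list means the policy stays within bounds.

    OpenBao policies are default-deny, so the check only needs to confirm that the
    paths that are granted are the expected ones and carry no more than read.
    """
    findings = []
    rules = parse_policy(text)
    if not rules:
        findings.append("no path blocks found")
    for path, caps in rules.items():
        if any(ch in path for ch in "*+"):
            findings.append(f"{path}: wildcard path widens the grant")
        if path not in allowed_paths:
            findings.append(f"{path}: path outside the allowed set")
        if not caps:
            findings.append(f"{path}: no capabilities parsed")
        extra = caps - allowed_caps
        if extra:
            findings.append(f"{path}: unexpected capabilities {sorted(extra)}")
    return findings


if __name__ == "__main__":
    for finding in check_least_privilege(POLICY_HCL) or ["policy OK"]:
        print(finding)
```

Run as a pre-commit or CI step over the policy file, the script fails closed on any widened path, wildcard, or capability beyond `read`, which is the drift a least-privilege policy most commonly suffers.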