fix: [nomad-step-5] S5.1 — nomad/jobs/edge.hcl (Caddy + dispatcher sidecar) (#988)

2026-04-18 06:47:35 +00:00 · 2026-04-18 06:47:35 +00:00 · 72aecff8d8
commit 72aecff8d8
parent 84d63d49b5
3 changed files with 225 additions and 3 deletions
--- a/vault/policies/service-dispatcher.hcl
+++ b/vault/policies/service-dispatcher.hcl
@ -0,0 +1,29 @@
+# vault/policies/service-dispatcher.hcl
+#
+# Edge dispatcher policy: needs to enumerate the runner secret namespace
+# (to check secret presence before dispatching) and read the shared
+# ops-repo credentials (token + clone URL) it uses to fetch action TOMLs.
+#
+# Scope:
+#   - kv/disinto/runner/*       — read all per-secret values + list keys
+#   - kv/disinto/shared/ops-repo/* — read the ops-repo creds bundle
+#
+# The actual ephemeral runner container created per dispatch gets the
+# narrow runner-<NAME> policies, NOT this one. This policy stays bound
+# to the long-running dispatcher only.
+
+path "kv/data/disinto/runner/*" {
+  capabilities = ["read"]
+}
+
+path "kv/metadata/disinto/runner/*" {
+  capabilities = ["list", "read"]
+}
+
+path "kv/data/disinto/shared/ops-repo" {
+  capabilities = ["read"]
+}
+
+path "kv/metadata/disinto/shared/ops-repo" {
+  capabilities = ["list", "read"]
+}
--- a/vault/roles.yaml
+++ b/vault/roles.yaml
@ -121,10 +121,10 @@ roles:
    job_id:    bot-vault

  # ── Edge dispatcher ────────────────────────────────────────────────────────
-  - name:      dispatcher
-    policy:    dispatcher
+  - name:      service-dispatcher
+    policy:    service-dispatcher
    namespace: default
-    job_id:    dispatcher
+    job_id:    edge

  # ── Per-secret runner roles ────────────────────────────────────────────────
  # vault-runner (Step 5) composes runner-<NAME> policies onto each