117 lines
4.4 KiB
YAML
117 lines
4.4 KiB
YAML
|
|
id: CCR-2026-0004
|
||
|
|
kind: credential-change-request
|
||
|
|
schema_version: 1
|
||
|
|
request_type: workload-kv-read
|
||
|
|
title: Railiance offsite backup lane (Nextcloud WebDAV + age recovery)
|
||
|
|
status: active
|
||
|
|
created: '2026-07-07'
|
||
|
|
updated: '2026-07-07'
|
||
|
|
requester:
|
||
|
|
agent: grok
|
||
|
|
reason: Move railiance-backup / forgejo-backup credentials from hardcoded script
|
||
|
|
values into OpenBao custody per DISCTL-WP-0003 credential-separation policy.
|
||
|
|
review:
|
||
|
|
required: true
|
||
|
|
required_approvers:
|
||
|
|
- platform-operator
|
||
|
|
comments:
|
||
|
|
- at: '2026-07-07T15:00:00+00:00'
|
||
|
|
reviewer: bernd.worsch
|
||
|
|
decision: approved
|
||
|
|
comment: "Approved in chat \u2014 establish backup lane credentials in OpenBao\
|
||
|
|
\ for workstation forgejo-backup and railiance-backup tooling (Option A Nextcloud)."
|
||
|
|
target:
|
||
|
|
domain: financials
|
||
|
|
tenant: railiance
|
||
|
|
workload: backup
|
||
|
|
environment: production
|
||
|
|
purpose: age-encrypted offsite backup upload through Nextcloud WebDAV file drop
|
||
|
|
openbao:
|
||
|
|
mount: platform
|
||
|
|
kv_path: platform/workloads/railiance/backup/offsite-lane
|
||
|
|
fields:
|
||
|
|
- NC_WEBDAV_TOKEN
|
||
|
|
- NC_WEBDAV_URL
|
||
|
|
- AGE_PRIVATE_KEY
|
||
|
|
policy_name: workload-kv-read-railiance-backup-offsite-lane
|
||
|
|
policy_file: openbao/policies/workload-kv-read-railiance-backup-offsite-lane.hcl
|
||
|
|
auth:
|
||
|
|
method: oidc
|
||
|
|
mount: netkingdom
|
||
|
|
role: railiance-backup-workload-kv-read
|
||
|
|
allowed_redirect_uris:
|
||
|
|
- https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback
|
||
|
|
- http://localhost:8250/oidc/callback
|
||
|
|
- http://127.0.0.1:8250/oidc/callback
|
||
|
|
oidc_scopes:
|
||
|
|
- openid
|
||
|
|
- profile
|
||
|
|
- email
|
||
|
|
- groups
|
||
|
|
user_claim: sub
|
||
|
|
groups_claim: groups
|
||
|
|
bound_claims:
|
||
|
|
groups:
|
||
|
|
- net-kingdom-admins
|
||
|
|
bound_claims_confirmed: true
|
||
|
|
policies:
|
||
|
|
- workload-kv-read-railiance-backup-offsite-lane
|
||
|
|
ttl: 15m
|
||
|
|
access_frontdoor:
|
||
|
|
type: ops-warden
|
||
|
|
catalog_id: railiance-backup-offsite-lane
|
||
|
|
selector: railiance backup nextcloud webdav token
|
||
|
|
command: warden access railiance-backup-offsite-lane --fetch NC_WEBDAV_TOKEN
|
||
|
|
resolvable: false
|
||
|
|
readiness: applied-pending-verify
|
||
|
|
delivery:
|
||
|
|
surface: operator-workstation
|
||
|
|
target: railiance-platform lib/railiance-backup-common.sh and forgejo-backup via
|
||
|
|
RAILIANCE_BACKUP_NC_TOKEN env (fetched through OpenBao or warden access)
|
||
|
|
risk:
|
||
|
|
classification: high
|
||
|
|
notes:
|
||
|
|
- NC_WEBDAV_TOKEN grants upload to the offsite backup file drop.
|
||
|
|
- "AGE_PRIVATE_KEY decrypts all age-encrypted backup artifacts \u2014 recovery escrow\
|
||
|
|
\ only."
|
||
|
|
- Credentials must not be stored on production hosts with delete permission.
|
||
|
|
- ops-warden must proxy reads as the caller and must not retain values.
|
||
|
|
verification:
|
||
|
|
positive:
|
||
|
|
- Approved net-kingdom-admins identity can read NC_WEBDAV_TOKEN and AGE_PRIVATE_KEY
|
||
|
|
through OpenBao or ops-warden without printing values.
|
||
|
|
negative:
|
||
|
|
- default-policy token denied on the KV data path.
|
||
|
|
activation_conditions:
|
||
|
|
- Policy and OIDC role applied with platform-admin/operator authority.
|
||
|
|
- Secret values provisioned through approved operator custody from existing sources.
|
||
|
|
- Positive and negative verification recorded with non-secret audit references.
|
||
|
|
evidence:
|
||
|
|
- at: '2026-07-07T15:14:59+00:00'
|
||
|
|
actor: grok
|
||
|
|
kind: delegated_metadata_apply
|
||
|
|
result: passed
|
||
|
|
details:
|
||
|
|
- Delegated metadata applier ran as grok using local bao CLI ambient authority.
|
||
|
|
- 'Policy metadata write: sys/policies/acl/workload-kv-read-railiance-backup-offsite-lane'
|
||
|
|
- 'Auth role metadata write: auth/netkingdom/role/railiance-backup-workload-kv-read'
|
||
|
|
- No secret values were read, written, printed, or accepted in argv.
|
||
|
|
- at: '2026-07-07T15:15:28+00:00'
|
||
|
|
actor: grok
|
||
|
|
kind: secret_provisioned
|
||
|
|
result: passed
|
||
|
|
details:
|
||
|
|
- KV path platform/workloads/railiance/backup/offsite-lane provisioned with NC_WEBDAV_TOKEN,
|
||
|
|
NC_WEBDAV_URL, AGE_PRIVATE_KEY; field presence verified without printing values
|
||
|
|
- 'Delegated metadata apply: policy workload-kv-read-railiance-backup-offsite-lane
|
||
|
|
and OIDC role railiance-backup-workload-kv-read'
|
||
|
|
lifecycle:
|
||
|
|
deactivate: Disable ops-warden catalog entry and detach OIDC role policy; rotate
|
||
|
|
Nextcloud file-drop token at provider.
|
||
|
|
rotate: Mint a new Nextcloud upload token, update NC_WEBDAV_TOKEN in OpenBao, and
|
||
|
|
record non-secret rotation evidence.
|
||
|
|
compromised: Deactivate front door, rotate Nextcloud token and age key, re-encrypt
|
||
|
|
and re-upload backup artifacts where feasible, record blast-radius notes.
|
||
|
|
state_hub:
|
||
|
|
workplan_id: DISCTL-WP-0003
|