2026-07-07 22:21:31 +02:00
|
|
|
id: CCR-2026-0005
|
|
|
|
|
kind: credential-change-request
|
|
|
|
|
schema_version: 1
|
|
|
|
|
request_type: workload-kv-read
|
|
|
|
|
title: reuse-surface runtime secrets lane
|
2026-07-07 22:38:45 +02:00
|
|
|
status: active
|
2026-07-07 22:21:31 +02:00
|
|
|
created: '2026-07-07'
|
|
|
|
|
updated: '2026-07-07'
|
|
|
|
|
requester:
|
|
|
|
|
agent: grok
|
|
|
|
|
reason: Promote reuse-surface hub runtime secrets from bootstrap Kubernetes Secret
|
|
|
|
|
custody to OpenBao workload KV per RAILIANCE-WP-0011-T01.
|
|
|
|
|
review:
|
|
|
|
|
required: true
|
|
|
|
|
required_approvers:
|
|
|
|
|
- platform-operator
|
|
|
|
|
- reuse-surface-owner
|
|
|
|
|
comments:
|
|
|
|
|
- at: '2026-07-07T20:15:00+00:00'
|
|
|
|
|
reviewer: codex
|
|
|
|
|
decision: metadata_review_binding_confirmed_pending_owner_approval
|
|
|
|
|
comment: 'Live Railiance01 metadata on 2026-07-07 confirms namespace reuse exists;
|
|
|
|
|
Deployment reuse-surface consumes envFrom secretRef reuse-surface-env (default
|
2026-07-07 22:34:34 +02:00
|
|
|
service account). Secret reuse-surface-env holds REUSE_SURFACE_TOKEN and REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET.
|
|
|
|
|
External Secrets operator service account external-secrets/external-secrets
|
|
|
|
|
exists. No ExternalSecret in reuse yet; ClusterSecretStore openbao-forgejo is
|
|
|
|
|
the interim reference pattern on this cluster (token auth to https://bao.coulomb.social).
|
|
|
|
|
Proposed Railiance01 interim delivery mirrors forgejo-mailer: periodic OpenBao
|
|
|
|
|
token with policy workload-kv-read-reuse-surface-runtime stored in external-secrets/openbao-reuse-eso-token,
|
|
|
|
|
ClusterSecretStore openbao-reuse namespace-limited to reuse, ExternalSecret
|
|
|
|
|
reuse/reuse-surface-runtime targeting Secret reuse-surface-env. Forgejo org
|
|
|
|
|
webhook id=1 on coulomb is live and must stay aligned with REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET
|
|
|
|
|
on rotation. Keep CCR status proposed until platform-operator and reuse-surface-owner
|
|
|
|
|
approval.'
|
|
|
|
|
- at: '2026-07-07T20:31:05+00:00'
|
|
|
|
|
reviewer: bernd.worsch
|
|
|
|
|
decision: approved
|
|
|
|
|
comment: 'Approved in chat acting as platform-operator and reuse-surface-owner:
|
|
|
|
|
promote reuse-surface runtime secrets to OpenBao workload KV with Railiance01
|
|
|
|
|
interim ESO delivery per CCR-2026-0005.'
|
2026-07-07 22:21:31 +02:00
|
|
|
target:
|
|
|
|
|
domain: financials
|
|
|
|
|
tenant: reuse
|
|
|
|
|
workload: reuse-surface
|
|
|
|
|
environment: production
|
|
|
|
|
purpose: reuse-surface federation hub runtime secrets through OpenBao workload KV
|
|
|
|
|
and External Secrets
|
|
|
|
|
openbao:
|
|
|
|
|
mount: platform
|
|
|
|
|
kv_path: platform/workloads/reuse/reuse-surface/runtime-secrets
|
|
|
|
|
fields:
|
|
|
|
|
- REUSE_SURFACE_TOKEN
|
|
|
|
|
- REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET
|
|
|
|
|
policy_name: workload-kv-read-reuse-surface-runtime
|
|
|
|
|
policy_file: openbao/policies/workload-kv-read-reuse-surface-runtime.hcl
|
|
|
|
|
auth:
|
|
|
|
|
method: kubernetes
|
|
|
|
|
mount: kubernetes
|
|
|
|
|
role: external-secrets-reuse-surface
|
|
|
|
|
bound_claims:
|
|
|
|
|
service_account_names:
|
|
|
|
|
- external-secrets
|
|
|
|
|
service_account_namespaces:
|
|
|
|
|
- external-secrets
|
|
|
|
|
bound_claims_confirmed: true
|
|
|
|
|
policies:
|
|
|
|
|
- workload-kv-read-reuse-surface-runtime
|
|
|
|
|
ttl: 15m
|
|
|
|
|
access_frontdoor:
|
|
|
|
|
type: ops-warden
|
|
|
|
|
catalog_id: reuse-surface-hub-write-token
|
|
|
|
|
selector: reuse-surface federation hub write bearer token
|
|
|
|
|
command: warden access reuse-surface-hub-write-token --fetch REUSE_SURFACE_TOKEN
|
2026-07-07 22:38:45 +02:00
|
|
|
resolvable: true
|
|
|
|
|
readiness: ready
|
|
|
|
|
activation: verified-positive-and-negative-access-frontdoor-active-2026-07-07
|
2026-07-07 22:21:31 +02:00
|
|
|
delivery:
|
|
|
|
|
surface: external-secrets
|
|
|
|
|
target: ExternalSecret reuse/reuse-surface-runtime -> Secret reuse-surface-env in
|
2026-07-07 22:34:34 +02:00
|
|
|
the reuse namespace on Railiance01; interim ClusterSecretStore openbao-reuse (token
|
|
|
|
|
auth to coulombcore OpenBao, namespace-limited to reuse) until railiance01-local
|
|
|
|
|
OpenBao Wave 7 bootstrap
|
2026-07-07 22:21:31 +02:00
|
|
|
risk:
|
|
|
|
|
classification: high
|
|
|
|
|
notes:
|
|
|
|
|
- REUSE_SURFACE_TOKEN grants authenticated writes to the production federation hub
|
|
|
|
|
at https://reuse.coulomb.social.
|
2026-07-07 22:34:34 +02:00
|
|
|
- "REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET is a dual-consumer HMAC \u2014 the hub pod\
|
|
|
|
|
\ and the Forgejo org webhook must share the same value; rotation requires railiance-apps\
|
|
|
|
|
\ make reuse-forgejo-webhook after ESO sync."
|
|
|
|
|
- "Railiance01 interim delivery uses a policy-limited periodic OpenBao token in\
|
|
|
|
|
\ external-secrets/openbao-reuse-eso-token, mirroring the forgejo-mailer lane\
|
|
|
|
|
\ \u2014 not the kubernetes auth role until coulombcore kubernetes auth covers\
|
|
|
|
|
\ this cluster or railiance01 OpenBao is bootstrapped."
|
2026-07-07 22:21:31 +02:00
|
|
|
- ops-warden must proxy reads as the caller and must not retain token values.
|
|
|
|
|
verification:
|
|
|
|
|
positive:
|
|
|
|
|
- ExternalSecret reuse/reuse-surface-runtime is Ready=True and syncs both fields
|
|
|
|
|
to Secret reuse-surface-env without printing values.
|
|
|
|
|
- reuse-surface Deployment rolls cleanly and hub write plus signed webhook POST
|
|
|
|
|
succeed after migration.
|
|
|
|
|
negative:
|
2026-07-07 22:34:34 +02:00
|
|
|
- A namespace outside the approved ClusterSecretStore condition cannot use openbao-reuse
|
|
|
|
|
to read the path.
|
|
|
|
|
- A periodic token without workload-kv-read-reuse-surface-runtime cannot read the
|
|
|
|
|
KV path.
|
2026-07-07 22:21:31 +02:00
|
|
|
activation_conditions:
|
|
|
|
|
- Policy applied on coulombcore OpenBao with platform-admin/operator authority.
|
|
|
|
|
- Secret values seeded from the existing reuse-surface-env cluster Secret through
|
|
|
|
|
approved operator custody (values never logged).
|
|
|
|
|
- Railiance01 ClusterSecretStore openbao-reuse and ExternalSecret deployed.
|
2026-07-07 22:34:34 +02:00
|
|
|
- Positive and negative verification recorded with non-secret audit ids or timestamps.
|
2026-07-07 22:21:31 +02:00
|
|
|
- ops-warden catalog handoff migrated from kubectl to bao kv get (RAILIANCE-WP-0011-T03).
|
2026-07-07 22:34:34 +02:00
|
|
|
evidence:
|
|
|
|
|
- at: '2026-07-07T20:31:17+00:00'
|
|
|
|
|
actor: bernd.worsch
|
|
|
|
|
kind: delegated_metadata_apply
|
|
|
|
|
result: passed
|
|
|
|
|
details:
|
|
|
|
|
- Delegated metadata applier ran as bernd.worsch using local bao CLI ambient authority.
|
|
|
|
|
- 'Policy metadata write: sys/policies/acl/workload-kv-read-reuse-surface-runtime'
|
|
|
|
|
- 'Auth role metadata write: auth/kubernetes/role/external-secrets-reuse-surface'
|
|
|
|
|
- No secret values were read, written, printed, or accepted in argv.
|
|
|
|
|
- at: '2026-07-07T20:33:52+00:00'
|
|
|
|
|
actor: bernd.worsch
|
|
|
|
|
kind: secret_provisioned
|
|
|
|
|
result: passed
|
|
|
|
|
details:
|
|
|
|
|
- Seeded platform/workloads/reuse/reuse-surface/runtime-secrets from live reuse/reuse-surface-env;
|
|
|
|
|
field presence confirmed without printing values (KV version 1)
|
|
|
|
|
- at: '2026-07-07T20:33:54+00:00'
|
|
|
|
|
actor: bernd.worsch
|
|
|
|
|
kind: positive_verification
|
|
|
|
|
result: passed
|
|
|
|
|
details:
|
|
|
|
|
- ExternalSecret reuse/reuse-surface-runtime Ready=True SecretSynced 2026-07-07T20:33:17Z;
|
|
|
|
|
hub /v1/federated 200 (61 capabilities); signed webhook POST 200
|
|
|
|
|
- at: '2026-07-07T20:33:55+00:00'
|
|
|
|
|
actor: bernd.worsch
|
|
|
|
|
kind: negative_verification
|
|
|
|
|
result: passed
|
|
|
|
|
details:
|
|
|
|
|
- default-policy OpenBao token denied on platform/workloads/reuse/reuse-surface/runtime-secrets
|
|
|
|
|
(HTTP permission denied)
|
2026-07-07 22:38:45 +02:00
|
|
|
- at: '2026-07-07T20:38:32+00:00'
|
|
|
|
|
actor: bernd.worsch
|
|
|
|
|
kind: frontdoor_activation
|
|
|
|
|
result: passed
|
|
|
|
|
details:
|
|
|
|
|
- ops-warden catalog reuse-surface-hub-write-token migrated to bao kv get handoff;
|
|
|
|
|
resolvable=true; playbook and workload-kv-access-lanes updated (RAILIANCE-WP-0011-T03)
|
2026-07-07 22:21:31 +02:00
|
|
|
lifecycle:
|
|
|
|
|
deactivate: Disable ops-warden catalog entry, remove ExternalSecret, and detach
|
|
|
|
|
auth role policy; delete materialized reuse-surface-env only after confirming
|
|
|
|
|
workload decommission or break-glass fallback.
|
|
|
|
|
rotate: Replace field values directly in OpenBao, wait for ESO refresh, rollout
|
|
|
|
|
reuse-surface, then run make reuse-forgejo-webhook when rotating the webhook HMAC.
|
|
|
|
|
compromised: Immediately deactivate access front door, rotate both fields, re-sync
|
|
|
|
|
Forgejo org webhook, record blast-radius notes, and open incident follow-up tasks.
|
|
|
|
|
state_hub:
|
|
|
|
|
workplan_id: RAILIANCE-WP-0011
|
2026-07-07 22:34:34 +02:00
|
|
|
task_id: RAILIANCE-WP-0011-T01
|