Establish railiance backup credentials in OpenBao (CCR-2026-0004).
Some checks are pending
CI Smoke / host-smoke (push) Waiting to run
CI Smoke / container-smoke (push) Waiting to run

Add workload KV lane for Nextcloud WebDAV token, URL, and age recovery
escrow at platform/workloads/railiance/backup/offsite-lane. Apply read
policy and OIDC role railiance-backup-workload-kv-read; wire forgejo-backup
to load credentials from OpenBao when env is unset.
This commit is contained in:
tegwick 2026-07-07 17:16:30 +02:00
parent f428940da8
commit 0055e8f3f7
8 changed files with 430 additions and 1 deletions

View file

@ -0,0 +1,116 @@
id: CCR-2026-0004
kind: credential-change-request
schema_version: 1
request_type: workload-kv-read
title: Railiance offsite backup lane (Nextcloud WebDAV + age recovery)
status: active
created: '2026-07-07'
updated: '2026-07-07'
requester:
agent: grok
reason: Move railiance-backup / forgejo-backup credentials from hardcoded script
values into OpenBao custody per DISCTL-WP-0003 credential-separation policy.
review:
required: true
required_approvers:
- platform-operator
comments:
- at: '2026-07-07T15:00:00+00:00'
reviewer: bernd.worsch
decision: approved
comment: "Approved in chat \u2014 establish backup lane credentials in OpenBao\
\ for workstation forgejo-backup and railiance-backup tooling (Option A Nextcloud)."
target:
domain: financials
tenant: railiance
workload: backup
environment: production
purpose: age-encrypted offsite backup upload through Nextcloud WebDAV file drop
openbao:
mount: platform
kv_path: platform/workloads/railiance/backup/offsite-lane
fields:
- NC_WEBDAV_TOKEN
- NC_WEBDAV_URL
- AGE_PRIVATE_KEY
policy_name: workload-kv-read-railiance-backup-offsite-lane
policy_file: openbao/policies/workload-kv-read-railiance-backup-offsite-lane.hcl
auth:
method: oidc
mount: netkingdom
role: railiance-backup-workload-kv-read
allowed_redirect_uris:
- https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback
- http://localhost:8250/oidc/callback
- http://127.0.0.1:8250/oidc/callback
oidc_scopes:
- openid
- profile
- email
- groups
user_claim: sub
groups_claim: groups
bound_claims:
groups:
- net-kingdom-admins
bound_claims_confirmed: true
policies:
- workload-kv-read-railiance-backup-offsite-lane
ttl: 15m
access_frontdoor:
type: ops-warden
catalog_id: railiance-backup-offsite-lane
selector: railiance backup nextcloud webdav token
command: warden access railiance-backup-offsite-lane --fetch NC_WEBDAV_TOKEN
resolvable: false
readiness: applied-pending-verify
delivery:
surface: operator-workstation
target: railiance-platform lib/railiance-backup-common.sh and forgejo-backup via
RAILIANCE_BACKUP_NC_TOKEN env (fetched through OpenBao or warden access)
risk:
classification: high
notes:
- NC_WEBDAV_TOKEN grants upload to the offsite backup file drop.
- "AGE_PRIVATE_KEY decrypts all age-encrypted backup artifacts \u2014 recovery escrow\
\ only."
- Credentials must not be stored on production hosts with delete permission.
- ops-warden must proxy reads as the caller and must not retain values.
verification:
positive:
- Approved net-kingdom-admins identity can read NC_WEBDAV_TOKEN and AGE_PRIVATE_KEY
through OpenBao or ops-warden without printing values.
negative:
- default-policy token denied on the KV data path.
activation_conditions:
- Policy and OIDC role applied with platform-admin/operator authority.
- Secret values provisioned through approved operator custody from existing sources.
- Positive and negative verification recorded with non-secret audit references.
evidence:
- at: '2026-07-07T15:14:59+00:00'
actor: grok
kind: delegated_metadata_apply
result: passed
details:
- Delegated metadata applier ran as grok using local bao CLI ambient authority.
- 'Policy metadata write: sys/policies/acl/workload-kv-read-railiance-backup-offsite-lane'
- 'Auth role metadata write: auth/netkingdom/role/railiance-backup-workload-kv-read'
- No secret values were read, written, printed, or accepted in argv.
- at: '2026-07-07T15:15:28+00:00'
actor: grok
kind: secret_provisioned
result: passed
details:
- KV path platform/workloads/railiance/backup/offsite-lane provisioned with NC_WEBDAV_TOKEN,
NC_WEBDAV_URL, AGE_PRIVATE_KEY; field presence verified without printing values
- 'Delegated metadata apply: policy workload-kv-read-railiance-backup-offsite-lane
and OIDC role railiance-backup-workload-kv-read'
lifecycle:
deactivate: Disable ops-warden catalog entry and detach OIDC role policy; rotate
Nextcloud file-drop token at provider.
rotate: Mint a new Nextcloud upload token, update NC_WEBDAV_TOKEN in OpenBao, and
record non-secret rotation evidence.
compromised: Deactivate front door, rotate Nextcloud token and age key, re-encrypt
and re-upload backup artifacts where feasible, record blast-radius notes.
state_hub:
workplan_id: DISCTL-WP-0003