From 3719c4dec0457ba2bdab2bc7af95e2b4a843f6a2 Mon Sep 17 00:00:00 2001 From: tegwick Date: Tue, 7 Jul 2026 22:21:31 +0200 Subject: [PATCH] Draft CCR-2026-0005 for reuse-surface runtime secrets lane RAILIANCE-WP-0011-T01: propose OpenBao path platform/workloads/reuse/reuse-surface/runtime-secrets with REUSE_SURFACE_TOKEN and REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET, matching read policy, and metadata review for Railiance01 interim ESO delivery. --- ...05-reuse-surface-runtime-secrets-lane.yaml | 119 ++++++++++++++++++ ...workload-kv-read-reuse-surface-runtime.hcl | 7 ++ ...se-surface-runtime-secrets-openbao-lane.md | 20 ++- 3 files changed, 142 insertions(+), 4 deletions(-) create mode 100644 credential-change-requests/CCR-2026-0005-reuse-surface-runtime-secrets-lane.yaml create mode 100644 openbao/policies/workload-kv-read-reuse-surface-runtime.hcl diff --git a/credential-change-requests/CCR-2026-0005-reuse-surface-runtime-secrets-lane.yaml b/credential-change-requests/CCR-2026-0005-reuse-surface-runtime-secrets-lane.yaml new file mode 100644 index 0000000..ff422b9 --- /dev/null +++ b/credential-change-requests/CCR-2026-0005-reuse-surface-runtime-secrets-lane.yaml @@ -0,0 +1,119 @@ +id: CCR-2026-0005 +kind: credential-change-request +schema_version: 1 +request_type: workload-kv-read +title: reuse-surface runtime secrets lane +status: proposed +created: '2026-07-07' +updated: '2026-07-07' +requester: + agent: grok + reason: Promote reuse-surface hub runtime secrets from bootstrap Kubernetes Secret + custody to OpenBao workload KV per RAILIANCE-WP-0011-T01. +review: + required: true + required_approvers: + - platform-operator + - reuse-surface-owner + comments: + - at: '2026-07-07T20:15:00+00:00' + reviewer: codex + decision: metadata_review_binding_confirmed_pending_owner_approval + comment: 'Live Railiance01 metadata on 2026-07-07 confirms namespace reuse exists; + Deployment reuse-surface consumes envFrom secretRef reuse-surface-env (default + service account). Secret reuse-surface-env holds REUSE_SURFACE_TOKEN and + REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET. External Secrets operator service account + external-secrets/external-secrets exists. No ExternalSecret in reuse yet; + ClusterSecretStore openbao-forgejo is the interim reference pattern on this + cluster (token auth to https://bao.coulomb.social). Proposed Railiance01 + interim delivery mirrors forgejo-mailer: periodic OpenBao token with policy + workload-kv-read-reuse-surface-runtime stored in + external-secrets/openbao-reuse-eso-token, ClusterSecretStore openbao-reuse + namespace-limited to reuse, ExternalSecret reuse/reuse-surface-runtime targeting + Secret reuse-surface-env. Forgejo org webhook id=1 on coulomb is live and must + stay aligned with REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET on rotation. Keep CCR + status proposed until platform-operator and reuse-surface-owner approval.' +target: + domain: financials + tenant: reuse + workload: reuse-surface + environment: production + purpose: reuse-surface federation hub runtime secrets through OpenBao workload KV + and External Secrets +openbao: + mount: platform + kv_path: platform/workloads/reuse/reuse-surface/runtime-secrets + fields: + - REUSE_SURFACE_TOKEN + - REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET + policy_name: workload-kv-read-reuse-surface-runtime + policy_file: openbao/policies/workload-kv-read-reuse-surface-runtime.hcl + auth: + method: kubernetes + mount: kubernetes + role: external-secrets-reuse-surface + bound_claims: + service_account_names: + - external-secrets + service_account_namespaces: + - external-secrets + bound_claims_confirmed: true + policies: + - workload-kv-read-reuse-surface-runtime + ttl: 15m +access_frontdoor: + type: ops-warden + catalog_id: reuse-surface-hub-write-token + selector: reuse-surface federation hub write bearer token + command: warden access reuse-surface-hub-write-token --fetch REUSE_SURFACE_TOKEN + resolvable: false + readiness: pending-review +delivery: + surface: external-secrets + target: ExternalSecret reuse/reuse-surface-runtime -> Secret reuse-surface-env in + the reuse namespace on Railiance01; interim ClusterSecretStore openbao-reuse + (token auth to coulombcore OpenBao, namespace-limited to reuse) until + railiance01-local OpenBao Wave 7 bootstrap +risk: + classification: high + notes: + - REUSE_SURFACE_TOKEN grants authenticated writes to the production federation hub + at https://reuse.coulomb.social. + - REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET is a dual-consumer HMAC — the hub pod and + the Forgejo org webhook must share the same value; rotation requires + railiance-apps make reuse-forgejo-webhook after ESO sync. + - Railiance01 interim delivery uses a policy-limited periodic OpenBao token in + external-secrets/openbao-reuse-eso-token, mirroring the forgejo-mailer lane — + not the kubernetes auth role until coulombcore kubernetes auth covers this + cluster or railiance01 OpenBao is bootstrapped. + - ops-warden must proxy reads as the caller and must not retain token values. +verification: + positive: + - ExternalSecret reuse/reuse-surface-runtime is Ready=True and syncs both fields + to Secret reuse-surface-env without printing values. + - reuse-surface Deployment rolls cleanly and hub write plus signed webhook POST + succeed after migration. + negative: + - A namespace outside the approved ClusterSecretStore condition cannot use + openbao-reuse to read the path. + - A periodic token without workload-kv-read-reuse-surface-runtime cannot read + the KV path. + activation_conditions: + - Policy applied on coulombcore OpenBao with platform-admin/operator authority. + - Secret values seeded from the existing reuse-surface-env cluster Secret through + approved operator custody (values never logged). + - Railiance01 ClusterSecretStore openbao-reuse and ExternalSecret deployed. + - Positive and negative verification recorded with non-secret audit ids or + timestamps. + - ops-warden catalog handoff migrated from kubectl to bao kv get (RAILIANCE-WP-0011-T03). +lifecycle: + deactivate: Disable ops-warden catalog entry, remove ExternalSecret, and detach + auth role policy; delete materialized reuse-surface-env only after confirming + workload decommission or break-glass fallback. + rotate: Replace field values directly in OpenBao, wait for ESO refresh, rollout + reuse-surface, then run make reuse-forgejo-webhook when rotating the webhook HMAC. + compromised: Immediately deactivate access front door, rotate both fields, re-sync + Forgejo org webhook, record blast-radius notes, and open incident follow-up tasks. +state_hub: + workplan_id: RAILIANCE-WP-0011 + task_id: RAILIANCE-WP-0011-T01 \ No newline at end of file diff --git a/openbao/policies/workload-kv-read-reuse-surface-runtime.hcl b/openbao/policies/workload-kv-read-reuse-surface-runtime.hcl new file mode 100644 index 0000000..1427c76 --- /dev/null +++ b/openbao/policies/workload-kv-read-reuse-surface-runtime.hcl @@ -0,0 +1,7 @@ +path "platform/data/workloads/reuse/reuse-surface/runtime-secrets" { + capabilities = ["read"] +} + +path "platform/metadata/workloads/reuse/reuse-surface/runtime-secrets" { + capabilities = ["read"] +} \ No newline at end of file diff --git a/workplans/RAILIANCE-WP-0011-reuse-surface-runtime-secrets-openbao-lane.md b/workplans/RAILIANCE-WP-0011-reuse-surface-runtime-secrets-openbao-lane.md index 3758962..72f16b8 100644 --- a/workplans/RAILIANCE-WP-0011-reuse-surface-runtime-secrets-openbao-lane.md +++ b/workplans/RAILIANCE-WP-0011-reuse-surface-runtime-secrets-openbao-lane.md @@ -4,7 +4,7 @@ type: workplan title: "reuse-surface Runtime Secrets OpenBao Lane" domain: financials repo: railiance-platform -status: backlog +status: active owner: codex topic_slug: railiance created: "2026-07-07" @@ -16,6 +16,7 @@ related_repos: - railiance-apps - reuse-surface - ops-warden +state_hub_workstream_id: "3f9fd8de-7235-4486-aaa7-634dba2bb6fa" --- # RAILIANCE-WP-0011 — reuse-surface Runtime Secrets OpenBao Lane @@ -44,6 +45,7 @@ chat, prompts, shell history, or workplan text. | Item | Proposed value | | --- | --- | +| CCR | `CCR-2026-0005` | | Tenant/org | `reuse` | | Workload | `reuse-surface` | | KV mount | `platform` | @@ -62,8 +64,9 @@ and keep `make reuse-forgejo-webhook` idempotent. ```task id: RAILIANCE-WP-0011-T01 -status: todo +status: done priority: medium +state_hub_task_id: "8a89c5a0-6ed5-4240-9ce1-1d529ac13b11" ``` - Draft CCR for the lane (path, fields, policy, k8s role, ESO target) @@ -71,15 +74,22 @@ priority: medium `docs/credential-lane-lifecycle-runbook.md` - Negative review: no secret values in CCR or workplan text +**2026-07-07:** Drafted `CCR-2026-0005` and policy +`openbao/policies/workload-kv-read-reuse-surface-runtime.hcl`. Metadata review +confirms Railiance01 `reuse/reuse-surface-env` (two fields), ESO operator SA, +and forgejo-style interim ClusterSecretStore delivery. CCR remains `proposed`; +T02 blocked on platform-operator and reuse-surface-owner approval. + ## Platform Apply And Verification ```task id: RAILIANCE-WP-0011-T02 -status: wait +status: todo priority: medium +state_hub_task_id: "69cf1728-8034-4309-b8ad-eb14184af6b6" ``` -Blocked on T01 approval. +Blocked on CCR-2026-0005 approval. - Apply OpenBao policy + Kubernetes auth role (mirror forgejo-mailer / issue-core scripts) - Seed path from existing cluster Secret (one-time operator step; value never logged) @@ -93,6 +103,7 @@ Blocked on T01 approval. id: RAILIANCE-WP-0011-T03 status: wait priority: low +state_hub_task_id: "52fc7baf-5257-44cd-ae2c-298ef7edbe96" ``` Blocked on T02 verification. @@ -109,6 +120,7 @@ Blocked on T02 verification. id: RAILIANCE-WP-0011-T04 status: wait priority: low +state_hub_task_id: "eafc4011-69cf-473f-842c-c58d6a2bece7" ``` Blocked on T02.