Draft CCR-2026-0005 for reuse-surface runtime secrets lane
RAILIANCE-WP-0011-T01: propose OpenBao path platform/workloads/reuse/reuse-surface/runtime-secrets with REUSE_SURFACE_TOKEN and REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET, matching read policy, and metadata review for Railiance01 interim ESO delivery.
This commit is contained in:
parent
a9a6aed233
commit
3719c4dec0
3 changed files with 142 additions and 4 deletions
|
|
@ -0,0 +1,119 @@
|
|||
id: CCR-2026-0005
|
||||
kind: credential-change-request
|
||||
schema_version: 1
|
||||
request_type: workload-kv-read
|
||||
title: reuse-surface runtime secrets lane
|
||||
status: proposed
|
||||
created: '2026-07-07'
|
||||
updated: '2026-07-07'
|
||||
requester:
|
||||
agent: grok
|
||||
reason: Promote reuse-surface hub runtime secrets from bootstrap Kubernetes Secret
|
||||
custody to OpenBao workload KV per RAILIANCE-WP-0011-T01.
|
||||
review:
|
||||
required: true
|
||||
required_approvers:
|
||||
- platform-operator
|
||||
- reuse-surface-owner
|
||||
comments:
|
||||
- at: '2026-07-07T20:15:00+00:00'
|
||||
reviewer: codex
|
||||
decision: metadata_review_binding_confirmed_pending_owner_approval
|
||||
comment: 'Live Railiance01 metadata on 2026-07-07 confirms namespace reuse exists;
|
||||
Deployment reuse-surface consumes envFrom secretRef reuse-surface-env (default
|
||||
service account). Secret reuse-surface-env holds REUSE_SURFACE_TOKEN and
|
||||
REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET. External Secrets operator service account
|
||||
external-secrets/external-secrets exists. No ExternalSecret in reuse yet;
|
||||
ClusterSecretStore openbao-forgejo is the interim reference pattern on this
|
||||
cluster (token auth to https://bao.coulomb.social). Proposed Railiance01
|
||||
interim delivery mirrors forgejo-mailer: periodic OpenBao token with policy
|
||||
workload-kv-read-reuse-surface-runtime stored in
|
||||
external-secrets/openbao-reuse-eso-token, ClusterSecretStore openbao-reuse
|
||||
namespace-limited to reuse, ExternalSecret reuse/reuse-surface-runtime targeting
|
||||
Secret reuse-surface-env. Forgejo org webhook id=1 on coulomb is live and must
|
||||
stay aligned with REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET on rotation. Keep CCR
|
||||
status proposed until platform-operator and reuse-surface-owner approval.'
|
||||
target:
|
||||
domain: financials
|
||||
tenant: reuse
|
||||
workload: reuse-surface
|
||||
environment: production
|
||||
purpose: reuse-surface federation hub runtime secrets through OpenBao workload KV
|
||||
and External Secrets
|
||||
openbao:
|
||||
mount: platform
|
||||
kv_path: platform/workloads/reuse/reuse-surface/runtime-secrets
|
||||
fields:
|
||||
- REUSE_SURFACE_TOKEN
|
||||
- REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET
|
||||
policy_name: workload-kv-read-reuse-surface-runtime
|
||||
policy_file: openbao/policies/workload-kv-read-reuse-surface-runtime.hcl
|
||||
auth:
|
||||
method: kubernetes
|
||||
mount: kubernetes
|
||||
role: external-secrets-reuse-surface
|
||||
bound_claims:
|
||||
service_account_names:
|
||||
- external-secrets
|
||||
service_account_namespaces:
|
||||
- external-secrets
|
||||
bound_claims_confirmed: true
|
||||
policies:
|
||||
- workload-kv-read-reuse-surface-runtime
|
||||
ttl: 15m
|
||||
access_frontdoor:
|
||||
type: ops-warden
|
||||
catalog_id: reuse-surface-hub-write-token
|
||||
selector: reuse-surface federation hub write bearer token
|
||||
command: warden access reuse-surface-hub-write-token --fetch REUSE_SURFACE_TOKEN
|
||||
resolvable: false
|
||||
readiness: pending-review
|
||||
delivery:
|
||||
surface: external-secrets
|
||||
target: ExternalSecret reuse/reuse-surface-runtime -> Secret reuse-surface-env in
|
||||
the reuse namespace on Railiance01; interim ClusterSecretStore openbao-reuse
|
||||
(token auth to coulombcore OpenBao, namespace-limited to reuse) until
|
||||
railiance01-local OpenBao Wave 7 bootstrap
|
||||
risk:
|
||||
classification: high
|
||||
notes:
|
||||
- REUSE_SURFACE_TOKEN grants authenticated writes to the production federation hub
|
||||
at https://reuse.coulomb.social.
|
||||
- REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET is a dual-consumer HMAC — the hub pod and
|
||||
the Forgejo org webhook must share the same value; rotation requires
|
||||
railiance-apps make reuse-forgejo-webhook after ESO sync.
|
||||
- Railiance01 interim delivery uses a policy-limited periodic OpenBao token in
|
||||
external-secrets/openbao-reuse-eso-token, mirroring the forgejo-mailer lane —
|
||||
not the kubernetes auth role until coulombcore kubernetes auth covers this
|
||||
cluster or railiance01 OpenBao is bootstrapped.
|
||||
- ops-warden must proxy reads as the caller and must not retain token values.
|
||||
verification:
|
||||
positive:
|
||||
- ExternalSecret reuse/reuse-surface-runtime is Ready=True and syncs both fields
|
||||
to Secret reuse-surface-env without printing values.
|
||||
- reuse-surface Deployment rolls cleanly and hub write plus signed webhook POST
|
||||
succeed after migration.
|
||||
negative:
|
||||
- A namespace outside the approved ClusterSecretStore condition cannot use
|
||||
openbao-reuse to read the path.
|
||||
- A periodic token without workload-kv-read-reuse-surface-runtime cannot read
|
||||
the KV path.
|
||||
activation_conditions:
|
||||
- Policy applied on coulombcore OpenBao with platform-admin/operator authority.
|
||||
- Secret values seeded from the existing reuse-surface-env cluster Secret through
|
||||
approved operator custody (values never logged).
|
||||
- Railiance01 ClusterSecretStore openbao-reuse and ExternalSecret deployed.
|
||||
- Positive and negative verification recorded with non-secret audit ids or
|
||||
timestamps.
|
||||
- ops-warden catalog handoff migrated from kubectl to bao kv get (RAILIANCE-WP-0011-T03).
|
||||
lifecycle:
|
||||
deactivate: Disable ops-warden catalog entry, remove ExternalSecret, and detach
|
||||
auth role policy; delete materialized reuse-surface-env only after confirming
|
||||
workload decommission or break-glass fallback.
|
||||
rotate: Replace field values directly in OpenBao, wait for ESO refresh, rollout
|
||||
reuse-surface, then run make reuse-forgejo-webhook when rotating the webhook HMAC.
|
||||
compromised: Immediately deactivate access front door, rotate both fields, re-sync
|
||||
Forgejo org webhook, record blast-radius notes, and open incident follow-up tasks.
|
||||
state_hub:
|
||||
workplan_id: RAILIANCE-WP-0011
|
||||
task_id: RAILIANCE-WP-0011-T01
|
||||
Loading…
Add table
Add a link
Reference in a new issue