Add reuse-surface secrets rotation runbook (RAILIANCE-WP-0011-T04)
Document OpenBao patch, ESO force-sync, hub rollout, and Forgejo webhook reconcile; extend credential-lane lifecycle for CCR-2026-0005; finish workplan.
This commit is contained in:
parent
274b631019
commit
839a4418a9
4 changed files with 185 additions and 12 deletions
|
|
@ -1,13 +1,13 @@
|
|||
# Credential Lane Lifecycle Runbook
|
||||
|
||||
Status: active (RAILIANCE-WP-0009-T07 / RAILIANCE-WP-0010-T07)
|
||||
Date: 2026-07-02
|
||||
Status: active (RAILIANCE-WP-0009-T07 / RAILIANCE-WP-0010-T07 / RAILIANCE-WP-0011-T04)
|
||||
Date: 2026-07-07
|
||||
|
||||
Covers deactivation, rotation, and compromise response for the workload KV
|
||||
lanes established by `CCR-2026-0002` (issue-core) and `CCR-2026-0003`
|
||||
(llm-connect). The **canonical, always-current procedure** is generated from
|
||||
the CCR itself — this runbook adds only the lane-specific consumer facts the
|
||||
generator cannot know.
|
||||
lanes established by `CCR-2026-0002` (issue-core), `CCR-2026-0003`
|
||||
(llm-connect), and `CCR-2026-0005` (reuse-surface). The **canonical,
|
||||
always-current procedure** is generated from the CCR itself — this runbook adds
|
||||
only the lane-specific consumer facts the generator cannot know.
|
||||
|
||||
```bash
|
||||
scripts/credential-change.py lifecycle-plan <CCR-ID> --action {deactivate|rotate|compromise}
|
||||
|
|
@ -76,6 +76,33 @@ secret value ever appears in Git, State Hub, chat, prompts, or shell history.
|
|||
or immediately after disabling the front door; OpenBao custody actions
|
||||
alone do not stop a leaked provider key from working.
|
||||
|
||||
## Lane: reuse-surface hub runtime secrets (`CCR-2026-0005`)
|
||||
|
||||
| Item | Value |
|
||||
| --- | --- |
|
||||
| KV path | `platform/workloads/reuse/reuse-surface/runtime-secrets` |
|
||||
| Fields | `REUSE_SURFACE_TOKEN`, `REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET` |
|
||||
| Policy / auth role | `workload-kv-read-reuse-surface-runtime` / `auth/kubernetes/role/external-secrets-reuse-surface` |
|
||||
| Primary consumer | ExternalSecret `reuse/reuse-surface-runtime` → `reuse-surface-env` (Railiance01, 1h refresh) |
|
||||
| ops-warden catalog | `reuse-surface-hub-write-token` |
|
||||
| Rotation runbook | `docs/reuse-surface-runtime-secrets-rotation-runbook.md` |
|
||||
|
||||
**Consumer facts the generated plan does not cover:**
|
||||
|
||||
- The hub Deployment uses `envFrom.secretRef`; rotated values reach the pod only
|
||||
after ESO refresh **and** `kubectl rollout restart deployment/reuse-surface -n reuse`.
|
||||
- **`REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET` is dual-consumer**: the hub pod and the
|
||||
Forgejo org webhook on `coulomb` must share the same HMAC. After rotating that
|
||||
field, run `railiance-apps` `make reuse-forgejo-webhook` once ESO has synced —
|
||||
otherwise Forgejo deliveries fail with 401 while the hub still expects the new
|
||||
value (or vice versa if order is reversed).
|
||||
- Deactivating the policy/role stops ESO refresh, but `secret/reuse-surface-env`
|
||||
retains the last materialized value until explicitly deleted.
|
||||
- Steady-state operator fetch is `bao kv get` / `warden access`; kubectl read of
|
||||
`reuse-surface-env` is break-glass only.
|
||||
|
||||
**Smoke after rotate:** `make -C ~/railiance-apps reuse-webhook-smoke`
|
||||
|
||||
## Verification after rotate
|
||||
|
||||
Return the lane to `active` only with fresh positive + negative evidence,
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue