Add credential-change delegated applier flow
This commit is contained in:
parent
c626bfcf15
commit
a95236d2e5
21 changed files with 2705 additions and 119 deletions
|
|
@ -2,79 +2,104 @@ id: CCR-2026-0002
|
|||
kind: credential-change-request
|
||||
schema_version: 1
|
||||
request_type: workload-kv-read
|
||||
title: "issue-core runtime ingestion key lane"
|
||||
title: issue-core runtime ingestion key lane
|
||||
status: proposed
|
||||
created: "2026-06-27"
|
||||
updated: "2026-06-27"
|
||||
created: '2026-06-27'
|
||||
updated: '2026-06-30'
|
||||
requester:
|
||||
agent: ops-warden
|
||||
message_id: "fe5b1696-8956-4bd5-9d6f-dbde1901a076"
|
||||
reason: "Confirm and provision the issue-core workload KV lane requested in the ops-warden batch."
|
||||
message_id: fe5b1696-8956-4bd5-9d6f-dbde1901a076
|
||||
reason: Confirm and provision the issue-core workload KV lane requested in the ops-warden
|
||||
batch.
|
||||
review:
|
||||
required: true
|
||||
required_approvers:
|
||||
- platform-operator
|
||||
- issue-core-owner
|
||||
comments: []
|
||||
- platform-operator
|
||||
- issue-core-owner
|
||||
comments:
|
||||
- at: '2026-06-29T22:53:03+00:00'
|
||||
reviewer: codex
|
||||
decision: metadata_review_binding_confirmed
|
||||
comment: Live cluster metadata on 2026-06-30 confirms ExternalSecret issue-core/issue-core-runtime
|
||||
is Ready=True (SecretSynced) and maps ISSUE_CORE_API_KEY plus GITEA_BACKEND_TOKEN
|
||||
from platform/workloads/issue-core/issue-core/issue-core-runtime. The workload
|
||||
Deployment uses the default service account; OpenBao auth for this delivery
|
||||
path is the platform ClusterSecretStore/openbao role external-secrets-issue-core
|
||||
bound to service account external-secrets/external-secrets. Keep CCR status
|
||||
proposed until platform/operator and issue-core-owner approval.
|
||||
target:
|
||||
domain: financials
|
||||
tenant: issue-core
|
||||
workload: issue-core
|
||||
environment: production
|
||||
purpose: "issue-core runtime ingestion through OpenBao workload KV and External Secrets"
|
||||
purpose: issue-core runtime ingestion through OpenBao workload KV and External Secrets
|
||||
openbao:
|
||||
mount: platform
|
||||
kv_path: platform/workloads/issue-core/issue-core/issue-core-runtime
|
||||
fields:
|
||||
- ISSUE_CORE_API_KEY
|
||||
- GITEA_BACKEND_TOKEN
|
||||
- ISSUE_CORE_API_KEY
|
||||
- GITEA_BACKEND_TOKEN
|
||||
policy_name: workload-kv-read-issue-core-runtime
|
||||
policy_file: openbao/policies/workload-kv-read-issue-core-runtime.hcl
|
||||
auth:
|
||||
method: kubernetes
|
||||
mount: kubernetes
|
||||
role: issue-core-runtime-workload-kv-read
|
||||
role: external-secrets-issue-core
|
||||
bound_claims:
|
||||
service_account_names:
|
||||
- issue-core
|
||||
- external-secrets
|
||||
service_account_namespaces:
|
||||
- issue-core
|
||||
bound_claims_confirmed: false
|
||||
- external-secrets
|
||||
bound_claims_confirmed: true
|
||||
policies:
|
||||
- workload-kv-read-issue-core-runtime
|
||||
- workload-kv-read-issue-core-runtime
|
||||
ttl: 15m
|
||||
access_frontdoor:
|
||||
type: ops-warden
|
||||
catalog_id: issue-core-ingestion-api-key
|
||||
selector: "issue-core ingestion API key"
|
||||
command: "warden access issue-core-ingestion-api-key --fetch ISSUE_CORE_API_KEY"
|
||||
selector: issue-core ingestion API key
|
||||
command: warden access issue-core-ingestion-api-key --fetch ISSUE_CORE_API_KEY
|
||||
resolvable: false
|
||||
readiness: template
|
||||
activation: "draft-until-ccr-verified"
|
||||
activation: draft-until-ccr-verified
|
||||
delivery:
|
||||
surface: external-secrets
|
||||
target: "issue-core namespace"
|
||||
target: ExternalSecret issue-core/issue-core-runtime -> Secret issue-core-runtime
|
||||
in the issue-core namespace
|
||||
risk:
|
||||
classification: high
|
||||
notes:
|
||||
- "Grants read access to issue-core runtime ingestion credentials."
|
||||
- "GITEA_BACKEND_TOKEN is included because ops-warden asked to confirm whether it is used; remove it before approval if issue-core does not require it."
|
||||
- "The Kubernetes service account and namespace binding must be confirmed before apply."
|
||||
- "ops-warden must proxy reads as the caller and must not retain token values."
|
||||
- Grants read access to issue-core runtime ingestion credentials through the platform
|
||||
External Secrets path.
|
||||
- GITEA_BACKEND_TOKEN remains included because the live issue-core ExternalSecret
|
||||
maps it alongside ISSUE_CORE_API_KEY; remove it before approval only if the issue-core
|
||||
owner confirms it is no longer required.
|
||||
- The Kubernetes auth subject is the External Secrets operator service account external-secrets/external-secrets,
|
||||
with ClusterSecretStore usage limited to the issue-core namespace.
|
||||
- ops-warden must proxy reads as the caller and must not retain token values.
|
||||
verification:
|
||||
positive:
|
||||
- "Approved issue-core service account can read the configured fields through OpenBao or External Secrets without printing values."
|
||||
- ExternalSecret issue-core/issue-core-runtime is Ready=True and syncs the configured
|
||||
fields without printing values.
|
||||
- Approved issue-core runtime can consume the resulting Kubernetes Secret without
|
||||
exposing values.
|
||||
negative:
|
||||
- "A service account outside the approved issue-core binding cannot read the path."
|
||||
- A namespace outside the approved ClusterSecretStore condition cannot use this
|
||||
store to read the path.
|
||||
- A service account outside external-secrets/external-secrets cannot authenticate
|
||||
through the External Secrets OpenBao role.
|
||||
activation_conditions:
|
||||
- "Policy applied with platform-admin/operator authority."
|
||||
- "Kubernetes auth role bound to the confirmed issue-core service account and namespace."
|
||||
- "Secret values provisioned directly in OpenBao through approved operator custody."
|
||||
- "Positive and negative verification recorded with non-secret audit ids or timestamps."
|
||||
- Policy applied with platform-admin/operator authority.
|
||||
- Kubernetes auth role bound to external-secrets/external-secrets for the issue-core
|
||||
External Secrets delivery path.
|
||||
- Secret values provisioned directly in OpenBao through approved operator custody.
|
||||
- Positive and negative verification recorded with non-secret audit ids or timestamps.
|
||||
lifecycle:
|
||||
deactivate: "Disable ops-warden catalog entry and remove or detach auth role policy."
|
||||
rotate: "Replace issue-core runtime secret values directly in OpenBao and record non-secret rotation evidence."
|
||||
compromised: "Immediately deactivate access front door, rotate affected values, record blast-radius notes, and open incident follow-up tasks."
|
||||
deactivate: Disable ops-warden catalog entry and remove or detach auth role policy.
|
||||
rotate: Replace issue-core runtime secret values directly in OpenBao and record
|
||||
non-secret rotation evidence.
|
||||
compromised: Immediately deactivate access front door, rotate affected values, record
|
||||
blast-radius notes, and open incident follow-up tasks.
|
||||
state_hub:
|
||||
workplan_id: RAILIANCE-WP-0007
|
||||
ops_warden_batch_message_id: "fe5b1696-8956-4bd5-9d6f-dbde1901a076"
|
||||
ops_warden_batch_message_id: fe5b1696-8956-4bd5-9d6f-dbde1901a076
|
||||
|
|
|
|||
|
|
@ -2,77 +2,101 @@ id: CCR-2026-0003
|
|||
kind: credential-change-request
|
||||
schema_version: 1
|
||||
request_type: workload-kv-read
|
||||
title: "llm-connect OpenRouter provider key lane"
|
||||
title: llm-connect OpenRouter provider key lane
|
||||
status: proposed
|
||||
created: "2026-06-27"
|
||||
updated: "2026-06-27"
|
||||
created: '2026-06-27'
|
||||
updated: '2026-06-30'
|
||||
requester:
|
||||
agent: ops-warden
|
||||
message_id: "fe5b1696-8956-4bd5-9d6f-dbde1901a076"
|
||||
reason: "Confirm and provision the llm-connect OpenRouter workload KV lane requested in the ops-warden batch."
|
||||
message_id: fe5b1696-8956-4bd5-9d6f-dbde1901a076
|
||||
reason: Confirm and provision the llm-connect OpenRouter workload KV lane requested
|
||||
in the ops-warden batch.
|
||||
review:
|
||||
required: true
|
||||
required_approvers:
|
||||
- platform-operator
|
||||
- activity-core-owner
|
||||
comments: []
|
||||
- platform-operator
|
||||
- activity-core-owner
|
||||
comments:
|
||||
- at: '2026-06-29T22:53:03+00:00'
|
||||
reviewer: codex
|
||||
decision: metadata_review_binding_confirmed_pending_owner_approval
|
||||
comment: Live cluster metadata on 2026-06-30 confirms namespace activity-core
|
||||
exists and the External Secrets operator service account external-secrets/external-secrets
|
||||
exists. The proposed llm-connect service account does not exist; the llm-connect
|
||||
Deployment currently uses the default service account. Updated the proposed
|
||||
OpenBao auth binding to the platform ESO pattern with role external-secrets-activity-core.
|
||||
No activity-core ExternalSecret exists yet; a namespace-limited ClusterSecretStore
|
||||
source manifest was added for future rollout. Keep CCR status proposed until
|
||||
platform/operator and activity-core-owner approval.
|
||||
target:
|
||||
domain: financials
|
||||
tenant: activity-core
|
||||
workload: llm-connect
|
||||
environment: production
|
||||
purpose: "llm-connect provider access through OpenBao workload KV and External Secrets"
|
||||
purpose: llm-connect provider access through OpenBao workload KV and External Secrets
|
||||
openbao:
|
||||
mount: platform
|
||||
kv_path: platform/workloads/activity-core/llm-connect/llm-connect-provider-secrets
|
||||
fields:
|
||||
- OPENROUTER_API_KEY
|
||||
- OPENROUTER_API_KEY
|
||||
policy_name: workload-kv-read-llm-connect-provider-secrets
|
||||
policy_file: openbao/policies/workload-kv-read-llm-connect-provider-secrets.hcl
|
||||
auth:
|
||||
method: kubernetes
|
||||
mount: kubernetes
|
||||
role: llm-connect-provider-secrets-read
|
||||
role: external-secrets-activity-core
|
||||
bound_claims:
|
||||
service_account_names:
|
||||
- llm-connect
|
||||
- external-secrets
|
||||
service_account_namespaces:
|
||||
- activity-core
|
||||
bound_claims_confirmed: false
|
||||
- external-secrets
|
||||
bound_claims_confirmed: true
|
||||
policies:
|
||||
- workload-kv-read-llm-connect-provider-secrets
|
||||
- workload-kv-read-llm-connect-provider-secrets
|
||||
ttl: 15m
|
||||
access_frontdoor:
|
||||
type: ops-warden
|
||||
catalog_id: llm-connect-openrouter-api-key
|
||||
selector: "llm-connect OpenRouter API key"
|
||||
command: "warden access llm-connect-openrouter-api-key --fetch OPENROUTER_API_KEY"
|
||||
selector: llm-connect OpenRouter API key
|
||||
command: warden access llm-connect-openrouter-api-key --fetch OPENROUTER_API_KEY
|
||||
resolvable: false
|
||||
readiness: template
|
||||
activation: "draft-until-ccr-verified"
|
||||
activation: draft-until-ccr-verified
|
||||
delivery:
|
||||
surface: external-secrets
|
||||
target: "Secret llm-connect-provider-secrets in the activity-core namespace"
|
||||
target: ExternalSecret to Secret llm-connect-provider-secrets in the activity-core
|
||||
namespace
|
||||
risk:
|
||||
classification: high
|
||||
notes:
|
||||
- "Grants read access to the provider key used by llm-connect for OpenRouter requests."
|
||||
- "The Kubernetes service account and namespace binding must be confirmed before apply."
|
||||
- "ops-warden must proxy reads as the caller and must not retain token values."
|
||||
- Grants read access to the provider key used by llm-connect for OpenRouter requests
|
||||
through the platform External Secrets path.
|
||||
- The Kubernetes auth subject is the External Secrets operator service account external-secrets/external-secrets,
|
||||
with ClusterSecretStore usage limited to the activity-core namespace.
|
||||
- ops-warden must proxy reads as the caller and must not retain token values.
|
||||
verification:
|
||||
positive:
|
||||
- "Approved llm-connect service account can read field OPENROUTER_API_KEY through OpenBao or External Secrets without printing the value."
|
||||
- An approved activity-core ExternalSecret can sync field OPENROUTER_API_KEY to
|
||||
Secret llm-connect-provider-secrets without printing the value.
|
||||
- The llm-connect runtime can consume the resulting Kubernetes Secret without exposing
|
||||
values.
|
||||
negative:
|
||||
- "A service account outside the approved activity-core/llm-connect binding cannot read the path."
|
||||
- A namespace outside the approved ClusterSecretStore condition cannot use this
|
||||
store to read the path.
|
||||
- A service account outside external-secrets/external-secrets cannot authenticate
|
||||
through the External Secrets OpenBao role.
|
||||
activation_conditions:
|
||||
- "Policy applied with platform-admin/operator authority."
|
||||
- "Kubernetes auth role bound to the confirmed llm-connect service account and namespace."
|
||||
- "Secret value provisioned directly in OpenBao through approved operator custody."
|
||||
- "Positive and negative verification recorded with non-secret audit ids or timestamps."
|
||||
- Policy applied with platform-admin/operator authority.
|
||||
- Kubernetes auth role bound to external-secrets/external-secrets for the activity-core
|
||||
External Secrets delivery path.
|
||||
- Secret value provisioned directly in OpenBao through approved operator custody.
|
||||
- Positive and negative verification recorded with non-secret audit ids or timestamps.
|
||||
lifecycle:
|
||||
deactivate: "Disable ops-warden catalog entry and remove or detach auth role policy."
|
||||
rotate: "Replace OPENROUTER_API_KEY directly in OpenBao and record non-secret rotation evidence."
|
||||
compromised: "Immediately deactivate access front door, rotate the provider key, record blast-radius notes, and open incident follow-up tasks."
|
||||
deactivate: Disable ops-warden catalog entry and remove or detach auth role policy.
|
||||
rotate: Replace OPENROUTER_API_KEY directly in OpenBao and record non-secret rotation
|
||||
evidence.
|
||||
compromised: Immediately deactivate access front door, rotate the provider key,
|
||||
record blast-radius notes, and open incident follow-up tasks.
|
||||
state_hub:
|
||||
workplan_id: RAILIANCE-WP-0007
|
||||
ops_warden_batch_message_id: "fe5b1696-8956-4bd5-9d6f-dbde1901a076"
|
||||
ops_warden_batch_message_id: fe5b1696-8956-4bd5-9d6f-dbde1901a076
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue