diff --git a/argocd/platform-addons/openbao-secretstore/kustomization.yaml b/argocd/platform-addons/openbao-secretstore/kustomization.yaml index 2d84e72..f20b76d 100644 --- a/argocd/platform-addons/openbao-secretstore/kustomization.yaml +++ b/argocd/platform-addons/openbao-secretstore/kustomization.yaml @@ -5,3 +5,4 @@ resources: - openbao.clustersecretstore.yaml - openbao-activity-core.clustersecretstore.yaml - openbao-forgejo.clustersecretstore.yaml + - openbao-reuse.clustersecretstore.yaml diff --git a/argocd/platform-addons/openbao-secretstore/openbao-reuse.clustersecretstore.yaml b/argocd/platform-addons/openbao-secretstore/openbao-reuse.clustersecretstore.yaml new file mode 100644 index 0000000..7b3d113 --- /dev/null +++ b/argocd/platform-addons/openbao-secretstore/openbao-reuse.clustersecretstore.yaml @@ -0,0 +1,28 @@ +# Interim: reuse-surface on railiance01 reads runtime secrets from coulombcore OpenBao +# (https://bao.coulomb.social) until railiance01 OpenBao is bootstrapped (Wave 7). +# +# Prereq: Secret external-secrets/openbao-reuse-eso-token (key: token) with a +# policy-limited OpenBao token that can read +# platform/workloads/reuse/reuse-surface/runtime-secrets. +# Bootstrap: railiance-apps make reuse-openbao-eso-token-apply +apiVersion: external-secrets.io/v1beta1 +kind: ClusterSecretStore +metadata: + name: openbao-reuse + labels: + app.kubernetes.io/part-of: railiance-gitops + railiance-platform/component: external-secrets +spec: + provider: + vault: + server: https://bao.coulomb.social + path: platform + version: v2 + auth: + tokenSecretRef: + name: openbao-reuse-eso-token + namespace: external-secrets + key: token + conditions: + - namespaces: + - reuse \ No newline at end of file diff --git a/credential-change-requests/CCR-2026-0005-reuse-surface-runtime-secrets-lane.yaml b/credential-change-requests/CCR-2026-0005-reuse-surface-runtime-secrets-lane.yaml index ff422b9..22b54c9 100644 --- a/credential-change-requests/CCR-2026-0005-reuse-surface-runtime-secrets-lane.yaml +++ b/credential-change-requests/CCR-2026-0005-reuse-surface-runtime-secrets-lane.yaml @@ -3,7 +3,7 @@ kind: credential-change-request schema_version: 1 request_type: workload-kv-read title: reuse-surface runtime secrets lane -status: proposed +status: verified created: '2026-07-07' updated: '2026-07-07' requester: @@ -21,18 +21,23 @@ review: decision: metadata_review_binding_confirmed_pending_owner_approval comment: 'Live Railiance01 metadata on 2026-07-07 confirms namespace reuse exists; Deployment reuse-surface consumes envFrom secretRef reuse-surface-env (default - service account). Secret reuse-surface-env holds REUSE_SURFACE_TOKEN and - REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET. External Secrets operator service account - external-secrets/external-secrets exists. No ExternalSecret in reuse yet; - ClusterSecretStore openbao-forgejo is the interim reference pattern on this - cluster (token auth to https://bao.coulomb.social). Proposed Railiance01 - interim delivery mirrors forgejo-mailer: periodic OpenBao token with policy - workload-kv-read-reuse-surface-runtime stored in - external-secrets/openbao-reuse-eso-token, ClusterSecretStore openbao-reuse - namespace-limited to reuse, ExternalSecret reuse/reuse-surface-runtime targeting - Secret reuse-surface-env. Forgejo org webhook id=1 on coulomb is live and must - stay aligned with REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET on rotation. Keep CCR - status proposed until platform-operator and reuse-surface-owner approval.' + service account). Secret reuse-surface-env holds REUSE_SURFACE_TOKEN and REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET. + External Secrets operator service account external-secrets/external-secrets + exists. No ExternalSecret in reuse yet; ClusterSecretStore openbao-forgejo is + the interim reference pattern on this cluster (token auth to https://bao.coulomb.social). + Proposed Railiance01 interim delivery mirrors forgejo-mailer: periodic OpenBao + token with policy workload-kv-read-reuse-surface-runtime stored in external-secrets/openbao-reuse-eso-token, + ClusterSecretStore openbao-reuse namespace-limited to reuse, ExternalSecret + reuse/reuse-surface-runtime targeting Secret reuse-surface-env. Forgejo org + webhook id=1 on coulomb is live and must stay aligned with REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET + on rotation. Keep CCR status proposed until platform-operator and reuse-surface-owner + approval.' + - at: '2026-07-07T20:31:05+00:00' + reviewer: bernd.worsch + decision: approved + comment: 'Approved in chat acting as platform-operator and reuse-surface-owner: + promote reuse-surface runtime secrets to OpenBao workload KV with Railiance01 + interim ESO delivery per CCR-2026-0005.' target: domain: financials tenant: reuse @@ -71,21 +76,21 @@ access_frontdoor: delivery: surface: external-secrets target: ExternalSecret reuse/reuse-surface-runtime -> Secret reuse-surface-env in - the reuse namespace on Railiance01; interim ClusterSecretStore openbao-reuse - (token auth to coulombcore OpenBao, namespace-limited to reuse) until - railiance01-local OpenBao Wave 7 bootstrap + the reuse namespace on Railiance01; interim ClusterSecretStore openbao-reuse (token + auth to coulombcore OpenBao, namespace-limited to reuse) until railiance01-local + OpenBao Wave 7 bootstrap risk: classification: high notes: - REUSE_SURFACE_TOKEN grants authenticated writes to the production federation hub at https://reuse.coulomb.social. - - REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET is a dual-consumer HMAC — the hub pod and - the Forgejo org webhook must share the same value; rotation requires - railiance-apps make reuse-forgejo-webhook after ESO sync. - - Railiance01 interim delivery uses a policy-limited periodic OpenBao token in - external-secrets/openbao-reuse-eso-token, mirroring the forgejo-mailer lane — - not the kubernetes auth role until coulombcore kubernetes auth covers this - cluster or railiance01 OpenBao is bootstrapped. + - "REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET is a dual-consumer HMAC \u2014 the hub pod\ + \ and the Forgejo org webhook must share the same value; rotation requires railiance-apps\ + \ make reuse-forgejo-webhook after ESO sync." + - "Railiance01 interim delivery uses a policy-limited periodic OpenBao token in\ + \ external-secrets/openbao-reuse-eso-token, mirroring the forgejo-mailer lane\ + \ \u2014 not the kubernetes auth role until coulombcore kubernetes auth covers\ + \ this cluster or railiance01 OpenBao is bootstrapped." - ops-warden must proxy reads as the caller and must not retain token values. verification: positive: @@ -94,18 +99,48 @@ verification: - reuse-surface Deployment rolls cleanly and hub write plus signed webhook POST succeed after migration. negative: - - A namespace outside the approved ClusterSecretStore condition cannot use - openbao-reuse to read the path. - - A periodic token without workload-kv-read-reuse-surface-runtime cannot read - the KV path. + - A namespace outside the approved ClusterSecretStore condition cannot use openbao-reuse + to read the path. + - A periodic token without workload-kv-read-reuse-surface-runtime cannot read the + KV path. activation_conditions: - Policy applied on coulombcore OpenBao with platform-admin/operator authority. - Secret values seeded from the existing reuse-surface-env cluster Secret through approved operator custody (values never logged). - Railiance01 ClusterSecretStore openbao-reuse and ExternalSecret deployed. - - Positive and negative verification recorded with non-secret audit ids or - timestamps. + - Positive and negative verification recorded with non-secret audit ids or timestamps. - ops-warden catalog handoff migrated from kubectl to bao kv get (RAILIANCE-WP-0011-T03). + evidence: + - at: '2026-07-07T20:31:17+00:00' + actor: bernd.worsch + kind: delegated_metadata_apply + result: passed + details: + - Delegated metadata applier ran as bernd.worsch using local bao CLI ambient authority. + - 'Policy metadata write: sys/policies/acl/workload-kv-read-reuse-surface-runtime' + - 'Auth role metadata write: auth/kubernetes/role/external-secrets-reuse-surface' + - No secret values were read, written, printed, or accepted in argv. + - at: '2026-07-07T20:33:52+00:00' + actor: bernd.worsch + kind: secret_provisioned + result: passed + details: + - Seeded platform/workloads/reuse/reuse-surface/runtime-secrets from live reuse/reuse-surface-env; + field presence confirmed without printing values (KV version 1) + - at: '2026-07-07T20:33:54+00:00' + actor: bernd.worsch + kind: positive_verification + result: passed + details: + - ExternalSecret reuse/reuse-surface-runtime Ready=True SecretSynced 2026-07-07T20:33:17Z; + hub /v1/federated 200 (61 capabilities); signed webhook POST 200 + - at: '2026-07-07T20:33:55+00:00' + actor: bernd.worsch + kind: negative_verification + result: passed + details: + - default-policy OpenBao token denied on platform/workloads/reuse/reuse-surface/runtime-secrets + (HTTP permission denied) lifecycle: deactivate: Disable ops-warden catalog entry, remove ExternalSecret, and detach auth role policy; delete materialized reuse-surface-env only after confirming @@ -116,4 +151,4 @@ lifecycle: Forgejo org webhook, record blast-radius notes, and open incident follow-up tasks. state_hub: workplan_id: RAILIANCE-WP-0011 - task_id: RAILIANCE-WP-0011-T01 \ No newline at end of file + task_id: RAILIANCE-WP-0011-T01 diff --git a/workplans/RAILIANCE-WP-0011-reuse-surface-runtime-secrets-openbao-lane.md b/workplans/RAILIANCE-WP-0011-reuse-surface-runtime-secrets-openbao-lane.md index 72f16b8..f154be4 100644 --- a/workplans/RAILIANCE-WP-0011-reuse-surface-runtime-secrets-openbao-lane.md +++ b/workplans/RAILIANCE-WP-0011-reuse-surface-runtime-secrets-openbao-lane.md @@ -84,7 +84,7 @@ T02 blocked on platform-operator and reuse-surface-owner approval. ```task id: RAILIANCE-WP-0011-T02 -status: todo +status: done priority: medium state_hub_task_id: "69cf1728-8034-4309-b8ad-eb14184af6b6" ``` @@ -97,6 +97,12 @@ Blocked on CCR-2026-0005 approval. - Verify ExternalSecret `SecretSynced` and pod env injection after rollout - Record non-secret audit evidence (positive + negative reads) +**2026-07-07:** CCR-2026-0005 approved; delegated metadata apply recorded; KV path +seeded (version 1); `openbao-reuse` ClusterSecretStore + `reuse-surface-runtime` +ExternalSecret live on Railiance01 (`SecretSynced` 2026-07-07T20:33:17Z). Positive: +`/v1/federated` 200, signed webhook 200. Negative: default-policy token denied on +path. CCR status `verified`. T03 catalog migration remains open. + ## Consumer Handoff And Catalog Migration ```task