Activate reuse-surface runtime secrets OpenBao lane (CCR-2026-0005)
Some checks are pending
CI Smoke / host-smoke (push) Waiting to run
CI Smoke / container-smoke (push) Waiting to run

Approve CCR-2026-0005, apply delegated OpenBao metadata, seed the KV path,
verify ExternalSecret delivery on Railiance01, and complete RAILIANCE-WP-0011-T02.
This commit is contained in:
tegwick 2026-07-07 22:34:34 +02:00
parent 8e8300e099
commit d64fa814b1
4 changed files with 101 additions and 31 deletions

View file

@ -5,3 +5,4 @@ resources:
- openbao.clustersecretstore.yaml - openbao.clustersecretstore.yaml
- openbao-activity-core.clustersecretstore.yaml - openbao-activity-core.clustersecretstore.yaml
- openbao-forgejo.clustersecretstore.yaml - openbao-forgejo.clustersecretstore.yaml
- openbao-reuse.clustersecretstore.yaml

View file

@ -0,0 +1,28 @@
# Interim: reuse-surface on railiance01 reads runtime secrets from coulombcore OpenBao
# (https://bao.coulomb.social) until railiance01 OpenBao is bootstrapped (Wave 7).
#
# Prereq: Secret external-secrets/openbao-reuse-eso-token (key: token) with a
# policy-limited OpenBao token that can read
# platform/workloads/reuse/reuse-surface/runtime-secrets.
# Bootstrap: railiance-apps make reuse-openbao-eso-token-apply
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: openbao-reuse
labels:
app.kubernetes.io/part-of: railiance-gitops
railiance-platform/component: external-secrets
spec:
provider:
vault:
server: https://bao.coulomb.social
path: platform
version: v2
auth:
tokenSecretRef:
name: openbao-reuse-eso-token
namespace: external-secrets
key: token
conditions:
- namespaces:
- reuse

View file

@ -3,7 +3,7 @@ kind: credential-change-request
schema_version: 1 schema_version: 1
request_type: workload-kv-read request_type: workload-kv-read
title: reuse-surface runtime secrets lane title: reuse-surface runtime secrets lane
status: proposed status: verified
created: '2026-07-07' created: '2026-07-07'
updated: '2026-07-07' updated: '2026-07-07'
requester: requester:
@ -21,18 +21,23 @@ review:
decision: metadata_review_binding_confirmed_pending_owner_approval decision: metadata_review_binding_confirmed_pending_owner_approval
comment: 'Live Railiance01 metadata on 2026-07-07 confirms namespace reuse exists; comment: 'Live Railiance01 metadata on 2026-07-07 confirms namespace reuse exists;
Deployment reuse-surface consumes envFrom secretRef reuse-surface-env (default Deployment reuse-surface consumes envFrom secretRef reuse-surface-env (default
service account). Secret reuse-surface-env holds REUSE_SURFACE_TOKEN and service account). Secret reuse-surface-env holds REUSE_SURFACE_TOKEN and REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET.
REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET. External Secrets operator service account External Secrets operator service account external-secrets/external-secrets
external-secrets/external-secrets exists. No ExternalSecret in reuse yet; exists. No ExternalSecret in reuse yet; ClusterSecretStore openbao-forgejo is
ClusterSecretStore openbao-forgejo is the interim reference pattern on this the interim reference pattern on this cluster (token auth to https://bao.coulomb.social).
cluster (token auth to https://bao.coulomb.social). Proposed Railiance01 Proposed Railiance01 interim delivery mirrors forgejo-mailer: periodic OpenBao
interim delivery mirrors forgejo-mailer: periodic OpenBao token with policy token with policy workload-kv-read-reuse-surface-runtime stored in external-secrets/openbao-reuse-eso-token,
workload-kv-read-reuse-surface-runtime stored in ClusterSecretStore openbao-reuse namespace-limited to reuse, ExternalSecret
external-secrets/openbao-reuse-eso-token, ClusterSecretStore openbao-reuse reuse/reuse-surface-runtime targeting Secret reuse-surface-env. Forgejo org
namespace-limited to reuse, ExternalSecret reuse/reuse-surface-runtime targeting webhook id=1 on coulomb is live and must stay aligned with REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET
Secret reuse-surface-env. Forgejo org webhook id=1 on coulomb is live and must on rotation. Keep CCR status proposed until platform-operator and reuse-surface-owner
stay aligned with REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET on rotation. Keep CCR approval.'
status proposed until platform-operator and reuse-surface-owner approval.' - at: '2026-07-07T20:31:05+00:00'
reviewer: bernd.worsch
decision: approved
comment: 'Approved in chat acting as platform-operator and reuse-surface-owner:
promote reuse-surface runtime secrets to OpenBao workload KV with Railiance01
interim ESO delivery per CCR-2026-0005.'
target: target:
domain: financials domain: financials
tenant: reuse tenant: reuse
@ -71,21 +76,21 @@ access_frontdoor:
delivery: delivery:
surface: external-secrets surface: external-secrets
target: ExternalSecret reuse/reuse-surface-runtime -> Secret reuse-surface-env in target: ExternalSecret reuse/reuse-surface-runtime -> Secret reuse-surface-env in
the reuse namespace on Railiance01; interim ClusterSecretStore openbao-reuse the reuse namespace on Railiance01; interim ClusterSecretStore openbao-reuse (token
(token auth to coulombcore OpenBao, namespace-limited to reuse) until auth to coulombcore OpenBao, namespace-limited to reuse) until railiance01-local
railiance01-local OpenBao Wave 7 bootstrap OpenBao Wave 7 bootstrap
risk: risk:
classification: high classification: high
notes: notes:
- REUSE_SURFACE_TOKEN grants authenticated writes to the production federation hub - REUSE_SURFACE_TOKEN grants authenticated writes to the production federation hub
at https://reuse.coulomb.social. at https://reuse.coulomb.social.
- REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET is a dual-consumer HMAC — the hub pod and - "REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET is a dual-consumer HMAC \u2014 the hub pod\
the Forgejo org webhook must share the same value; rotation requires \ and the Forgejo org webhook must share the same value; rotation requires railiance-apps\
railiance-apps make reuse-forgejo-webhook after ESO sync. \ make reuse-forgejo-webhook after ESO sync."
- Railiance01 interim delivery uses a policy-limited periodic OpenBao token in - "Railiance01 interim delivery uses a policy-limited periodic OpenBao token in\
external-secrets/openbao-reuse-eso-token, mirroring the forgejo-mailer lane \ external-secrets/openbao-reuse-eso-token, mirroring the forgejo-mailer lane\
not the kubernetes auth role until coulombcore kubernetes auth covers this \ \u2014 not the kubernetes auth role until coulombcore kubernetes auth covers\
cluster or railiance01 OpenBao is bootstrapped. \ this cluster or railiance01 OpenBao is bootstrapped."
- ops-warden must proxy reads as the caller and must not retain token values. - ops-warden must proxy reads as the caller and must not retain token values.
verification: verification:
positive: positive:
@ -94,18 +99,48 @@ verification:
- reuse-surface Deployment rolls cleanly and hub write plus signed webhook POST - reuse-surface Deployment rolls cleanly and hub write plus signed webhook POST
succeed after migration. succeed after migration.
negative: negative:
- A namespace outside the approved ClusterSecretStore condition cannot use - A namespace outside the approved ClusterSecretStore condition cannot use openbao-reuse
openbao-reuse to read the path. to read the path.
- A periodic token without workload-kv-read-reuse-surface-runtime cannot read - A periodic token without workload-kv-read-reuse-surface-runtime cannot read the
the KV path. KV path.
activation_conditions: activation_conditions:
- Policy applied on coulombcore OpenBao with platform-admin/operator authority. - Policy applied on coulombcore OpenBao with platform-admin/operator authority.
- Secret values seeded from the existing reuse-surface-env cluster Secret through - Secret values seeded from the existing reuse-surface-env cluster Secret through
approved operator custody (values never logged). approved operator custody (values never logged).
- Railiance01 ClusterSecretStore openbao-reuse and ExternalSecret deployed. - Railiance01 ClusterSecretStore openbao-reuse and ExternalSecret deployed.
- Positive and negative verification recorded with non-secret audit ids or - Positive and negative verification recorded with non-secret audit ids or timestamps.
timestamps.
- ops-warden catalog handoff migrated from kubectl to bao kv get (RAILIANCE-WP-0011-T03). - ops-warden catalog handoff migrated from kubectl to bao kv get (RAILIANCE-WP-0011-T03).
evidence:
- at: '2026-07-07T20:31:17+00:00'
actor: bernd.worsch
kind: delegated_metadata_apply
result: passed
details:
- Delegated metadata applier ran as bernd.worsch using local bao CLI ambient authority.
- 'Policy metadata write: sys/policies/acl/workload-kv-read-reuse-surface-runtime'
- 'Auth role metadata write: auth/kubernetes/role/external-secrets-reuse-surface'
- No secret values were read, written, printed, or accepted in argv.
- at: '2026-07-07T20:33:52+00:00'
actor: bernd.worsch
kind: secret_provisioned
result: passed
details:
- Seeded platform/workloads/reuse/reuse-surface/runtime-secrets from live reuse/reuse-surface-env;
field presence confirmed without printing values (KV version 1)
- at: '2026-07-07T20:33:54+00:00'
actor: bernd.worsch
kind: positive_verification
result: passed
details:
- ExternalSecret reuse/reuse-surface-runtime Ready=True SecretSynced 2026-07-07T20:33:17Z;
hub /v1/federated 200 (61 capabilities); signed webhook POST 200
- at: '2026-07-07T20:33:55+00:00'
actor: bernd.worsch
kind: negative_verification
result: passed
details:
- default-policy OpenBao token denied on platform/workloads/reuse/reuse-surface/runtime-secrets
(HTTP permission denied)
lifecycle: lifecycle:
deactivate: Disable ops-warden catalog entry, remove ExternalSecret, and detach deactivate: Disable ops-warden catalog entry, remove ExternalSecret, and detach
auth role policy; delete materialized reuse-surface-env only after confirming auth role policy; delete materialized reuse-surface-env only after confirming
@ -116,4 +151,4 @@ lifecycle:
Forgejo org webhook, record blast-radius notes, and open incident follow-up tasks. Forgejo org webhook, record blast-radius notes, and open incident follow-up tasks.
state_hub: state_hub:
workplan_id: RAILIANCE-WP-0011 workplan_id: RAILIANCE-WP-0011
task_id: RAILIANCE-WP-0011-T01 task_id: RAILIANCE-WP-0011-T01

View file

@ -84,7 +84,7 @@ T02 blocked on platform-operator and reuse-surface-owner approval.
```task ```task
id: RAILIANCE-WP-0011-T02 id: RAILIANCE-WP-0011-T02
status: todo status: done
priority: medium priority: medium
state_hub_task_id: "69cf1728-8034-4309-b8ad-eb14184af6b6" state_hub_task_id: "69cf1728-8034-4309-b8ad-eb14184af6b6"
``` ```
@ -97,6 +97,12 @@ Blocked on CCR-2026-0005 approval.
- Verify ExternalSecret `SecretSynced` and pod env injection after rollout - Verify ExternalSecret `SecretSynced` and pod env injection after rollout
- Record non-secret audit evidence (positive + negative reads) - Record non-secret audit evidence (positive + negative reads)
**2026-07-07:** CCR-2026-0005 approved; delegated metadata apply recorded; KV path
seeded (version 1); `openbao-reuse` ClusterSecretStore + `reuse-surface-runtime`
ExternalSecret live on Railiance01 (`SecretSynced` 2026-07-07T20:33:17Z). Positive:
`/v1/federated` 200, signed webhook 200. Negative: default-policy token denied on
path. CCR status `verified`. T03 catalog migration remains open.
## Consumer Handoff And Catalog Migration ## Consumer Handoff And Catalog Migration
```task ```task