Activate reuse-surface runtime secrets OpenBao lane (CCR-2026-0005)
Approve CCR-2026-0005, apply delegated OpenBao metadata, seed the KV path, verify ExternalSecret delivery on Railiance01, and complete RAILIANCE-WP-0011-T02.
This commit is contained in:
parent
8e8300e099
commit
d64fa814b1
4 changed files with 101 additions and 31 deletions
|
|
@ -5,3 +5,4 @@ resources:
|
||||||
- openbao.clustersecretstore.yaml
|
- openbao.clustersecretstore.yaml
|
||||||
- openbao-activity-core.clustersecretstore.yaml
|
- openbao-activity-core.clustersecretstore.yaml
|
||||||
- openbao-forgejo.clustersecretstore.yaml
|
- openbao-forgejo.clustersecretstore.yaml
|
||||||
|
- openbao-reuse.clustersecretstore.yaml
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,28 @@
|
||||||
|
# Interim: reuse-surface on railiance01 reads runtime secrets from coulombcore OpenBao
|
||||||
|
# (https://bao.coulomb.social) until railiance01 OpenBao is bootstrapped (Wave 7).
|
||||||
|
#
|
||||||
|
# Prereq: Secret external-secrets/openbao-reuse-eso-token (key: token) with a
|
||||||
|
# policy-limited OpenBao token that can read
|
||||||
|
# platform/workloads/reuse/reuse-surface/runtime-secrets.
|
||||||
|
# Bootstrap: railiance-apps make reuse-openbao-eso-token-apply
|
||||||
|
apiVersion: external-secrets.io/v1beta1
|
||||||
|
kind: ClusterSecretStore
|
||||||
|
metadata:
|
||||||
|
name: openbao-reuse
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: railiance-gitops
|
||||||
|
railiance-platform/component: external-secrets
|
||||||
|
spec:
|
||||||
|
provider:
|
||||||
|
vault:
|
||||||
|
server: https://bao.coulomb.social
|
||||||
|
path: platform
|
||||||
|
version: v2
|
||||||
|
auth:
|
||||||
|
tokenSecretRef:
|
||||||
|
name: openbao-reuse-eso-token
|
||||||
|
namespace: external-secrets
|
||||||
|
key: token
|
||||||
|
conditions:
|
||||||
|
- namespaces:
|
||||||
|
- reuse
|
||||||
|
|
@ -3,7 +3,7 @@ kind: credential-change-request
|
||||||
schema_version: 1
|
schema_version: 1
|
||||||
request_type: workload-kv-read
|
request_type: workload-kv-read
|
||||||
title: reuse-surface runtime secrets lane
|
title: reuse-surface runtime secrets lane
|
||||||
status: proposed
|
status: verified
|
||||||
created: '2026-07-07'
|
created: '2026-07-07'
|
||||||
updated: '2026-07-07'
|
updated: '2026-07-07'
|
||||||
requester:
|
requester:
|
||||||
|
|
@ -21,18 +21,23 @@ review:
|
||||||
decision: metadata_review_binding_confirmed_pending_owner_approval
|
decision: metadata_review_binding_confirmed_pending_owner_approval
|
||||||
comment: 'Live Railiance01 metadata on 2026-07-07 confirms namespace reuse exists;
|
comment: 'Live Railiance01 metadata on 2026-07-07 confirms namespace reuse exists;
|
||||||
Deployment reuse-surface consumes envFrom secretRef reuse-surface-env (default
|
Deployment reuse-surface consumes envFrom secretRef reuse-surface-env (default
|
||||||
service account). Secret reuse-surface-env holds REUSE_SURFACE_TOKEN and
|
service account). Secret reuse-surface-env holds REUSE_SURFACE_TOKEN and REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET.
|
||||||
REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET. External Secrets operator service account
|
External Secrets operator service account external-secrets/external-secrets
|
||||||
external-secrets/external-secrets exists. No ExternalSecret in reuse yet;
|
exists. No ExternalSecret in reuse yet; ClusterSecretStore openbao-forgejo is
|
||||||
ClusterSecretStore openbao-forgejo is the interim reference pattern on this
|
the interim reference pattern on this cluster (token auth to https://bao.coulomb.social).
|
||||||
cluster (token auth to https://bao.coulomb.social). Proposed Railiance01
|
Proposed Railiance01 interim delivery mirrors forgejo-mailer: periodic OpenBao
|
||||||
interim delivery mirrors forgejo-mailer: periodic OpenBao token with policy
|
token with policy workload-kv-read-reuse-surface-runtime stored in external-secrets/openbao-reuse-eso-token,
|
||||||
workload-kv-read-reuse-surface-runtime stored in
|
ClusterSecretStore openbao-reuse namespace-limited to reuse, ExternalSecret
|
||||||
external-secrets/openbao-reuse-eso-token, ClusterSecretStore openbao-reuse
|
reuse/reuse-surface-runtime targeting Secret reuse-surface-env. Forgejo org
|
||||||
namespace-limited to reuse, ExternalSecret reuse/reuse-surface-runtime targeting
|
webhook id=1 on coulomb is live and must stay aligned with REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET
|
||||||
Secret reuse-surface-env. Forgejo org webhook id=1 on coulomb is live and must
|
on rotation. Keep CCR status proposed until platform-operator and reuse-surface-owner
|
||||||
stay aligned with REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET on rotation. Keep CCR
|
approval.'
|
||||||
status proposed until platform-operator and reuse-surface-owner approval.'
|
- at: '2026-07-07T20:31:05+00:00'
|
||||||
|
reviewer: bernd.worsch
|
||||||
|
decision: approved
|
||||||
|
comment: 'Approved in chat acting as platform-operator and reuse-surface-owner:
|
||||||
|
promote reuse-surface runtime secrets to OpenBao workload KV with Railiance01
|
||||||
|
interim ESO delivery per CCR-2026-0005.'
|
||||||
target:
|
target:
|
||||||
domain: financials
|
domain: financials
|
||||||
tenant: reuse
|
tenant: reuse
|
||||||
|
|
@ -71,21 +76,21 @@ access_frontdoor:
|
||||||
delivery:
|
delivery:
|
||||||
surface: external-secrets
|
surface: external-secrets
|
||||||
target: ExternalSecret reuse/reuse-surface-runtime -> Secret reuse-surface-env in
|
target: ExternalSecret reuse/reuse-surface-runtime -> Secret reuse-surface-env in
|
||||||
the reuse namespace on Railiance01; interim ClusterSecretStore openbao-reuse
|
the reuse namespace on Railiance01; interim ClusterSecretStore openbao-reuse (token
|
||||||
(token auth to coulombcore OpenBao, namespace-limited to reuse) until
|
auth to coulombcore OpenBao, namespace-limited to reuse) until railiance01-local
|
||||||
railiance01-local OpenBao Wave 7 bootstrap
|
OpenBao Wave 7 bootstrap
|
||||||
risk:
|
risk:
|
||||||
classification: high
|
classification: high
|
||||||
notes:
|
notes:
|
||||||
- REUSE_SURFACE_TOKEN grants authenticated writes to the production federation hub
|
- REUSE_SURFACE_TOKEN grants authenticated writes to the production federation hub
|
||||||
at https://reuse.coulomb.social.
|
at https://reuse.coulomb.social.
|
||||||
- REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET is a dual-consumer HMAC — the hub pod and
|
- "REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET is a dual-consumer HMAC \u2014 the hub pod\
|
||||||
the Forgejo org webhook must share the same value; rotation requires
|
\ and the Forgejo org webhook must share the same value; rotation requires railiance-apps\
|
||||||
railiance-apps make reuse-forgejo-webhook after ESO sync.
|
\ make reuse-forgejo-webhook after ESO sync."
|
||||||
- Railiance01 interim delivery uses a policy-limited periodic OpenBao token in
|
- "Railiance01 interim delivery uses a policy-limited periodic OpenBao token in\
|
||||||
external-secrets/openbao-reuse-eso-token, mirroring the forgejo-mailer lane —
|
\ external-secrets/openbao-reuse-eso-token, mirroring the forgejo-mailer lane\
|
||||||
not the kubernetes auth role until coulombcore kubernetes auth covers this
|
\ \u2014 not the kubernetes auth role until coulombcore kubernetes auth covers\
|
||||||
cluster or railiance01 OpenBao is bootstrapped.
|
\ this cluster or railiance01 OpenBao is bootstrapped."
|
||||||
- ops-warden must proxy reads as the caller and must not retain token values.
|
- ops-warden must proxy reads as the caller and must not retain token values.
|
||||||
verification:
|
verification:
|
||||||
positive:
|
positive:
|
||||||
|
|
@ -94,18 +99,48 @@ verification:
|
||||||
- reuse-surface Deployment rolls cleanly and hub write plus signed webhook POST
|
- reuse-surface Deployment rolls cleanly and hub write plus signed webhook POST
|
||||||
succeed after migration.
|
succeed after migration.
|
||||||
negative:
|
negative:
|
||||||
- A namespace outside the approved ClusterSecretStore condition cannot use
|
- A namespace outside the approved ClusterSecretStore condition cannot use openbao-reuse
|
||||||
openbao-reuse to read the path.
|
to read the path.
|
||||||
- A periodic token without workload-kv-read-reuse-surface-runtime cannot read
|
- A periodic token without workload-kv-read-reuse-surface-runtime cannot read the
|
||||||
the KV path.
|
KV path.
|
||||||
activation_conditions:
|
activation_conditions:
|
||||||
- Policy applied on coulombcore OpenBao with platform-admin/operator authority.
|
- Policy applied on coulombcore OpenBao with platform-admin/operator authority.
|
||||||
- Secret values seeded from the existing reuse-surface-env cluster Secret through
|
- Secret values seeded from the existing reuse-surface-env cluster Secret through
|
||||||
approved operator custody (values never logged).
|
approved operator custody (values never logged).
|
||||||
- Railiance01 ClusterSecretStore openbao-reuse and ExternalSecret deployed.
|
- Railiance01 ClusterSecretStore openbao-reuse and ExternalSecret deployed.
|
||||||
- Positive and negative verification recorded with non-secret audit ids or
|
- Positive and negative verification recorded with non-secret audit ids or timestamps.
|
||||||
timestamps.
|
|
||||||
- ops-warden catalog handoff migrated from kubectl to bao kv get (RAILIANCE-WP-0011-T03).
|
- ops-warden catalog handoff migrated from kubectl to bao kv get (RAILIANCE-WP-0011-T03).
|
||||||
|
evidence:
|
||||||
|
- at: '2026-07-07T20:31:17+00:00'
|
||||||
|
actor: bernd.worsch
|
||||||
|
kind: delegated_metadata_apply
|
||||||
|
result: passed
|
||||||
|
details:
|
||||||
|
- Delegated metadata applier ran as bernd.worsch using local bao CLI ambient authority.
|
||||||
|
- 'Policy metadata write: sys/policies/acl/workload-kv-read-reuse-surface-runtime'
|
||||||
|
- 'Auth role metadata write: auth/kubernetes/role/external-secrets-reuse-surface'
|
||||||
|
- No secret values were read, written, printed, or accepted in argv.
|
||||||
|
- at: '2026-07-07T20:33:52+00:00'
|
||||||
|
actor: bernd.worsch
|
||||||
|
kind: secret_provisioned
|
||||||
|
result: passed
|
||||||
|
details:
|
||||||
|
- Seeded platform/workloads/reuse/reuse-surface/runtime-secrets from live reuse/reuse-surface-env;
|
||||||
|
field presence confirmed without printing values (KV version 1)
|
||||||
|
- at: '2026-07-07T20:33:54+00:00'
|
||||||
|
actor: bernd.worsch
|
||||||
|
kind: positive_verification
|
||||||
|
result: passed
|
||||||
|
details:
|
||||||
|
- ExternalSecret reuse/reuse-surface-runtime Ready=True SecretSynced 2026-07-07T20:33:17Z;
|
||||||
|
hub /v1/federated 200 (61 capabilities); signed webhook POST 200
|
||||||
|
- at: '2026-07-07T20:33:55+00:00'
|
||||||
|
actor: bernd.worsch
|
||||||
|
kind: negative_verification
|
||||||
|
result: passed
|
||||||
|
details:
|
||||||
|
- default-policy OpenBao token denied on platform/workloads/reuse/reuse-surface/runtime-secrets
|
||||||
|
(HTTP permission denied)
|
||||||
lifecycle:
|
lifecycle:
|
||||||
deactivate: Disable ops-warden catalog entry, remove ExternalSecret, and detach
|
deactivate: Disable ops-warden catalog entry, remove ExternalSecret, and detach
|
||||||
auth role policy; delete materialized reuse-surface-env only after confirming
|
auth role policy; delete materialized reuse-surface-env only after confirming
|
||||||
|
|
@ -116,4 +151,4 @@ lifecycle:
|
||||||
Forgejo org webhook, record blast-radius notes, and open incident follow-up tasks.
|
Forgejo org webhook, record blast-radius notes, and open incident follow-up tasks.
|
||||||
state_hub:
|
state_hub:
|
||||||
workplan_id: RAILIANCE-WP-0011
|
workplan_id: RAILIANCE-WP-0011
|
||||||
task_id: RAILIANCE-WP-0011-T01
|
task_id: RAILIANCE-WP-0011-T01
|
||||||
|
|
|
||||||
|
|
@ -84,7 +84,7 @@ T02 blocked on platform-operator and reuse-surface-owner approval.
|
||||||
|
|
||||||
```task
|
```task
|
||||||
id: RAILIANCE-WP-0011-T02
|
id: RAILIANCE-WP-0011-T02
|
||||||
status: todo
|
status: done
|
||||||
priority: medium
|
priority: medium
|
||||||
state_hub_task_id: "69cf1728-8034-4309-b8ad-eb14184af6b6"
|
state_hub_task_id: "69cf1728-8034-4309-b8ad-eb14184af6b6"
|
||||||
```
|
```
|
||||||
|
|
@ -97,6 +97,12 @@ Blocked on CCR-2026-0005 approval.
|
||||||
- Verify ExternalSecret `SecretSynced` and pod env injection after rollout
|
- Verify ExternalSecret `SecretSynced` and pod env injection after rollout
|
||||||
- Record non-secret audit evidence (positive + negative reads)
|
- Record non-secret audit evidence (positive + negative reads)
|
||||||
|
|
||||||
|
**2026-07-07:** CCR-2026-0005 approved; delegated metadata apply recorded; KV path
|
||||||
|
seeded (version 1); `openbao-reuse` ClusterSecretStore + `reuse-surface-runtime`
|
||||||
|
ExternalSecret live on Railiance01 (`SecretSynced` 2026-07-07T20:33:17Z). Positive:
|
||||||
|
`/v1/federated` 200, signed webhook 200. Negative: default-policy token denied on
|
||||||
|
path. CCR status `verified`. T03 catalog migration remains open.
|
||||||
|
|
||||||
## Consumer Handoff And Catalog Migration
|
## Consumer Handoff And Catalog Migration
|
||||||
|
|
||||||
```task
|
```task
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue