Support activity-core ISSUE_CORE_API_KEY ExternalSecret on railiance01
Switch openbao-activity-core ClusterSecretStore to interim coulombcore token auth like forgejo/reuse, broaden the activity-core ESO policy to include the shared issue-core runtime path, and document ESO-managed rotation.
This commit is contained in:
parent
a323b7e04d
commit
e36694648a
4 changed files with 43 additions and 14 deletions
2
Makefile
2
Makefile
|
|
@ -191,7 +191,7 @@ openbao-configure-external-secrets-issue-core: ## Configure OpenBao policy/role
|
|||
scripts/openbao-apply-external-secrets-issue-core.sh
|
||||
|
||||
openbao-configure-external-secrets-activity-core: ## Configure OpenBao policy/role for activity-core ESO lane
|
||||
KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) OPENBAO_RELEASE=$(OPENBAO_RELEASE) ESO_NAMESPACE=$(EXTERNAL_SECRETS_NAMESPACE) OPENBAO_ESO_ROLE=external-secrets-activity-core OPENBAO_ESO_POLICY=workload-kv-read-llm-connect-provider-secrets POLICY_FILE='$(CURDIR)/openbao/policies/workload-kv-read-llm-connect-provider-secrets.hcl' scripts/openbao-apply-external-secrets-issue-core.sh
|
||||
KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) OPENBAO_RELEASE=$(OPENBAO_RELEASE) ESO_NAMESPACE=$(EXTERNAL_SECRETS_NAMESPACE) OPENBAO_ESO_ROLE=external-secrets-activity-core OPENBAO_ESO_POLICY=external-secrets-activity-core POLICY_FILE='$(CURDIR)/openbao/policies/external-secrets-activity-core.hcl' OPENBAO_ESO_NEXT_PATH=platform/workloads/issue-core/issue-core/issue-core-runtime OPENBAO_ESO_NEXT_FIELDS=ISSUE_CORE_API_KEY OPENBAO_ESO_NEXT_TARGET=ExternalSecret/activity-core/actcore-issue-core-runtime scripts/openbao-apply-external-secrets-issue-core.sh
|
||||
|
||||
openbao-configure-external-secrets-forgejo: ## Configure OpenBao policy/role for Forgejo mailer ESO lane
|
||||
KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) \
|
||||
|
|
|
|||
|
|
@ -1,3 +1,12 @@
|
|||
# Interim: activity-core on railiance01 reads runtime secrets from coulombcore
|
||||
# OpenBao (https://bao.coulomb.social) until railiance01 OpenBao is bootstrapped
|
||||
# (Wave 7). Target state uses in-cluster OpenBao + Kubernetes auth role
|
||||
# external-secrets-activity-core.
|
||||
#
|
||||
# Prereq: Secret external-secrets/openbao-activity-core-eso-token (key: token)
|
||||
# with a policy-limited OpenBao token that can read
|
||||
# platform/workloads/issue-core/issue-core/issue-core-runtime (ISSUE_CORE_API_KEY).
|
||||
# Bootstrap: activity-core scripts/openbao-eso-token-apply.sh
|
||||
apiVersion: external-secrets.io/v1beta1
|
||||
kind: ClusterSecretStore
|
||||
metadata:
|
||||
|
|
@ -8,16 +17,14 @@ metadata:
|
|||
spec:
|
||||
provider:
|
||||
vault:
|
||||
server: http://openbao.openbao.svc.cluster.local:8200
|
||||
server: https://bao.coulomb.social
|
||||
path: platform
|
||||
version: v2
|
||||
auth:
|
||||
kubernetes:
|
||||
mountPath: kubernetes
|
||||
role: external-secrets-activity-core
|
||||
serviceAccountRef:
|
||||
name: external-secrets
|
||||
namespace: external-secrets
|
||||
tokenSecretRef:
|
||||
name: openbao-activity-core-eso-token
|
||||
namespace: external-secrets
|
||||
key: token
|
||||
conditions:
|
||||
- namespaces:
|
||||
- activity-core
|
||||
- activity-core
|
||||
|
|
@ -40,11 +40,12 @@ secret value ever appears in Git, State Hub, chat, prompts, or shell history.
|
|||
`secret/issue-core-runtime` in the `issue-core` namespace (ESO will not
|
||||
recreate it while the lane is down) and restart the issue-core Deployment.
|
||||
- **`ISSUE_CORE_API_KEY` has a second consumer**: railiance01's
|
||||
`activity-core/actcore-runtime-secret` holds an operator-injected copy
|
||||
(2026-07-02, ISSUE-WP-0003-T06). Rotation and compromise response MUST
|
||||
re-inject the new value there (stdin-only pipe from OpenBao) and restart
|
||||
`deploy/actcore-worker`, or activity-core emission silently starts failing
|
||||
with 401s on the next run.
|
||||
`activity-core/ExternalSecret actcore-issue-core-runtime` merges the key into
|
||||
`actcore-runtime-secret` (1h refresh). Rotation and compromise response MUST
|
||||
update OpenBao first, wait for ExternalSecret refresh (or annotate
|
||||
`force-sync`), then restart `deploy/actcore-worker` and
|
||||
`deploy/actcore-event-router`, or activity-core emission silently starts
|
||||
failing with 401s on the next run.
|
||||
- `GITEA_BACKEND_TOKEN` is a scoped Gitea token for service user
|
||||
`issue-core-svc`; rotating it means minting a new token in Gitea first,
|
||||
then updating OpenBao — order matters, or ingestion breaks between steps.
|
||||
|
|
|
|||
21
openbao/policies/external-secrets-activity-core.hcl
Normal file
21
openbao/policies/external-secrets-activity-core.hcl
Normal file
|
|
@ -0,0 +1,21 @@
|
|||
# External Secrets Operator policy for the activity-core namespace.
|
||||
#
|
||||
# Covers:
|
||||
# - llm-connect provider secrets (OPENROUTER_API_KEY)
|
||||
# - shared issue-core ingestion key for activity-core IssueSink emission
|
||||
|
||||
path "platform/data/workloads/activity-core/llm-connect/llm-connect-provider-secrets" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
|
||||
path "platform/metadata/workloads/activity-core/llm-connect/llm-connect-provider-secrets" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
|
||||
path "platform/data/workloads/issue-core/issue-core/issue-core-runtime" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
|
||||
path "platform/metadata/workloads/issue-core/issue-core/issue-core-runtime" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue