Support activity-core ISSUE_CORE_API_KEY ExternalSecret on railiance01
All checks were successful
CI Smoke / host-smoke (push) Successful in 0s
CI Smoke / container-smoke (push) Successful in 3s

Switch openbao-activity-core ClusterSecretStore to interim coulombcore
token auth like forgejo/reuse, broaden the activity-core ESO policy to
include the shared issue-core runtime path, and document ESO-managed rotation.
This commit is contained in:
tegwick 2026-07-08 00:04:59 +02:00
parent a323b7e04d
commit e36694648a
4 changed files with 43 additions and 14 deletions

View file

@ -191,7 +191,7 @@ openbao-configure-external-secrets-issue-core: ## Configure OpenBao policy/role
scripts/openbao-apply-external-secrets-issue-core.sh
openbao-configure-external-secrets-activity-core: ## Configure OpenBao policy/role for activity-core ESO lane
KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) OPENBAO_RELEASE=$(OPENBAO_RELEASE) ESO_NAMESPACE=$(EXTERNAL_SECRETS_NAMESPACE) OPENBAO_ESO_ROLE=external-secrets-activity-core OPENBAO_ESO_POLICY=workload-kv-read-llm-connect-provider-secrets POLICY_FILE='$(CURDIR)/openbao/policies/workload-kv-read-llm-connect-provider-secrets.hcl' scripts/openbao-apply-external-secrets-issue-core.sh
KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) OPENBAO_RELEASE=$(OPENBAO_RELEASE) ESO_NAMESPACE=$(EXTERNAL_SECRETS_NAMESPACE) OPENBAO_ESO_ROLE=external-secrets-activity-core OPENBAO_ESO_POLICY=external-secrets-activity-core POLICY_FILE='$(CURDIR)/openbao/policies/external-secrets-activity-core.hcl' OPENBAO_ESO_NEXT_PATH=platform/workloads/issue-core/issue-core/issue-core-runtime OPENBAO_ESO_NEXT_FIELDS=ISSUE_CORE_API_KEY OPENBAO_ESO_NEXT_TARGET=ExternalSecret/activity-core/actcore-issue-core-runtime scripts/openbao-apply-external-secrets-issue-core.sh
openbao-configure-external-secrets-forgejo: ## Configure OpenBao policy/role for Forgejo mailer ESO lane
KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) \

View file

@ -1,3 +1,12 @@
# Interim: activity-core on railiance01 reads runtime secrets from coulombcore
# OpenBao (https://bao.coulomb.social) until railiance01 OpenBao is bootstrapped
# (Wave 7). Target state uses in-cluster OpenBao + Kubernetes auth role
# external-secrets-activity-core.
#
# Prereq: Secret external-secrets/openbao-activity-core-eso-token (key: token)
# with a policy-limited OpenBao token that can read
# platform/workloads/issue-core/issue-core/issue-core-runtime (ISSUE_CORE_API_KEY).
# Bootstrap: activity-core scripts/openbao-eso-token-apply.sh
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
@ -8,16 +17,14 @@ metadata:
spec:
provider:
vault:
server: http://openbao.openbao.svc.cluster.local:8200
server: https://bao.coulomb.social
path: platform
version: v2
auth:
kubernetes:
mountPath: kubernetes
role: external-secrets-activity-core
serviceAccountRef:
name: external-secrets
namespace: external-secrets
tokenSecretRef:
name: openbao-activity-core-eso-token
namespace: external-secrets
key: token
conditions:
- namespaces:
- activity-core
- activity-core

View file

@ -40,11 +40,12 @@ secret value ever appears in Git, State Hub, chat, prompts, or shell history.
`secret/issue-core-runtime` in the `issue-core` namespace (ESO will not
recreate it while the lane is down) and restart the issue-core Deployment.
- **`ISSUE_CORE_API_KEY` has a second consumer**: railiance01's
`activity-core/actcore-runtime-secret` holds an operator-injected copy
(2026-07-02, ISSUE-WP-0003-T06). Rotation and compromise response MUST
re-inject the new value there (stdin-only pipe from OpenBao) and restart
`deploy/actcore-worker`, or activity-core emission silently starts failing
with 401s on the next run.
`activity-core/ExternalSecret actcore-issue-core-runtime` merges the key into
`actcore-runtime-secret` (1h refresh). Rotation and compromise response MUST
update OpenBao first, wait for ExternalSecret refresh (or annotate
`force-sync`), then restart `deploy/actcore-worker` and
`deploy/actcore-event-router`, or activity-core emission silently starts
failing with 401s on the next run.
- `GITEA_BACKEND_TOKEN` is a scoped Gitea token for service user
`issue-core-svc`; rotating it means minting a new token in Gitea first,
then updating OpenBao — order matters, or ingestion breaks between steps.

View file

@ -0,0 +1,21 @@
# External Secrets Operator policy for the activity-core namespace.
#
# Covers:
# - llm-connect provider secrets (OPENROUTER_API_KEY)
# - shared issue-core ingestion key for activity-core IssueSink emission
path "platform/data/workloads/activity-core/llm-connect/llm-connect-provider-secrets" {
capabilities = ["read"]
}
path "platform/metadata/workloads/activity-core/llm-connect/llm-connect-provider-secrets" {
capabilities = ["read"]
}
path "platform/data/workloads/issue-core/issue-core/issue-core-runtime" {
capabilities = ["read"]
}
path "platform/metadata/workloads/issue-core/issue-core/issue-core-runtime" {
capabilities = ["read"]
}