diff --git a/Makefile b/Makefile index 72087ee..40b971d 100644 --- a/Makefile +++ b/Makefile @@ -191,7 +191,7 @@ openbao-configure-external-secrets-issue-core: ## Configure OpenBao policy/role scripts/openbao-apply-external-secrets-issue-core.sh openbao-configure-external-secrets-activity-core: ## Configure OpenBao policy/role for activity-core ESO lane - KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) OPENBAO_RELEASE=$(OPENBAO_RELEASE) ESO_NAMESPACE=$(EXTERNAL_SECRETS_NAMESPACE) OPENBAO_ESO_ROLE=external-secrets-activity-core OPENBAO_ESO_POLICY=workload-kv-read-llm-connect-provider-secrets POLICY_FILE='$(CURDIR)/openbao/policies/workload-kv-read-llm-connect-provider-secrets.hcl' scripts/openbao-apply-external-secrets-issue-core.sh + KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) OPENBAO_RELEASE=$(OPENBAO_RELEASE) ESO_NAMESPACE=$(EXTERNAL_SECRETS_NAMESPACE) OPENBAO_ESO_ROLE=external-secrets-activity-core OPENBAO_ESO_POLICY=external-secrets-activity-core POLICY_FILE='$(CURDIR)/openbao/policies/external-secrets-activity-core.hcl' OPENBAO_ESO_NEXT_PATH=platform/workloads/issue-core/issue-core/issue-core-runtime OPENBAO_ESO_NEXT_FIELDS=ISSUE_CORE_API_KEY OPENBAO_ESO_NEXT_TARGET=ExternalSecret/activity-core/actcore-issue-core-runtime scripts/openbao-apply-external-secrets-issue-core.sh openbao-configure-external-secrets-forgejo: ## Configure OpenBao policy/role for Forgejo mailer ESO lane KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) \ diff --git a/argocd/platform-addons/openbao-secretstore/openbao-activity-core.clustersecretstore.yaml b/argocd/platform-addons/openbao-secretstore/openbao-activity-core.clustersecretstore.yaml index a9def5e..144c818 100644 --- a/argocd/platform-addons/openbao-secretstore/openbao-activity-core.clustersecretstore.yaml +++ b/argocd/platform-addons/openbao-secretstore/openbao-activity-core.clustersecretstore.yaml @@ -1,3 +1,12 @@ +# Interim: activity-core on railiance01 reads runtime secrets from coulombcore +# OpenBao (https://bao.coulomb.social) until railiance01 OpenBao is bootstrapped +# (Wave 7). Target state uses in-cluster OpenBao + Kubernetes auth role +# external-secrets-activity-core. +# +# Prereq: Secret external-secrets/openbao-activity-core-eso-token (key: token) +# with a policy-limited OpenBao token that can read +# platform/workloads/issue-core/issue-core/issue-core-runtime (ISSUE_CORE_API_KEY). +# Bootstrap: activity-core scripts/openbao-eso-token-apply.sh apiVersion: external-secrets.io/v1beta1 kind: ClusterSecretStore metadata: @@ -8,16 +17,14 @@ metadata: spec: provider: vault: - server: http://openbao.openbao.svc.cluster.local:8200 + server: https://bao.coulomb.social path: platform version: v2 auth: - kubernetes: - mountPath: kubernetes - role: external-secrets-activity-core - serviceAccountRef: - name: external-secrets - namespace: external-secrets + tokenSecretRef: + name: openbao-activity-core-eso-token + namespace: external-secrets + key: token conditions: - namespaces: - - activity-core + - activity-core \ No newline at end of file diff --git a/docs/credential-lane-lifecycle-runbook.md b/docs/credential-lane-lifecycle-runbook.md index a661b6e..38647f2 100644 --- a/docs/credential-lane-lifecycle-runbook.md +++ b/docs/credential-lane-lifecycle-runbook.md @@ -40,11 +40,12 @@ secret value ever appears in Git, State Hub, chat, prompts, or shell history. `secret/issue-core-runtime` in the `issue-core` namespace (ESO will not recreate it while the lane is down) and restart the issue-core Deployment. - **`ISSUE_CORE_API_KEY` has a second consumer**: railiance01's - `activity-core/actcore-runtime-secret` holds an operator-injected copy - (2026-07-02, ISSUE-WP-0003-T06). Rotation and compromise response MUST - re-inject the new value there (stdin-only pipe from OpenBao) and restart - `deploy/actcore-worker`, or activity-core emission silently starts failing - with 401s on the next run. + `activity-core/ExternalSecret actcore-issue-core-runtime` merges the key into + `actcore-runtime-secret` (1h refresh). Rotation and compromise response MUST + update OpenBao first, wait for ExternalSecret refresh (or annotate + `force-sync`), then restart `deploy/actcore-worker` and + `deploy/actcore-event-router`, or activity-core emission silently starts + failing with 401s on the next run. - `GITEA_BACKEND_TOKEN` is a scoped Gitea token for service user `issue-core-svc`; rotating it means minting a new token in Gitea first, then updating OpenBao — order matters, or ingestion breaks between steps. diff --git a/openbao/policies/external-secrets-activity-core.hcl b/openbao/policies/external-secrets-activity-core.hcl new file mode 100644 index 0000000..8e29ec9 --- /dev/null +++ b/openbao/policies/external-secrets-activity-core.hcl @@ -0,0 +1,21 @@ +# External Secrets Operator policy for the activity-core namespace. +# +# Covers: +# - llm-connect provider secrets (OPENROUTER_API_KEY) +# - shared issue-core ingestion key for activity-core IssueSink emission + +path "platform/data/workloads/activity-core/llm-connect/llm-connect-provider-secrets" { + capabilities = ["read"] +} + +path "platform/metadata/workloads/activity-core/llm-connect/llm-connect-provider-secrets" { + capabilities = ["read"] +} + +path "platform/data/workloads/issue-core/issue-core/issue-core-runtime" { + capabilities = ["read"] +} + +path "platform/metadata/workloads/issue-core/issue-core/issue-core-runtime" { + capabilities = ["read"] +} \ No newline at end of file