Support activity-core ISSUE_CORE_API_KEY ExternalSecret on railiance01
Switch openbao-activity-core ClusterSecretStore to interim coulombcore token auth like forgejo/reuse, broaden the activity-core ESO policy to include the shared issue-core runtime path, and document ESO-managed rotation.
This commit is contained in:
parent
a323b7e04d
commit
e36694648a
4 changed files with 43 additions and 14 deletions
|
|
@ -1,3 +1,12 @@
|
|||
# Interim: activity-core on railiance01 reads runtime secrets from coulombcore
|
||||
# OpenBao (https://bao.coulomb.social) until railiance01 OpenBao is bootstrapped
|
||||
# (Wave 7). Target state uses in-cluster OpenBao + Kubernetes auth role
|
||||
# external-secrets-activity-core.
|
||||
#
|
||||
# Prereq: Secret external-secrets/openbao-activity-core-eso-token (key: token)
|
||||
# with a policy-limited OpenBao token that can read
|
||||
# platform/workloads/issue-core/issue-core/issue-core-runtime (ISSUE_CORE_API_KEY).
|
||||
# Bootstrap: activity-core scripts/openbao-eso-token-apply.sh
|
||||
apiVersion: external-secrets.io/v1beta1
|
||||
kind: ClusterSecretStore
|
||||
metadata:
|
||||
|
|
@ -8,16 +17,14 @@ metadata:
|
|||
spec:
|
||||
provider:
|
||||
vault:
|
||||
server: http://openbao.openbao.svc.cluster.local:8200
|
||||
server: https://bao.coulomb.social
|
||||
path: platform
|
||||
version: v2
|
||||
auth:
|
||||
kubernetes:
|
||||
mountPath: kubernetes
|
||||
role: external-secrets-activity-core
|
||||
serviceAccountRef:
|
||||
name: external-secrets
|
||||
namespace: external-secrets
|
||||
tokenSecretRef:
|
||||
name: openbao-activity-core-eso-token
|
||||
namespace: external-secrets
|
||||
key: token
|
||||
conditions:
|
||||
- namespaces:
|
||||
- activity-core
|
||||
- activity-core
|
||||
Loading…
Add table
Add a link
Reference in a new issue