Support activity-core ISSUE_CORE_API_KEY ExternalSecret on railiance01
All checks were successful
CI Smoke / host-smoke (push) Successful in 0s
CI Smoke / container-smoke (push) Successful in 3s

Switch openbao-activity-core ClusterSecretStore to interim coulombcore
token auth like forgejo/reuse, broaden the activity-core ESO policy to
include the shared issue-core runtime path, and document ESO-managed rotation.
This commit is contained in:
tegwick 2026-07-08 00:04:59 +02:00
parent a323b7e04d
commit e36694648a
4 changed files with 43 additions and 14 deletions

View file

@ -1,3 +1,12 @@
# Interim: activity-core on railiance01 reads runtime secrets from coulombcore
# OpenBao (https://bao.coulomb.social) until railiance01 OpenBao is bootstrapped
# (Wave 7). Target state uses in-cluster OpenBao + Kubernetes auth role
# external-secrets-activity-core.
#
# Prereq: Secret external-secrets/openbao-activity-core-eso-token (key: token)
# with a policy-limited OpenBao token that can read
# platform/workloads/issue-core/issue-core/issue-core-runtime (ISSUE_CORE_API_KEY).
# Bootstrap: activity-core scripts/openbao-eso-token-apply.sh
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
@ -8,16 +17,14 @@ metadata:
spec:
provider:
vault:
server: http://openbao.openbao.svc.cluster.local:8200
server: https://bao.coulomb.social
path: platform
version: v2
auth:
kubernetes:
mountPath: kubernetes
role: external-secrets-activity-core
serviceAccountRef:
name: external-secrets
namespace: external-secrets
tokenSecretRef:
name: openbao-activity-core-eso-token
namespace: external-secrets
key: token
conditions:
- namespaces:
- activity-core
- activity-core