Support activity-core ISSUE_CORE_API_KEY ExternalSecret on railiance01
All checks were successful
CI Smoke / host-smoke (push) Successful in 0s
CI Smoke / container-smoke (push) Successful in 3s

Switch openbao-activity-core ClusterSecretStore to interim coulombcore
token auth like forgejo/reuse, broaden the activity-core ESO policy to
include the shared issue-core runtime path, and document ESO-managed rotation.
This commit is contained in:
tegwick 2026-07-08 00:04:59 +02:00
parent a323b7e04d
commit e36694648a
4 changed files with 43 additions and 14 deletions

View file

@ -40,11 +40,12 @@ secret value ever appears in Git, State Hub, chat, prompts, or shell history.
`secret/issue-core-runtime` in the `issue-core` namespace (ESO will not
recreate it while the lane is down) and restart the issue-core Deployment.
- **`ISSUE_CORE_API_KEY` has a second consumer**: railiance01's
`activity-core/actcore-runtime-secret` holds an operator-injected copy
(2026-07-02, ISSUE-WP-0003-T06). Rotation and compromise response MUST
re-inject the new value there (stdin-only pipe from OpenBao) and restart
`deploy/actcore-worker`, or activity-core emission silently starts failing
with 401s on the next run.
`activity-core/ExternalSecret actcore-issue-core-runtime` merges the key into
`actcore-runtime-secret` (1h refresh). Rotation and compromise response MUST
update OpenBao first, wait for ExternalSecret refresh (or annotate
`force-sync`), then restart `deploy/actcore-worker` and
`deploy/actcore-event-router`, or activity-core emission silently starts
failing with 401s on the next run.
- `GITEA_BACKEND_TOKEN` is a scoped Gitea token for service user
`issue-core-svc`; rotating it means minting a new token in Gitea first,
then updating OpenBao — order matters, or ingestion breaks between steps.