Support activity-core ISSUE_CORE_API_KEY ExternalSecret on railiance01
Switch openbao-activity-core ClusterSecretStore to interim coulombcore token auth like forgejo/reuse, broaden the activity-core ESO policy to include the shared issue-core runtime path, and document ESO-managed rotation.
This commit is contained in:
parent
a323b7e04d
commit
e36694648a
4 changed files with 43 additions and 14 deletions
2
Makefile
2
Makefile
|
|
@ -191,7 +191,7 @@ openbao-configure-external-secrets-issue-core: ## Configure OpenBao policy/role
|
||||||
scripts/openbao-apply-external-secrets-issue-core.sh
|
scripts/openbao-apply-external-secrets-issue-core.sh
|
||||||
|
|
||||||
openbao-configure-external-secrets-activity-core: ## Configure OpenBao policy/role for activity-core ESO lane
|
openbao-configure-external-secrets-activity-core: ## Configure OpenBao policy/role for activity-core ESO lane
|
||||||
KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) OPENBAO_RELEASE=$(OPENBAO_RELEASE) ESO_NAMESPACE=$(EXTERNAL_SECRETS_NAMESPACE) OPENBAO_ESO_ROLE=external-secrets-activity-core OPENBAO_ESO_POLICY=workload-kv-read-llm-connect-provider-secrets POLICY_FILE='$(CURDIR)/openbao/policies/workload-kv-read-llm-connect-provider-secrets.hcl' scripts/openbao-apply-external-secrets-issue-core.sh
|
KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) OPENBAO_RELEASE=$(OPENBAO_RELEASE) ESO_NAMESPACE=$(EXTERNAL_SECRETS_NAMESPACE) OPENBAO_ESO_ROLE=external-secrets-activity-core OPENBAO_ESO_POLICY=external-secrets-activity-core POLICY_FILE='$(CURDIR)/openbao/policies/external-secrets-activity-core.hcl' OPENBAO_ESO_NEXT_PATH=platform/workloads/issue-core/issue-core/issue-core-runtime OPENBAO_ESO_NEXT_FIELDS=ISSUE_CORE_API_KEY OPENBAO_ESO_NEXT_TARGET=ExternalSecret/activity-core/actcore-issue-core-runtime scripts/openbao-apply-external-secrets-issue-core.sh
|
||||||
|
|
||||||
openbao-configure-external-secrets-forgejo: ## Configure OpenBao policy/role for Forgejo mailer ESO lane
|
openbao-configure-external-secrets-forgejo: ## Configure OpenBao policy/role for Forgejo mailer ESO lane
|
||||||
KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) \
|
KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) \
|
||||||
|
|
|
||||||
|
|
@ -1,3 +1,12 @@
|
||||||
|
# Interim: activity-core on railiance01 reads runtime secrets from coulombcore
|
||||||
|
# OpenBao (https://bao.coulomb.social) until railiance01 OpenBao is bootstrapped
|
||||||
|
# (Wave 7). Target state uses in-cluster OpenBao + Kubernetes auth role
|
||||||
|
# external-secrets-activity-core.
|
||||||
|
#
|
||||||
|
# Prereq: Secret external-secrets/openbao-activity-core-eso-token (key: token)
|
||||||
|
# with a policy-limited OpenBao token that can read
|
||||||
|
# platform/workloads/issue-core/issue-core/issue-core-runtime (ISSUE_CORE_API_KEY).
|
||||||
|
# Bootstrap: activity-core scripts/openbao-eso-token-apply.sh
|
||||||
apiVersion: external-secrets.io/v1beta1
|
apiVersion: external-secrets.io/v1beta1
|
||||||
kind: ClusterSecretStore
|
kind: ClusterSecretStore
|
||||||
metadata:
|
metadata:
|
||||||
|
|
@ -8,16 +17,14 @@ metadata:
|
||||||
spec:
|
spec:
|
||||||
provider:
|
provider:
|
||||||
vault:
|
vault:
|
||||||
server: http://openbao.openbao.svc.cluster.local:8200
|
server: https://bao.coulomb.social
|
||||||
path: platform
|
path: platform
|
||||||
version: v2
|
version: v2
|
||||||
auth:
|
auth:
|
||||||
kubernetes:
|
tokenSecretRef:
|
||||||
mountPath: kubernetes
|
name: openbao-activity-core-eso-token
|
||||||
role: external-secrets-activity-core
|
|
||||||
serviceAccountRef:
|
|
||||||
name: external-secrets
|
|
||||||
namespace: external-secrets
|
namespace: external-secrets
|
||||||
|
key: token
|
||||||
conditions:
|
conditions:
|
||||||
- namespaces:
|
- namespaces:
|
||||||
- activity-core
|
- activity-core
|
||||||
|
|
@ -40,11 +40,12 @@ secret value ever appears in Git, State Hub, chat, prompts, or shell history.
|
||||||
`secret/issue-core-runtime` in the `issue-core` namespace (ESO will not
|
`secret/issue-core-runtime` in the `issue-core` namespace (ESO will not
|
||||||
recreate it while the lane is down) and restart the issue-core Deployment.
|
recreate it while the lane is down) and restart the issue-core Deployment.
|
||||||
- **`ISSUE_CORE_API_KEY` has a second consumer**: railiance01's
|
- **`ISSUE_CORE_API_KEY` has a second consumer**: railiance01's
|
||||||
`activity-core/actcore-runtime-secret` holds an operator-injected copy
|
`activity-core/ExternalSecret actcore-issue-core-runtime` merges the key into
|
||||||
(2026-07-02, ISSUE-WP-0003-T06). Rotation and compromise response MUST
|
`actcore-runtime-secret` (1h refresh). Rotation and compromise response MUST
|
||||||
re-inject the new value there (stdin-only pipe from OpenBao) and restart
|
update OpenBao first, wait for ExternalSecret refresh (or annotate
|
||||||
`deploy/actcore-worker`, or activity-core emission silently starts failing
|
`force-sync`), then restart `deploy/actcore-worker` and
|
||||||
with 401s on the next run.
|
`deploy/actcore-event-router`, or activity-core emission silently starts
|
||||||
|
failing with 401s on the next run.
|
||||||
- `GITEA_BACKEND_TOKEN` is a scoped Gitea token for service user
|
- `GITEA_BACKEND_TOKEN` is a scoped Gitea token for service user
|
||||||
`issue-core-svc`; rotating it means minting a new token in Gitea first,
|
`issue-core-svc`; rotating it means minting a new token in Gitea first,
|
||||||
then updating OpenBao — order matters, or ingestion breaks between steps.
|
then updating OpenBao — order matters, or ingestion breaks between steps.
|
||||||
|
|
|
||||||
21
openbao/policies/external-secrets-activity-core.hcl
Normal file
21
openbao/policies/external-secrets-activity-core.hcl
Normal file
|
|
@ -0,0 +1,21 @@
|
||||||
|
# External Secrets Operator policy for the activity-core namespace.
|
||||||
|
#
|
||||||
|
# Covers:
|
||||||
|
# - llm-connect provider secrets (OPENROUTER_API_KEY)
|
||||||
|
# - shared issue-core ingestion key for activity-core IssueSink emission
|
||||||
|
|
||||||
|
path "platform/data/workloads/activity-core/llm-connect/llm-connect-provider-secrets" {
|
||||||
|
capabilities = ["read"]
|
||||||
|
}
|
||||||
|
|
||||||
|
path "platform/metadata/workloads/activity-core/llm-connect/llm-connect-provider-secrets" {
|
||||||
|
capabilities = ["read"]
|
||||||
|
}
|
||||||
|
|
||||||
|
path "platform/data/workloads/issue-core/issue-core/issue-core-runtime" {
|
||||||
|
capabilities = ["read"]
|
||||||
|
}
|
||||||
|
|
||||||
|
path "platform/metadata/workloads/issue-core/issue-core/issue-core-runtime" {
|
||||||
|
capabilities = ["read"]
|
||||||
|
}
|
||||||
Loading…
Add table
Add a link
Reference in a new issue