Support activity-core ISSUE_CORE_API_KEY ExternalSecret on railiance01
All checks were successful
CI Smoke / host-smoke (push) Successful in 0s
CI Smoke / container-smoke (push) Successful in 3s

Switch openbao-activity-core ClusterSecretStore to interim coulombcore
token auth like forgejo/reuse, broaden the activity-core ESO policy to
include the shared issue-core runtime path, and document ESO-managed rotation.
This commit is contained in:
tegwick 2026-07-08 00:04:59 +02:00
parent a323b7e04d
commit e36694648a
4 changed files with 43 additions and 14 deletions

View file

@ -191,7 +191,7 @@ openbao-configure-external-secrets-issue-core: ## Configure OpenBao policy/role
scripts/openbao-apply-external-secrets-issue-core.sh scripts/openbao-apply-external-secrets-issue-core.sh
openbao-configure-external-secrets-activity-core: ## Configure OpenBao policy/role for activity-core ESO lane openbao-configure-external-secrets-activity-core: ## Configure OpenBao policy/role for activity-core ESO lane
KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) OPENBAO_RELEASE=$(OPENBAO_RELEASE) ESO_NAMESPACE=$(EXTERNAL_SECRETS_NAMESPACE) OPENBAO_ESO_ROLE=external-secrets-activity-core OPENBAO_ESO_POLICY=workload-kv-read-llm-connect-provider-secrets POLICY_FILE='$(CURDIR)/openbao/policies/workload-kv-read-llm-connect-provider-secrets.hcl' scripts/openbao-apply-external-secrets-issue-core.sh KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) OPENBAO_RELEASE=$(OPENBAO_RELEASE) ESO_NAMESPACE=$(EXTERNAL_SECRETS_NAMESPACE) OPENBAO_ESO_ROLE=external-secrets-activity-core OPENBAO_ESO_POLICY=external-secrets-activity-core POLICY_FILE='$(CURDIR)/openbao/policies/external-secrets-activity-core.hcl' OPENBAO_ESO_NEXT_PATH=platform/workloads/issue-core/issue-core/issue-core-runtime OPENBAO_ESO_NEXT_FIELDS=ISSUE_CORE_API_KEY OPENBAO_ESO_NEXT_TARGET=ExternalSecret/activity-core/actcore-issue-core-runtime scripts/openbao-apply-external-secrets-issue-core.sh
openbao-configure-external-secrets-forgejo: ## Configure OpenBao policy/role for Forgejo mailer ESO lane openbao-configure-external-secrets-forgejo: ## Configure OpenBao policy/role for Forgejo mailer ESO lane
KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) \ KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) \

View file

@ -1,3 +1,12 @@
# Interim: activity-core on railiance01 reads runtime secrets from coulombcore
# OpenBao (https://bao.coulomb.social) until railiance01 OpenBao is bootstrapped
# (Wave 7). Target state uses in-cluster OpenBao + Kubernetes auth role
# external-secrets-activity-core.
#
# Prereq: Secret external-secrets/openbao-activity-core-eso-token (key: token)
# with a policy-limited OpenBao token that can read
# platform/workloads/issue-core/issue-core/issue-core-runtime (ISSUE_CORE_API_KEY).
# Bootstrap: activity-core scripts/openbao-eso-token-apply.sh
apiVersion: external-secrets.io/v1beta1 apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore kind: ClusterSecretStore
metadata: metadata:
@ -8,16 +17,14 @@ metadata:
spec: spec:
provider: provider:
vault: vault:
server: http://openbao.openbao.svc.cluster.local:8200 server: https://bao.coulomb.social
path: platform path: platform
version: v2 version: v2
auth: auth:
kubernetes: tokenSecretRef:
mountPath: kubernetes name: openbao-activity-core-eso-token
role: external-secrets-activity-core
serviceAccountRef:
name: external-secrets
namespace: external-secrets namespace: external-secrets
key: token
conditions: conditions:
- namespaces: - namespaces:
- activity-core - activity-core

View file

@ -40,11 +40,12 @@ secret value ever appears in Git, State Hub, chat, prompts, or shell history.
`secret/issue-core-runtime` in the `issue-core` namespace (ESO will not `secret/issue-core-runtime` in the `issue-core` namespace (ESO will not
recreate it while the lane is down) and restart the issue-core Deployment. recreate it while the lane is down) and restart the issue-core Deployment.
- **`ISSUE_CORE_API_KEY` has a second consumer**: railiance01's - **`ISSUE_CORE_API_KEY` has a second consumer**: railiance01's
`activity-core/actcore-runtime-secret` holds an operator-injected copy `activity-core/ExternalSecret actcore-issue-core-runtime` merges the key into
(2026-07-02, ISSUE-WP-0003-T06). Rotation and compromise response MUST `actcore-runtime-secret` (1h refresh). Rotation and compromise response MUST
re-inject the new value there (stdin-only pipe from OpenBao) and restart update OpenBao first, wait for ExternalSecret refresh (or annotate
`deploy/actcore-worker`, or activity-core emission silently starts failing `force-sync`), then restart `deploy/actcore-worker` and
with 401s on the next run. `deploy/actcore-event-router`, or activity-core emission silently starts
failing with 401s on the next run.
- `GITEA_BACKEND_TOKEN` is a scoped Gitea token for service user - `GITEA_BACKEND_TOKEN` is a scoped Gitea token for service user
`issue-core-svc`; rotating it means minting a new token in Gitea first, `issue-core-svc`; rotating it means minting a new token in Gitea first,
then updating OpenBao — order matters, or ingestion breaks between steps. then updating OpenBao — order matters, or ingestion breaks between steps.

View file

@ -0,0 +1,21 @@
# External Secrets Operator policy for the activity-core namespace.
#
# Covers:
# - llm-connect provider secrets (OPENROUTER_API_KEY)
# - shared issue-core ingestion key for activity-core IssueSink emission
path "platform/data/workloads/activity-core/llm-connect/llm-connect-provider-secrets" {
capabilities = ["read"]
}
path "platform/metadata/workloads/activity-core/llm-connect/llm-connect-provider-secrets" {
capabilities = ["read"]
}
path "platform/data/workloads/issue-core/issue-core/issue-core-runtime" {
capabilities = ["read"]
}
path "platform/metadata/workloads/issue-core/issue-core/issue-core-runtime" {
capabilities = ["read"]
}