Correct whynot credential tenant path
parent ad47a136f7
commit eb24e04b71
10 changed files with 67 additions and 48 deletions
@ -123,12 +123,16 @@ Kubernetes workloads, use External Secrets Operator to materialize OpenBao
values as Kubernetes Secrets. Do not use the OpenBao injector in the current
deployment.
Runtime path convention:
Runtime path convention for workload credential custody:
```text
platform/workloads/<namespace>/<service-account>/<secret-name>
platform/workloads/<tenant-or-org>/<workload>/<secret-purpose>
```
Kubernetes namespace and service-account bounds belong in the auth role or
External Secrets binding unless the namespace is itself the approved workload
identity.
ArgoCD repository credentials are operator credentials, not workload secrets,
and should live under:
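Review bot: the ArgoCD paragraph ends at "and should live under:" with no path following it in the visible part of the hunk; confirm the committed file carries the actual path (or a fenced block, matching the one used for the workload convention above) so the location of operator credentials is not left unstated. Two smaller points on the same hunk: moving `<namespace>/<service-account>` out of the path means the namespace and service-account bounds are now enforced only by the auth role or the External Secrets binding, so the sentence "unless the namespace is itself the approved workload identity" should say where that approval is recorded and who grants it, otherwise a reviewer cannot tell an approved exception from a binding that simply omits the bound; and the new placeholders `<tenant-or-org>`, `<workload>` and `<secret-purpose>` would benefit from one concrete example line beneath the fenced block, since "secret-purpose" is less self-explanatory than the "secret-name" it replaces.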