Correct whynot credential tenant path

This commit is contained in:
tegwick 2026-06-28 01:00:12 +02:00
parent ad47a136f7
commit eb24e04b71
10 changed files with 67 additions and 48 deletions

View file

@ -52,11 +52,10 @@ whynot-design.
## Proposed Contract
Use the existing workload convention documented in `docs/openbao.md` and
`docs/argocd-gitops.md`:
Use the workload credential convention documented in `docs/openbao.md`:
```text
platform/workloads/<namespace>/<service-account>/<secret-name>
platform/workloads/<tenant-or-org>/<workload>/<secret-purpose>
```
For this lane, the proposed non-secret contract is:
@ -64,9 +63,11 @@ For this lane, the proposed non-secret contract is:
| Item | Proposed value |
| --- | --- |
| KV mount | `platform` |
| CLI path | `platform/workloads/whynot-design/whynot-design/npm-publish` |
| KV-v2 policy data path | `platform/data/workloads/whynot-design/whynot-design/npm-publish` |
| KV-v2 policy metadata path | `platform/metadata/workloads/whynot-design/whynot-design/npm-publish` |
| Tenant/org | `coulomb` |
| Workload/project | `whynot-design` |
| CLI path | `platform/workloads/coulomb/whynot-design/npm-publish` |
| KV-v2 policy data path | `platform/data/workloads/coulomb/whynot-design/npm-publish` |
| KV-v2 policy metadata path | `platform/metadata/workloads/coulomb/whynot-design/npm-publish` |
| Secret field | `NPM_AUTH_TOKEN` |
| OpenBao read policy | `workload-kv-read-whynot-design-npm-publish` |
| OIDC auth mount | `netkingdom` unless KeyCape compatibility requires `keycape` |
@ -78,7 +79,7 @@ The expected caller-facing read shape is:
```bash
bao login -method=oidc -path=netkingdom role=whynot-design-workload-kv-read
bao kv get -field=NPM_AUTH_TOKEN platform/workloads/whynot-design/whynot-design/npm-publish
bao kv get -field=NPM_AUTH_TOKEN platform/workloads/coulomb/whynot-design/npm-publish
```
The command shape is illustrative only. Verification must avoid printing the
@ -109,7 +110,7 @@ Acceptance:
ops-warden signing smoke.
**2026-06-27:** Reviewed the unread ops-warden request and existing
`platform/workloads/<namespace>/<service-account>/<secret-name>` convention.
`platform/workloads/<tenant-or-org>/<workload>/<secret-purpose>` convention.
Captured the proposed `whynot-design` npm publish lane above with no secret
values.
@ -129,7 +130,7 @@ the selected `npm-publish` path.
Acceptance:
- A policy file under `openbao/policies/` defines read access to the exact
`platform/data/workloads/whynot-design/whynot-design/npm-publish` path.
`platform/data/workloads/coulomb/whynot-design/npm-publish` path.
- Metadata/list capabilities are only as broad as needed for the caller and
ops-warden fetch UX.
- The policy grants no write, delete, patch, sudo, auth, or unrelated workload
@ -140,7 +141,7 @@ Acceptance:
**2026-06-27:** Added the concrete policy artifact at
`openbao/policies/workload-kv-read-whynot-design-npm-publish.hcl`. It grants
only `read` on the exact KV-v2 data and metadata paths for
`platform/workloads/whynot-design/whynot-design/npm-publish`; it does not grant
`platform/workloads/coulomb/whynot-design/npm-publish`; it does not grant
write/delete/list/sudo/auth or sibling workload access. Added
`scripts/openbao-apply-workload-kv-lanes.sh`,
`make openbao-workload-kv-lanes-dry-run`, and
@ -195,7 +196,7 @@ publish token.
Acceptance:
- The path exists at
`platform/workloads/whynot-design/whynot-design/npm-publish`.
`platform/workloads/coulomb/whynot-design/npm-publish`.
- The field is named exactly `NPM_AUTH_TOKEN`.
- The token value is entered through an approved operator/OpenBao path and is
never written to Git, State Hub, chat, prompts, shell history, or workplan