id: CCR-2026-0005 kind: credential-change-request schema_version: 1 request_type: workload-kv-read title: reuse-surface runtime secrets lane status: active created: '2026-07-07' updated: '2026-07-07' requester: agent: grok reason: Promote reuse-surface hub runtime secrets from bootstrap Kubernetes Secret custody to OpenBao workload KV per RAILIANCE-WP-0011-T01. review: required: true required_approvers: - platform-operator - reuse-surface-owner comments: - at: '2026-07-07T20:15:00+00:00' reviewer: codex decision: metadata_review_binding_confirmed_pending_owner_approval comment: 'Live Railiance01 metadata on 2026-07-07 confirms namespace reuse exists; Deployment reuse-surface consumes envFrom secretRef reuse-surface-env (default service account). Secret reuse-surface-env holds REUSE_SURFACE_TOKEN and REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET. External Secrets operator service account external-secrets/external-secrets exists. No ExternalSecret in reuse yet; ClusterSecretStore openbao-forgejo is the interim reference pattern on this cluster (token auth to https://bao.coulomb.social). Proposed Railiance01 interim delivery mirrors forgejo-mailer: periodic OpenBao token with policy workload-kv-read-reuse-surface-runtime stored in external-secrets/openbao-reuse-eso-token, ClusterSecretStore openbao-reuse namespace-limited to reuse, ExternalSecret reuse/reuse-surface-runtime targeting Secret reuse-surface-env. Forgejo org webhook id=1 on coulomb is live and must stay aligned with REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET on rotation. Keep CCR status proposed until platform-operator and reuse-surface-owner approval.' - at: '2026-07-07T20:31:05+00:00' reviewer: bernd.worsch decision: approved comment: 'Approved in chat acting as platform-operator and reuse-surface-owner: promote reuse-surface runtime secrets to OpenBao workload KV with Railiance01 interim ESO delivery per CCR-2026-0005.' target: domain: financials tenant: reuse workload: reuse-surface environment: production purpose: reuse-surface federation hub runtime secrets through OpenBao workload KV and External Secrets openbao: mount: platform kv_path: platform/workloads/reuse/reuse-surface/runtime-secrets fields: - REUSE_SURFACE_TOKEN - REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET policy_name: workload-kv-read-reuse-surface-runtime policy_file: openbao/policies/workload-kv-read-reuse-surface-runtime.hcl auth: method: kubernetes mount: kubernetes role: external-secrets-reuse-surface bound_claims: service_account_names: - external-secrets service_account_namespaces: - external-secrets bound_claims_confirmed: true policies: - workload-kv-read-reuse-surface-runtime ttl: 15m access_frontdoor: type: ops-warden catalog_id: reuse-surface-hub-write-token selector: reuse-surface federation hub write bearer token command: warden access reuse-surface-hub-write-token --fetch REUSE_SURFACE_TOKEN resolvable: true readiness: ready activation: verified-positive-and-negative-access-frontdoor-active-2026-07-07 delivery: surface: external-secrets target: ExternalSecret reuse/reuse-surface-runtime -> Secret reuse-surface-env in the reuse namespace on Railiance01; interim ClusterSecretStore openbao-reuse (token auth to coulombcore OpenBao, namespace-limited to reuse) until railiance01-local OpenBao Wave 7 bootstrap risk: classification: high notes: - REUSE_SURFACE_TOKEN grants authenticated writes to the production federation hub at https://reuse.coulomb.social. - "REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET is a dual-consumer HMAC \u2014 the hub pod\ \ and the Forgejo org webhook must share the same value; rotation requires railiance-apps\ \ make reuse-forgejo-webhook after ESO sync." - "Railiance01 interim delivery uses a policy-limited periodic OpenBao token in\ \ external-secrets/openbao-reuse-eso-token, mirroring the forgejo-mailer lane\ \ \u2014 not the kubernetes auth role until coulombcore kubernetes auth covers\ \ this cluster or railiance01 OpenBao is bootstrapped." - ops-warden must proxy reads as the caller and must not retain token values. verification: positive: - ExternalSecret reuse/reuse-surface-runtime is Ready=True and syncs both fields to Secret reuse-surface-env without printing values. - reuse-surface Deployment rolls cleanly and hub write plus signed webhook POST succeed after migration. negative: - A namespace outside the approved ClusterSecretStore condition cannot use openbao-reuse to read the path. - A periodic token without workload-kv-read-reuse-surface-runtime cannot read the KV path. activation_conditions: - Policy applied on coulombcore OpenBao with platform-admin/operator authority. - Secret values seeded from the existing reuse-surface-env cluster Secret through approved operator custody (values never logged). - Railiance01 ClusterSecretStore openbao-reuse and ExternalSecret deployed. - Positive and negative verification recorded with non-secret audit ids or timestamps. - ops-warden catalog handoff migrated from kubectl to bao kv get (RAILIANCE-WP-0011-T03). evidence: - at: '2026-07-07T20:31:17+00:00' actor: bernd.worsch kind: delegated_metadata_apply result: passed details: - Delegated metadata applier ran as bernd.worsch using local bao CLI ambient authority. - 'Policy metadata write: sys/policies/acl/workload-kv-read-reuse-surface-runtime' - 'Auth role metadata write: auth/kubernetes/role/external-secrets-reuse-surface' - No secret values were read, written, printed, or accepted in argv. - at: '2026-07-07T20:33:52+00:00' actor: bernd.worsch kind: secret_provisioned result: passed details: - Seeded platform/workloads/reuse/reuse-surface/runtime-secrets from live reuse/reuse-surface-env; field presence confirmed without printing values (KV version 1) - at: '2026-07-07T20:33:54+00:00' actor: bernd.worsch kind: positive_verification result: passed details: - ExternalSecret reuse/reuse-surface-runtime Ready=True SecretSynced 2026-07-07T20:33:17Z; hub /v1/federated 200 (61 capabilities); signed webhook POST 200 - at: '2026-07-07T20:33:55+00:00' actor: bernd.worsch kind: negative_verification result: passed details: - default-policy OpenBao token denied on platform/workloads/reuse/reuse-surface/runtime-secrets (HTTP permission denied) - at: '2026-07-07T20:38:32+00:00' actor: bernd.worsch kind: frontdoor_activation result: passed details: - ops-warden catalog reuse-surface-hub-write-token migrated to bao kv get handoff; resolvable=true; playbook and workload-kv-access-lanes updated (RAILIANCE-WP-0011-T03) lifecycle: deactivate: Disable ops-warden catalog entry, remove ExternalSecret, and detach auth role policy; delete materialized reuse-surface-env only after confirming workload decommission or break-glass fallback. rotate: Replace field values directly in OpenBao, wait for ESO refresh, rollout reuse-surface, then run make reuse-forgejo-webhook when rotating the webhook HMAC. compromised: Immediately deactivate access front door, rotate both fields, re-sync Forgejo org webhook, record blast-radius notes, and open incident follow-up tasks. state_hub: workplan_id: RAILIANCE-WP-0011 task_id: RAILIANCE-WP-0011-T01