RAILIANCE-WP-0011 plans migration of REUSE_SURFACE_TOKEN and REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET from bootstrap K8s Secret custody to OpenBao KV plus External Secrets, following the issue-core lane pattern.
4 KiB
| id | type | title | domain | repo | status | owner | topic_slug | created | updated | depends_on_workplans | related_repos | |||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| RAILIANCE-WP-0011 | workplan | reuse-surface Runtime Secrets OpenBao Lane | financials | railiance-platform | backlog | codex | railiance | 2026-07-07 | 2026-07-07 |
|
|
RAILIANCE-WP-0011 — reuse-surface Runtime Secrets OpenBao Lane
Goal
Promote reuse-surface hub runtime secrets from bootstrap Kubernetes Secret custody to a reviewed OpenBao workload KV lane delivered by External Secrets Operator, matching the platform pattern used by issue-core, OpenRouter, and Forgejo mailer.
Today both secrets live in reuse/reuse-surface-env on Railiance01:
| Field | Consumer |
|---|---|
REUSE_SURFACE_TOKEN |
Hub write API; operators via warden access / kubectl |
REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET |
Hub webhook receiver; Forgejo org webhook HMAC |
Functional custody in K8s is sufficient for production today (live since 2026-07-07). This workplan is hygiene and standardization, not a blocker.
No task may paste, commit, log, or send secret values through Git, State Hub, chat, prompts, shell history, or workplan text.
Proposed contract
| Item | Proposed value |
|---|---|
| Tenant/org | reuse |
| Workload | reuse-surface |
| KV mount | platform |
| OpenBao CLI path | platform/workloads/reuse/reuse-surface/runtime-secrets |
| Secret fields | REUSE_SURFACE_TOKEN, REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET |
| Read policy | workload-kv-read-reuse-surface-runtime (name TBD at CCR) |
| K8s auth role | external-secrets-reuse-surface (name TBD at CCR) |
| ExternalSecret | reuse/reuse-surface-runtime → target Secret reuse-surface-env |
| ops-warden catalog | migrate reuse-surface-hub-write-token handoff to Bao path |
Dual-consumer note: Forgejo org webhook must be updated whenever the webhook
HMAC rotates — document in railiance-apps/docs/reuse-surface-on-railiance01.md
and keep make reuse-forgejo-webhook idempotent.
Draft OpenBao + ESO Lane
id: RAILIANCE-WP-0011-T01
status: todo
priority: medium
- Draft CCR for the lane (path, fields, policy, k8s role, ESO target)
- Align with
docs/openbao.mdpath convention anddocs/credential-lane-lifecycle-runbook.md - Negative review: no secret values in CCR or workplan text
Platform Apply And Verification
id: RAILIANCE-WP-0011-T02
status: wait
priority: medium
Blocked on T01 approval.
- Apply OpenBao policy + Kubernetes auth role (mirror forgejo-mailer / issue-core scripts)
- Seed path from existing cluster Secret (one-time operator step; value never logged)
- Add
manifests/reuse-surface-runtime-externalsecret.yamlinrailiance-apps - Verify ExternalSecret
SecretSyncedand pod env injection after rollout - Record non-secret audit evidence (positive + negative reads)
Consumer Handoff And Catalog Migration
id: RAILIANCE-WP-0011-T03
status: wait
priority: low
Blocked on T02 verification.
- Update
railiance-apps/docs/reuse-surface-on-railiance01.mdcustody section - Update ops-warden
reuse-surface-hub-write-tokenplaybook + routing catalog (fetch_command→bao kv get -field=...) - Add lane to
docs/workload-kv-access-lanes.md - Deprecate direct kubectl fetch as primary handoff (keep as break-glass note)
Forgejo Webhook Rotation Runbook
id: RAILIANCE-WP-0011-T04
status: wait
priority: low
Blocked on T02.
- Document rotation: update OpenBao field → ESO sync → rollout →
make reuse-forgejo-webhook(updates org hook secret) - Add smoke: signed webhook POST returns 200/accepted or expected no-op
Acceptance
- Both fields readable from
platform/workloads/reuse/reuse-surface/runtime-secrets - ESO owns
reuse-surface-env; manualkubectl create secretno longer required for steady state warden access reuse-surface-hub-write-token --fetchuses OpenBao path- Forgejo org webhook and hub HMAC stay aligned after a test rotation