coulomb/ops-warden
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Complete WARDEN-WP-0012 routing scenario playbooks

Browse Source 
Add platform-secret playbooks for issue-core ingestion, OpenRouter llm-connect,
object-storage STS, and database dynamic credentials. Extend the routing catalog
with draft entries and implement `warden route list --stale` for quarterly drift
review. Document the review cadence in AccessRouting and mark the workplan finished.
This commit is contained in:
Bernd Worsch
2026-06-25 10:27:23 +02:00
parent 318f2558f5
commit 1237cc767b
12 changed files with 720 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

102
wiki/playbooks/database-dynamic-credentials.md Normal file
View File

@@ -0,0 +1,102 @@
# Database Dynamic Credentials — OpenBao
Date: 2026-06-24
Workplan: WARDEN-WP-0012 T4
Catalog: `database-dynamic-credentials` (draft until engine ships)
Pointer playbook for short-lived database passwords issued by OpenBao dynamic
secret engines (e.g. CNPG-managed PostgreSQL). ops-warden does not issue DB
credentials — custody and engine configuration belong to `railiance-platform`;
consumers request credentials through approved paths after flex-auth policy where
required.
---
## Owners
| Concern | Owner repo | Authoritative doc |
| --- | --- | --- |
| OpenBao database engine, paths, policies | `railiance-platform` | `docs/openbao.md`, `workplans/RAIL-PL-WP-0002-openbao-platform-secrets-service.md` |
| Authorization before sensitive reads | `flex-auth` | `INTENT.md` |
| Application connection and lease handling | Owning app repo | App-specific deployment docs |
---
## Do not ask ops-warden
```bash
warden route show openbao-api-key --json
warden route show database-dynamic-credentials --json # after promotion
```
Never paste DB passwords, connection strings with credentials, or root DB admin
tokens in Git, State Hub, logs, or agent chat.
---
## Platform path convention
From `railiance-platform/docs/openbao.md`:
```text
platform/databases/<consumer>
```
Dynamic credentials are issued via OpenBao database secrets engine roles — not
static KV copies. Coordinate the exact mount and role name with platform before
wiring workloads.
**Promotion gate:** catalog entry stays `status: draft` until the database
secrets engine and consumer role exist in the live cluster.
---
## Worker checklist
### 1. Confirm need type
- [ ] Short-lived DB password (dynamic) vs long-lived KV secret — prefer dynamic
- [ ] Target database identified (CNPG cluster, service name, database name)
- [ ] flex-auth policy requires approval for this read (if tenant policy says so)
### 2. Platform provisioning (operator)
- [ ] Database secrets engine configured with least-privilege creation statements
- [ ] Role TTL aligned to workload session (minuteshours, not days)
- [ ] Path registered under `platform/databases/<consumer>`
- [ ] Audit logging enabled on secret access
### 3. Workload consumption
- [ ] App uses ESO or CSI to materialize username/password into K8s Secret
- [ ] Connection pool handles credential rotation before lease expiry
- [ ] No hard-coded passwords in Helm values or ConfigMaps
### 4. Verify
- [ ] App connects with issued credentials
- [ ] Lease renewal or re-read succeeds before expiry
- [ ] Revocation on pod teardown (if policy requires)
### 5. Rotation / revocation
- [ ] OpenBao revokes lease on role change
- [ ] Platform operator documents break-glass DB admin path separately (not via warden)
---
## Owner-repo next actions
| Repo | Action |
| --- | --- |
| `railiance-platform` | Configure database secrets engine, roles, and policies |
| Owning application | Wire ESO/CSI and connection handling for lease TTL |
| `flex-auth` | Policy for database credential requests (if gated) |
---
## See also
- `railiance-platform/docs/openbao.md`
- `railiance-platform/workplans/RAIL-PL-WP-0002-openbao-platform-secrets-service.md`
- `wiki/CredentialRouting.md#routing-table`