generated from coulomb/repo-seed
REUSE_SURFACE_TOKEN is custody of the Railiance01 K8s secret reuse-surface-env, not OpenBao. Workers blocked on hub register can now discover the lane via warden route find and obtain it through the documented kubectl handoff.
283 lines
15 KiB
YAML
283 lines
15 KiB
YAML
# ops-warden routing catalog — POINTER LAYER
|
|
#
|
|
# This file is a machine-readable index of NetKingdom credential needs. It tells a
|
|
# worker WHICH subsystem owns a need and WHERE the authoritative doc is. It is NOT
|
|
# a second copy of any subsystem's procedure.
|
|
#
|
|
# No-double-source rule (binding — see workplans/WARDEN-WP-0010-access-routing-charter.md):
|
|
# - For any subsystem ops-warden does not own, an entry carries identifiers +
|
|
# pointers ONLY: owner_repo, subsystem, wiki_ref, canon_ref, need_keywords.
|
|
# - Authored procedure (a `steps:` block and `cert_command:`) is allowed ONLY on
|
|
# entries with `warden_executes: true` — i.e. the SSH certificate lane, the one
|
|
# lane ops-warden owns.
|
|
# - A CI/test (WARDEN-WP-0011 T5) FAILS any non-SSH entry that carries a `steps`
|
|
# block, and checks that every `wiki_ref` anchor resolves to a real section.
|
|
# - No secret material in this file, ever.
|
|
#
|
|
# Field reference:
|
|
# id kebab-case stable identifier (lookup key)
|
|
# title human-readable need
|
|
# need_keywords tokens for `warden route find` keyword matching
|
|
# owner_repo repo/subsystem that owns the procedure
|
|
# subsystem platform component a worker acts on
|
|
# warden_executes true only for the SSH lane; false everywhere else
|
|
# wiki_ref anchor into an in-repo wiki section (authoritative restatement)
|
|
# canon_ref upstream net-kingdom doc the wiki section tracks
|
|
# reviewed date this pointer was last checked against canon (YYYY-MM-DD)
|
|
# status active (surfaced by default) | draft (hidden unless --all)
|
|
# steps ONLY when warden_executes: true
|
|
# cert_command ONLY when warden_executes: true
|
|
|
|
version: 1
|
|
|
|
entries:
|
|
- id: ssh-cert-host-access
|
|
title: Short-lived SSH certificate for host / ops reachability
|
|
need_keywords: [ssh, certificate, cert, host, access, sign, adm, agt, atm, reachability, ops]
|
|
owner_repo: ops-warden
|
|
subsystem: ops-warden
|
|
warden_executes: true
|
|
wiki_ref: wiki/AccessRouting.md#issue-vs-route
|
|
canon_ref: net-kingdom/docs/platform-identity-security-architecture.md#operational-ssh-path
|
|
reviewed: "2026-06-18"
|
|
status: active
|
|
cert_command: "warden sign <actor> --pubkey <path>"
|
|
steps:
|
|
- "Confirm the actor is in inventory (`warden inventory list`); add with `warden inventory add` if not — see wiki/ActorInventoryPatterns.md."
|
|
- "Confirm the backend is configured (`warden status`) — local CA for labs, vault for production."
|
|
- "Sign: `warden sign <actor> --pubkey <path>` — cert is written to stdout (the cert_command contract)."
|
|
- "TTL is enforced per actor type: adm 48h / agt 24h / atm 8h. No long-lived keys."
|
|
|
|
- id: ops-warden-warden-sign-token
|
|
title: Scoped OpenBao token for ops-warden SSH signing (warden-sign)
|
|
need_keywords: [vault_token, vault, token, warden-sign, warden, ops-warden, signing, sign, smoke, flex-auth, credential, broker, lease, openbao, ssh, production]
|
|
owner_repo: railiance-platform
|
|
subsystem: OpenBao credential broker
|
|
warden_executes: false
|
|
wiki_ref: wiki/playbooks/ops-warden-warden-sign-token.md#worker-checklist
|
|
canon_ref: net-kingdom/docs/platform-identity-security-architecture.md
|
|
reviewed: "2026-07-01"
|
|
status: active
|
|
# Concrete broker lane — RAILIANCE-WP-0005 pilot (live 2026-07-01):
|
|
# credential exec injects VAULT_TOKEN only into the child process; ops-warden
|
|
# issues SSH certs and never mints or holds OpenBao tokens.
|
|
auth_method: "railiance-platform credential broker (issuer via OPENBAO_TOKEN_FILE for apply; child tokens via grant)"
|
|
path_template: "credential-grants/catalog.yaml grant ops-warden/warden-sign"
|
|
fetch_command: "scripts/credential.py request --grant ops-warden/warden-sign --purpose ops-warden-sign --ttl 15m"
|
|
policy_ref: "flex-auth optional preflight per grant catalog"
|
|
exec_owner: railiance-platform
|
|
exec_command: "scripts/credential.py exec --grant ops-warden/warden-sign --ttl 15m -- <cmd>"
|
|
pointer_command: "make credential-exec-ops-warden-smoke"
|
|
|
|
- id: openbao-api-key
|
|
title: API key, DB credential, or dynamic lease
|
|
need_keywords: [api, key, secret, database, db, password, token, lease, openbao, vault, kv, dynamic, credential, npm, npm_auth_token, registry]
|
|
owner_repo: railiance-platform
|
|
subsystem: OpenBao
|
|
warden_executes: false
|
|
wiki_ref: wiki/CredentialRouting.md#routing-table
|
|
canon_ref: net-kingdom/docs/platform-identity-security-architecture.md
|
|
reviewed: "2026-06-27"
|
|
status: active
|
|
# Structured handoff (WP-0014) — reference example. Templates only, no values.
|
|
# ops-warden does not own this secret; it advises and (exec_capable) proxies the
|
|
# fetch *as the caller* via `warden access`, never holding or persisting the value.
|
|
auth_method: "key-cape OIDC → bao login -method=oidc role=<domain>"
|
|
path_template: "platform/workloads/<domain>/<workload>/<bundle>"
|
|
fetch_command: "bao kv get -field=<FIELD> <path_template>"
|
|
policy_ref: "flex-auth check secret.read:<domain>"
|
|
exec_capable: true
|
|
|
|
- id: whynot-design-npm-publish
|
|
title: whynot-design npm publish token (@whynot/design → coulomb Gitea registry)
|
|
need_keywords: [whynot-design, whynot, npm, publish, npm_auth_token, gitea, registry, coulomb, package]
|
|
owner_repo: railiance-platform
|
|
subsystem: OpenBao
|
|
warden_executes: false
|
|
wiki_ref: wiki/playbooks/whynot-design-npm-publish.md#worker-checklist
|
|
canon_ref: net-kingdom/docs/platform-identity-security-architecture.md
|
|
reviewed: "2026-06-29"
|
|
status: active
|
|
# Concrete, owner-confirmed lane — railiance-platform CCR-2026-0001 (commit 8f617fc):
|
|
# status=active, access_frontdoor.readiness=ready, resolvable=true; positive fetch
|
|
# passed and negative (non-whynot) login denied. Zero-placeholder fetch: an automated
|
|
# caller can `warden access whynot-design-npm-publish --exec -- npm publish` directly.
|
|
# The path was corrected to the `coulomb` tenant — the whynot-design/whynot-design/…
|
|
# form is superseded; do not reintroduce it.
|
|
auth_method: "bao login -method=oidc -path=netkingdom role=whynot-design-workload-kv-read"
|
|
path_template: "platform/workloads/coulomb/whynot-design/npm-publish"
|
|
fetch_command: "bao kv get -field=NPM_AUTH_TOKEN platform/workloads/coulomb/whynot-design/npm-publish"
|
|
policy_ref: "flex-auth check secret.read:whynot-design"
|
|
exec_capable: true
|
|
lane: secret
|
|
# Owner-native exec front door (WP-0019, secrets-engine SECRETS-WP-0003, decision
|
|
# e6381a56): route-primary, proxy-fallback. The secrets-engine exec is the primary
|
|
# path; warden access --fetch/--exec remains a transparent fallback.
|
|
exec_owner: secrets-engine
|
|
exec_command: "secrets-engine exec --catalog whynot-design-npm-publish -- <cmd>"
|
|
pointer_command: "secrets-engine route whynot-design-npm-publish --json"
|
|
|
|
- id: flex-auth-policy-check
|
|
title: Authorization decision — may this actor perform this action
|
|
need_keywords: [authorization, policy, permission, allow, deny, may, flex-auth, topaz, pdp, decision]
|
|
owner_repo: flex-auth
|
|
subsystem: flex-auth
|
|
warden_executes: false
|
|
wiki_ref: wiki/CredentialRouting.md#quick-decision-tree
|
|
canon_ref: net-kingdom/docs/responsibility-map.md
|
|
reviewed: "2026-06-18"
|
|
status: active
|
|
|
|
- id: key-cape-oidc-login
|
|
title: Interactive login, OIDC token, or MFA
|
|
need_keywords: [login, oidc, identity, mfa, token, jwt, sso, keycloak, key-cape, iam, claims, authenticate, signin]
|
|
owner_repo: key-cape
|
|
subsystem: key-cape / Keycloak
|
|
warden_executes: false
|
|
wiki_ref: wiki/CredentialRouting.md#quick-decision-tree
|
|
canon_ref: net-kingdom/docs/canon/standards/iam-profile_v0.2.md
|
|
reviewed: "2026-06-27"
|
|
status: active
|
|
# Login lane (WP-0014 T4) — interactive auth bootstrap, not a secret read. No
|
|
# secret-read gate (you have no identity yet) and no caller-auth precheck (the
|
|
# point is to obtain one). warden runs it interactively as the caller and never
|
|
# captures the resulting token — the owner tool writes it to the caller's store.
|
|
lane: login
|
|
auth_method: "browser OIDC via key-cape / Keycloak"
|
|
fetch_command: "bao login -method=oidc role=<domain>"
|
|
exec_capable: true
|
|
|
|
- id: ops-bridge-tunnel
|
|
title: SSH tunnel or port forward
|
|
need_keywords: [tunnel, port, forward, bridge, ops-bridge, reverse, transport, ssh-tunnel, cert_command]
|
|
owner_repo: ops-bridge
|
|
subsystem: ops-bridge
|
|
warden_executes: false
|
|
wiki_ref: wiki/playbooks/ops-bridge-tunnel-cert.md#migration-checklist
|
|
canon_ref: net-kingdom/docs/platform-identity-security-architecture.md#operational-ssh-path
|
|
reviewed: "2026-06-24"
|
|
status: active
|
|
|
|
- id: railiance-infra-principals
|
|
title: Host SSH principal file or force-command deployment
|
|
need_keywords: [principal, auth_principals, force-command, host, sshd, hardening, railiance-infra, ansible]
|
|
owner_repo: railiance-infra
|
|
subsystem: railiance-infra
|
|
warden_executes: false
|
|
wiki_ref: wiki/CredentialRouting.md#routing-table
|
|
canon_ref: net-kingdom/docs/responsibility-map.md
|
|
reviewed: "2026-06-18"
|
|
status: active
|
|
|
|
- id: inter-hub-bootstrap-ssh
|
|
title: Inter-Hub bootstrap SSH envelope
|
|
need_keywords: [inter-hub, interhub, bootstrap, ops-hub, agt-interhub-bootstrap, envelope, force-command, CUST-WP-0049]
|
|
owner_repo: ops-warden
|
|
subsystem: ops-warden + railiance-infra
|
|
warden_executes: false
|
|
wiki_ref: wiki/InterHubBootstrapAccessLane.md#worker-checklist
|
|
canon_ref: net-kingdom/docs/platform-identity-security-architecture.md#operational-ssh-path
|
|
reviewed: "2026-06-24"
|
|
status: active
|
|
|
|
- id: activity-core-issue-sink
|
|
title: activity-core IssueSink → issue-core REST emission
|
|
need_keywords: [activity-core, issue-sink, issue-core, emission, issue_core_url, issue_core_api_key, tasks, ingest, rest, issuesink]
|
|
owner_repo: activity-core
|
|
subsystem: activity-core + issue-core
|
|
warden_executes: false
|
|
wiki_ref: wiki/playbooks/activity-core-issue-sink.md#worker-checklist
|
|
canon_ref: net-kingdom/docs/platform-identity-security-architecture.md
|
|
reviewed: "2026-06-18"
|
|
status: active
|
|
|
|
- id: issue-core-ingestion-api-key
|
|
title: issue-core ingestion API key (OpenBao KV + ESO)
|
|
need_keywords: [issue-core, ingestion, api, key, openbao, issue_core_api_key, eso, external-secrets]
|
|
owner_repo: railiance-platform
|
|
subsystem: OpenBao + issue-core + activity-core
|
|
warden_executes: false
|
|
wiki_ref: wiki/playbooks/issue-core-ingestion-api-key.md#worker-checklist
|
|
canon_ref: net-kingdom/docs/platform-identity-security-architecture.md
|
|
reviewed: "2026-07-02"
|
|
status: active
|
|
# Concrete, owner-confirmed lane — railiance-platform CCR-2026-0002 / RAILIANCE-WP-0009
|
|
# (promoted 2026-07-02): policy workload-kv-read-issue-core-runtime and k8s auth role
|
|
# external-secrets-issue-core applied; ExternalSecret issue-core/issue-core-runtime
|
|
# SecretSynced; positive + negative access verified with OpenBao audit evidence.
|
|
# Production consumer is ESO; warden access proxies reads as the caller (caller's own
|
|
# OpenBao authority) and never holds the value.
|
|
auth_method: "caller's own OpenBao token (operator OIDC via key-cape, or a token carrying workload-kv-read-issue-core-runtime)"
|
|
path_template: "platform/workloads/issue-core/issue-core/issue-core-runtime"
|
|
fetch_command: "bao kv get -field=ISSUE_CORE_API_KEY platform/workloads/issue-core/issue-core/issue-core-runtime"
|
|
policy_ref: "flex-auth check secret.read:issue-core"
|
|
exec_capable: true
|
|
lane: secret
|
|
|
|
- id: reuse-surface-hub-write-token
|
|
title: reuse-surface federation hub write bearer token
|
|
need_keywords: [reuse-surface, reuse_surface, hub, register, federation, write, token, bearer, REUSE_SURFACE_TOKEN, reuse.coulomb.social]
|
|
owner_repo: reuse-surface
|
|
subsystem: reuse-surface federation hub
|
|
warden_executes: false
|
|
wiki_ref: wiki/playbooks/reuse-surface-hub-write-token.md#worker-checklist
|
|
canon_ref: reuse-surface/specs/FederationHubAPI.md
|
|
reviewed: "2026-07-07"
|
|
status: active
|
|
# Concrete, owner-confirmed lane — REUSE-WP-0011 / RAILIANCE-WP-0007 (hub live
|
|
# 2026-06-15): token is the cluster Secret reuse-surface-env on Railiance01,
|
|
# not OpenBao. warden access proxies kubectl as the caller and never holds the value.
|
|
auth_method: "kubectl with Railiance01 kubeconfig (~/.kube/config-hosteurope)"
|
|
path_template: "reuse/reuse-surface-env"
|
|
fetch_command: "kubectl --kubeconfig ~/.kube/config-hosteurope get secret reuse-surface-env -n reuse -o jsonpath='{.data.REUSE_SURFACE_TOKEN}' | base64 -d"
|
|
exec_capable: true
|
|
lane: secret
|
|
|
|
- id: openrouter-llm-connect
|
|
title: OpenRouter API key for llm-connect in activity-core
|
|
need_keywords: [openrouter, llm, llm-connect, api, key, activity-core, gemini, provider, openrouter_api_key]
|
|
owner_repo: railiance-platform
|
|
subsystem: OpenBao + activity-core
|
|
warden_executes: false
|
|
wiki_ref: wiki/playbooks/openrouter-llm-connect.md#worker-checklist
|
|
canon_ref: net-kingdom/docs/platform-identity-security-architecture.md
|
|
reviewed: "2026-07-02"
|
|
status: active
|
|
# Concrete, owner-confirmed lane — railiance-platform CCR-2026-0003 / RAILIANCE-WP-0010
|
|
# (promoted 2026-07-02): policy workload-kv-read-llm-connect-provider-secrets and k8s
|
|
# auth role external-secrets-activity-core applied; ExternalSecret
|
|
# activity-core/llm-connect-provider-secrets SecretSynced and llm-connect rolled out on
|
|
# the OpenBao-delivered value; positive + negative access verified with audit evidence.
|
|
# Production consumer is ESO; warden access proxies reads as the caller and never holds
|
|
# the provider key.
|
|
auth_method: "caller's own OpenBao token (operator OIDC via key-cape, or a token carrying workload-kv-read-llm-connect-provider-secrets)"
|
|
path_template: "platform/workloads/activity-core/llm-connect/llm-connect-provider-secrets"
|
|
fetch_command: "bao kv get -field=OPENROUTER_API_KEY platform/workloads/activity-core/llm-connect/llm-connect-provider-secrets"
|
|
policy_ref: "flex-auth check secret.read:llm-connect"
|
|
exec_capable: true
|
|
lane: secret
|
|
|
|
# --- draft: owner path not yet shipped; hidden from default lookup ---
|
|
|
|
- id: object-storage-sts
|
|
title: Object-storage STS / temporary S3 credentials
|
|
need_keywords: [s3, sts, object-storage, minio, artifact-store, temporary, credentials, bucket, vending]
|
|
owner_repo: net-kingdom
|
|
subsystem: flex-auth + OpenBao + artifact-store
|
|
warden_executes: false
|
|
wiki_ref: wiki/playbooks/object-storage-sts.md#worker-checklist
|
|
canon_ref: net-kingdom/docs/object-storage-sts-credential-vending.md
|
|
reviewed: "2026-06-24"
|
|
status: draft
|
|
|
|
- id: database-dynamic-credentials
|
|
title: Database dynamic credentials (OpenBao secrets engine)
|
|
need_keywords: [database, db, postgres, cnpg, dynamic, credentials, password, lease, openbao]
|
|
owner_repo: railiance-platform
|
|
subsystem: OpenBao
|
|
warden_executes: false
|
|
wiki_ref: wiki/playbooks/database-dynamic-credentials.md#worker-checklist
|
|
canon_ref: net-kingdom/docs/platform-identity-security-architecture.md
|
|
reviewed: "2026-06-24"
|
|
status: draft
|