Files
ops-warden/wiki/playbooks/openrouter-llm-connect.md
tegwick 364eb7dfe1 Promote issue-core-ingestion-api-key and openrouter-llm-connect lanes to active
RAILIANCE-WP-0009 T06 / RAILIANCE-WP-0010 T06 (CCR-2026-0002, CCR-2026-0003):
both OpenBao KV paths are live, ESO delivers the Secrets in cluster, and
positive/negative access verification is audit-logged. Catalog entries gain
concrete zero-placeholder handoffs (exec_capable, resolvable); draft tables
and playbook gates updated; routing tests repointed to still-draft lanes.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-02 20:48:39 +02:00

3.8 KiB

OpenRouter API Key — llm-connect in activity-core

Date: 2026-06-24 (promoted active 2026-07-02)
Workplan: WARDEN-WP-0012 T4 · RAILIANCE-WP-0010 / CCR-2026-0003
Catalog: openrouter-llm-connect (active — OpenBao path live, ESO delivering)

Pointer playbook for LLM provider credentials consumed by llm-connect in the activity-core namespace. ops-warden issues SSH certs only — API keys are an OpenBao → Kubernetes Secret action owned by railiance-platform and activity-core deployment repos.


Owners

Concern Owner repo Authoritative doc
OpenBao path and ESO delivery railiance-platform docs/openbao.md — path convention
llm-connect K8s overlay and smoke llm-connect deploy/k8s/activity-core-llm-connect/README.md
activity-core runtime config (LLM_CONNECT_URL) activity-core llm-connect/docs/activity-core-llm-endpoint.md

Do not ask ops-warden

warden route show openbao-api-key --json
warden route show openrouter-llm-connect --json

OPENROUTER_API_KEY must not appear in Git, State Hub, workplans, logs, or chat.


Custody shape (live since 2026-07-02)

platform/workloads/activity-core/llm-connect/llm-connect-provider-secrets

Property name: OPENROUTER_API_KEY

Delivery: ExternalSecret activity-core/llm-connect-provider-secrets (ClusterSecretStore openbao-activity-core, read policy workload-kv-read-llm-connect-provider-secrets, k8s auth role external-secrets-activity-core) syncs to Secret llm-connect-provider-secrets; the llm-connect Deployment consumes it. Positive + negative access verified with OpenBao audit evidence (RAILIANCE-WP-0010 T05). Lifecycle (deactivate/rotate/compromise): railiance-platform/docs/credential-lane-lifecycle-runbook.md.

Promotion gate (met 2026-07-02): the OpenBao path exists and ESO delivers the Secret in cluster. The earlier manually created bootstrap Secret has been taken over by ESO on the CoulombCore cluster; the railiance01 k3s llm-connect instance still uses its bootstrap Secret (separate migration, not this lane).


Worker checklist

1. Confirm need

  • Consumer is llm-connect in activity-core namespace (not a generic OpenRouter client)
  • Default profile uses provider=openrouter (llm-connect/docs/activity-core-llm-endpoint.md)
  • flex-auth policy applies if your tenant requires pre-approval for secret reads

2. Platform path (production)

  • Path provisioned under platform/workloads/activity-core/...
  • Workload KV read policy scoped to llm-connect service account
  • ExternalSecret syncs to Secret llm-connect-provider-secrets

3. Deployment wiring

  • kubectl apply -k deploy/k8s/activity-core-llm-connect (llm-connect repo)
  • Deployment mounts provider Secret; env provides OPENROUTER_API_KEY
  • activity-core sets LLM_CONNECT_URL to in-cluster service URL

4. Smoke

# From llm-connect repo — cluster smoke after apply
kubectl -n activity-core rollout status deployment/llm-connect
# See deploy/k8s/activity-core-llm-connect/README.md for endpoint smoke script

5. Rotation

  • Update OpenBao KV value
  • ESO refresh or rollout restart llm-connect Deployment
  • Run cluster smoke; confirm activity-core triage profile still reaches provider

Owner-repo next actions

Repo Action
railiance-platform Provision OpenBao path + policy for activity-core llm-connect
llm-connect Maintain K8s overlay and document Secret key names
activity-core Set LLM_CONNECT_URL and triage profile after llm-connect is live

See also

  • llm-connect/docs/activity-core-llm-endpoint.md
  • wiki/CredentialRouting.md#examples-do-not-ask-ops-warden
  • net-kingdom/docs/platform-identity-security-architecture.md