coulomb/ops-warden
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1237cc767bda3d24a71780bda9f3cd1f46c37225
ops-warden/wiki/playbooks/database-dynamic-credentials.md
tegwick 1237cc767b Complete WARDEN-WP-0012 routing scenario playbooks 
Add platform-secret playbooks for issue-core ingestion, OpenRouter llm-connect,
object-storage STS, and database dynamic credentials. Extend the routing catalog
with draft entries and implement `warden route list --stale` for quarterly drift
review. Document the review cadence in AccessRouting and mark the workplan finished.
2026-06-25 10:27:23 +02:00

3.2 KiB
Raw Blame History

Database Dynamic Credentials — OpenBao

Date: 2026-06-24
Workplan: WARDEN-WP-0012 T4
Catalog: database-dynamic-credentials (draft until engine ships)

Pointer playbook for short-lived database passwords issued by OpenBao dynamic secret engines (e.g. CNPG-managed PostgreSQL). ops-warden does not issue DB credentials — custody and engine configuration belong to railiance-platform; consumers request credentials through approved paths after flex-auth policy where required.

Owners

Concern Owner repo Authoritative doc
OpenBao database engine, paths, policies railiance-platform docs/openbao.md, workplans/RAIL-PL-WP-0002-openbao-platform-secrets-service.md
Authorization before sensitive reads flex-auth INTENT.md
Application connection and lease handling Owning app repo App-specific deployment docs

Do not ask ops-warden

warden route show openbao-api-key --json
warden route show database-dynamic-credentials --json   # after promotion

Never paste DB passwords, connection strings with credentials, or root DB admin tokens in Git, State Hub, logs, or agent chat.

Platform path convention

From railiance-platform/docs/openbao.md:

platform/databases/<consumer>

Dynamic credentials are issued via OpenBao database secrets engine roles — not static KV copies. Coordinate the exact mount and role name with platform before wiring workloads.

Promotion gate: catalog entry stays status: draft until the database secrets engine and consumer role exist in the live cluster.

Worker checklist

1. Confirm need type

  • Short-lived DB password (dynamic) vs long-lived KV secret — prefer dynamic
  • Target database identified (CNPG cluster, service name, database name)
  • flex-auth policy requires approval for this read (if tenant policy says so)

2. Platform provisioning (operator)

  • Database secrets engine configured with least-privilege creation statements
  • Role TTL aligned to workload session (minuteshours, not days)
  • Path registered under platform/databases/<consumer>
  • Audit logging enabled on secret access

3. Workload consumption

  • App uses ESO or CSI to materialize username/password into K8s Secret
  • Connection pool handles credential rotation before lease expiry
  • No hard-coded passwords in Helm values or ConfigMaps

4. Verify

  • App connects with issued credentials
  • Lease renewal or re-read succeeds before expiry
  • Revocation on pod teardown (if policy requires)

5. Rotation / revocation

  • OpenBao revokes lease on role change
  • Platform operator documents break-glass DB admin path separately (not via warden)

Owner-repo next actions

Repo Action
railiance-platform Configure database secrets engine, roles, and policies
Owning application Wire ESO/CSI and connection handling for lease TTL
flex-auth Policy for database credential requests (if gated)

See also

  • railiance-platform/docs/openbao.md
  • railiance-platform/workplans/RAIL-PL-WP-0002-openbao-platform-secrets-service.md
  • wiki/CredentialRouting.md#routing-table
Reference in New Issue View Git Blame Copy Permalink