coulomb/ops-warden
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1237cc767bda3d24a71780bda9f3cd1f46c37225
ops-warden/wiki/playbooks/database-dynamic-credentials.md
tegwick 1237cc767b Complete WARDEN-WP-0012 routing scenario playbooks 
Add platform-secret playbooks for issue-core ingestion, OpenRouter llm-connect,
object-storage STS, and database dynamic credentials. Extend the routing catalog
with draft entries and implement `warden route list --stale` for quarterly drift
review. Document the review cadence in AccessRouting and mark the workplan finished.
2026-06-25 10:27:23 +02:00

102 lines
3.2 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Database Dynamic Credentials — OpenBao
Date: 2026-06-24
Workplan: WARDEN-WP-0012 T4
Catalog: `database-dynamic-credentials` (draft until engine ships)
Pointer playbook for short-lived database passwords issued by OpenBao dynamic
secret engines (e.g. CNPG-managed PostgreSQL). ops-warden does not issue DB
credentials — custody and engine configuration belong to `railiance-platform`;
consumers request credentials through approved paths after flex-auth policy where
required.
---
## Owners
| Concern | Owner repo | Authoritative doc |
| --- | --- | --- |
| OpenBao database engine, paths, policies | `railiance-platform` | `docs/openbao.md`, `workplans/RAIL-PL-WP-0002-openbao-platform-secrets-service.md` |
| Authorization before sensitive reads | `flex-auth` | `INTENT.md` |
| Application connection and lease handling | Owning app repo | App-specific deployment docs |
---
## Do not ask ops-warden
```bash
warden route show openbao-api-key --json
warden route show database-dynamic-credentials --json # after promotion
```
Never paste DB passwords, connection strings with credentials, or root DB admin
tokens in Git, State Hub, logs, or agent chat.
---
## Platform path convention
From `railiance-platform/docs/openbao.md`:
```text
platform/databases/<consumer>
```
Dynamic credentials are issued via OpenBao database secrets engine roles — not
static KV copies. Coordinate the exact mount and role name with platform before
wiring workloads.
**Promotion gate:** catalog entry stays `status: draft` until the database
secrets engine and consumer role exist in the live cluster.
---
## Worker checklist
### 1. Confirm need type
- [ ] Short-lived DB password (dynamic) vs long-lived KV secret — prefer dynamic
- [ ] Target database identified (CNPG cluster, service name, database name)
- [ ] flex-auth policy requires approval for this read (if tenant policy says so)
### 2. Platform provisioning (operator)
- [ ] Database secrets engine configured with least-privilege creation statements
- [ ] Role TTL aligned to workload session (minuteshours, not days)
- [ ] Path registered under `platform/databases/<consumer>`
- [ ] Audit logging enabled on secret access
### 3. Workload consumption
- [ ] App uses ESO or CSI to materialize username/password into K8s Secret
- [ ] Connection pool handles credential rotation before lease expiry
- [ ] No hard-coded passwords in Helm values or ConfigMaps
### 4. Verify
- [ ] App connects with issued credentials
- [ ] Lease renewal or re-read succeeds before expiry
- [ ] Revocation on pod teardown (if policy requires)
### 5. Rotation / revocation
- [ ] OpenBao revokes lease on role change
- [ ] Platform operator documents break-glass DB admin path separately (not via warden)
---
## Owner-repo next actions
| Repo | Action |
| --- | --- |
| `railiance-platform` | Configure database secrets engine, roles, and policies |
| Owning application | Wire ESO/CSI and connection handling for lease TTL |
| `flex-auth` | Policy for database credential requests (if gated) |
---
## See also
- `railiance-platform/docs/openbao.md`
- `railiance-platform/workplans/RAIL-PL-WP-0002-openbao-platform-secrets-service.md`
- `wiki/CredentialRouting.md#routing-table`
Reference in New Issue View Git Blame Copy Permalink