tegwick
1237cc767b
Add platform-secret playbooks for issue-core ingestion, OpenRouter llm-connect, object-storage STS, and database dynamic credentials. Extend the routing catalog with draft entries and implement `warden route list --stale` for quarterly drift review. Document the review cadence in AccessRouting and mark the workplan finished.
3.3 KiB
OpenRouter API Key — llm-connect in activity-core
Date: 2026-06-24
Workplan: WARDEN-WP-0012 T4
Catalog: openrouter-llm-connect (draft until OpenBao path ships)
Pointer playbook for LLM provider credentials consumed by llm-connect in the
activity-core namespace. ops-warden issues SSH certs only — API keys are an
OpenBao → Kubernetes Secret action owned by railiance-platform and
activity-core deployment repos.
Owners
| Concern | Owner repo | Authoritative doc |
|---|---|---|
| OpenBao path and ESO delivery | railiance-platform |
docs/openbao.md — path convention |
| llm-connect K8s overlay and smoke | llm-connect |
deploy/k8s/activity-core-llm-connect/README.md |
activity-core runtime config (LLM_CONNECT_URL) |
activity-core |
llm-connect/docs/activity-core-llm-endpoint.md |
Do not ask ops-warden
warden route show openbao-api-key --json
warden route show openrouter-llm-connect --json # after promotion
OPENROUTER_API_KEY must not appear in Git, State Hub, workplans, logs, or chat.
Expected custody shape
Documented platform path convention (coordinate before writing secrets):
platform/workloads/activity-core/llm-connect/llm-connect-provider-secrets
Property name: OPENROUTER_API_KEY
Until the OpenBao path is provisioned, operators may create the K8s Secret
directly for pilot smoke (llm-connect README) — that is a bootstrap bridge,
not the long-term custody model.
Promotion gate: catalog entry stays status: draft until the OpenBao path
exists and ESO (or approved equivalent) delivers the Secret in cluster.
Worker checklist
1. Confirm need
- Consumer is
llm-connectinactivity-corenamespace (not a generic OpenRouter client) - Default profile uses
provider=openrouter(llm-connect/docs/activity-core-llm-endpoint.md) - flex-auth policy applies if your tenant requires pre-approval for secret reads
2. Platform path (production)
- Path provisioned under
platform/workloads/activity-core/... - Workload KV read policy scoped to
llm-connectservice account - ExternalSecret syncs to Secret
llm-connect-provider-secrets
3. Deployment wiring
kubectl apply -k deploy/k8s/activity-core-llm-connect(llm-connect repo)- Deployment mounts provider Secret; env provides
OPENROUTER_API_KEY - activity-core sets
LLM_CONNECT_URLto in-cluster service URL
4. Smoke
# From llm-connect repo — cluster smoke after apply
kubectl -n activity-core rollout status deployment/llm-connect
# See deploy/k8s/activity-core-llm-connect/README.md for endpoint smoke script
5. Rotation
- Update OpenBao KV value
- ESO refresh or rollout restart llm-connect Deployment
- Run cluster smoke; confirm activity-core triage profile still reaches provider
Owner-repo next actions
| Repo | Action |
|---|---|
railiance-platform |
Provision OpenBao path + policy for activity-core llm-connect |
llm-connect |
Maintain K8s overlay and document Secret key names |
activity-core |
Set LLM_CONNECT_URL and triage profile after llm-connect is live |
See also
llm-connect/docs/activity-core-llm-endpoint.mdwiki/CredentialRouting.md#examples-do-not-ask-ops-wardennet-kingdom/docs/platform-identity-security-architecture.md