coulomb/ops-warden
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e8bb46903366599fa93091b00a1693a033c7a4ed
ops-warden/wiki/playbooks/openrouter-llm-connect.md
tegwick 1237cc767b Complete WARDEN-WP-0012 routing scenario playbooks 
Add platform-secret playbooks for issue-core ingestion, OpenRouter llm-connect,
object-storage STS, and database dynamic credentials. Extend the routing catalog
with draft entries and implement `warden route list --stale` for quarterly drift
review. Document the review cadence in AccessRouting and mark the workplan finished.
2026-06-25 10:27:23 +02:00

104 lines
3.3 KiB
Markdown
Raw Blame History

# OpenRouter API Key — llm-connect in activity-core
Date: 2026-06-24
Workplan: WARDEN-WP-0012 T4
Catalog: `openrouter-llm-connect` (draft until OpenBao path ships)
Pointer playbook for LLM provider credentials consumed by `llm-connect` in the
`activity-core` namespace. ops-warden issues SSH certs only — API keys are an
OpenBao → Kubernetes Secret action owned by `railiance-platform` and
`activity-core` deployment repos.
---
## Owners
| Concern | Owner repo | Authoritative doc |
| --- | --- | --- |
| OpenBao path and ESO delivery | `railiance-platform` | `docs/openbao.md` — path convention |
| llm-connect K8s overlay and smoke | `llm-connect` | `deploy/k8s/activity-core-llm-connect/README.md` |
| activity-core runtime config (`LLM_CONNECT_URL`) | `activity-core` | `llm-connect/docs/activity-core-llm-endpoint.md` |
---
## Do not ask ops-warden
```bash
warden route show openbao-api-key --json
warden route show openrouter-llm-connect --json # after promotion
```
`OPENROUTER_API_KEY` must not appear in Git, State Hub, workplans, logs, or chat.
---
## Expected custody shape
Documented platform path convention (coordinate before writing secrets):
```text
platform/workloads/activity-core/llm-connect/llm-connect-provider-secrets
```
Property name: `OPENROUTER_API_KEY`
Until the OpenBao path is provisioned, operators may create the K8s Secret
directly for pilot smoke (`llm-connect` README) — that is a bootstrap bridge,
not the long-term custody model.
**Promotion gate:** catalog entry stays `status: draft` until the OpenBao path
exists and ESO (or approved equivalent) delivers the Secret in cluster.
---
## Worker checklist
### 1. Confirm need
- [ ] Consumer is `llm-connect` in `activity-core` namespace (not a generic OpenRouter client)
- [ ] Default profile uses `provider=openrouter` (`llm-connect/docs/activity-core-llm-endpoint.md`)
- [ ] flex-auth policy applies if your tenant requires pre-approval for secret reads
### 2. Platform path (production)
- [ ] Path provisioned under `platform/workloads/activity-core/...`
- [ ] Workload KV read policy scoped to `llm-connect` service account
- [ ] ExternalSecret syncs to Secret `llm-connect-provider-secrets`
### 3. Deployment wiring
- [ ] `kubectl apply -k deploy/k8s/activity-core-llm-connect` (llm-connect repo)
- [ ] Deployment mounts provider Secret; env provides `OPENROUTER_API_KEY`
- [ ] activity-core sets `LLM_CONNECT_URL` to in-cluster service URL
### 4. Smoke
```bash
# From llm-connect repo — cluster smoke after apply
kubectl -n activity-core rollout status deployment/llm-connect
# See deploy/k8s/activity-core-llm-connect/README.md for endpoint smoke script
```
### 5. Rotation
- [ ] Update OpenBao KV value
- [ ] ESO refresh or rollout restart llm-connect Deployment
- [ ] Run cluster smoke; confirm activity-core triage profile still reaches provider
---
## Owner-repo next actions
| Repo | Action |
| --- | --- |
| `railiance-platform` | Provision OpenBao path + policy for activity-core llm-connect |
| `llm-connect` | Maintain K8s overlay and document Secret key names |
| `activity-core` | Set `LLM_CONNECT_URL` and triage profile after llm-connect is live |
---
## See also
- `llm-connect/docs/activity-core-llm-endpoint.md`
- `wiki/CredentialRouting.md#examples-do-not-ask-ops-warden`
- `net-kingdom/docs/platform-identity-security-architecture.md`
Reference in New Issue View Git Blame Copy Permalink