Add credential routing, actor patterns, security map, OpenBao SSH checklist, and policy-gated signing design. Update registry and SCOPE; record INTENT↔SCOPE reassessment (C3 completeness).
Credential Routing — NetKingdom Access Desk
Date: 2026-06-17
Use this page when a development worker (human, kaizen agent, CI job, or custodian tool) needs access or credentials and is unsure which subsystem owns the request.
ops-warden maintains this routing guide. It issues SSH certificates only. For every other credential type, follow the routed path — do not paste secrets into Git, State Hub, agent chat, or workplans.
Quick decision tree
```
What do you need?
|
+-- Log in as a human / get OIDC claims / MFA
|     -> key-cape (lightweight) or Keycloak (expanded)
|        net-kingdom/docs/platform-identity-security-architecture.md
|
+-- Permission to perform an action on a resource
|     -> flex-auth (policy decision)
|        flex-auth/INTENT.md
|
+-- API key, DB password, provider token, K8s secret, dynamic lease
|     -> OpenBao (after flex-auth approval where policy requires it)
|        railiance-platform/docs/openbao.md
|        NEVER ops-warden
|
+-- S3 / object-storage temporary credentials
|     -> NK-WP-0007 vending path (flex-auth + OpenBao + storage STS)
|        net-kingdom/docs/object-storage-sts-credential-vending.md
|        NEVER ops-warden
|
+-- SSH certificate for host / ops reachability (adm/agt/atm)
|     -> ops-warden (warden sign / cert_command)
|        wiki/OpsWardenConfig.md
|
+-- SSH tunnel / port forward (already have or will get a cert)
|     -> ops-bridge
|        ops-bridge tunnels.yaml + cert_command from ops-warden
|
+-- Host accepts your SSH principal / force-command on server
|     -> railiance-infra Ansible
|        /etc/ssh/auth_principals/, sshd hardening
```
Under two minutes: match your need to a branch above, open the linked doc, and stop if you landed on "NEVER ops-warden" for a non-SSH secret.
Routing table
| I need… | Subsystem | ops-warden role |
|---|---|---|
| Interactive login, OIDC token, MFA | key-cape / Keycloak | Document only — use IAM Profile |
| "May I do X on resource Y?" | flex-auth (+ Topaz PDP) | Future pre-sign gate for SSH; document only today |
| OpenRouter / LLM provider API key | OpenBao → K8s Secret | Do not ask ops-warden |
| Inter-Hub operator / runtime API key | OpenBao or 0600 temp file | See wiki/InterHubBootstrapAccessLane.md |
| Database or service password | OpenBao dynamic/KV | Document only |
| Short-lived SSH cert for operator | ops-warden (adm-*) | Issue via warden sign |
| Short-lived SSH cert for agent | ops-warden (agt-*) | Issue via warden sign / wrapper |
| Short-lived SSH cert for CI/cron | ops-warden (atm-*) | Issue via warden sign / warden issue |
| Tunnel to remote service | ops-bridge | Consumer of cert_command |
| Principal file on host | railiance-infra | Document only |
Examples — do NOT ask ops-warden
| Request | Correct path |
|---|---|
| "Populate OPENROUTER_API_KEY for llm-connect" | Operator → OpenBao/K8s Secret in activity-core namespace |
| "Store Inter-Hub admin key for bootstrap" | Operator → OpenBao or IHUB_OPERATOR_KEY_FILE (CUST-WP-0049) |
| "Give me Vault root token" | Break-glass ceremony → railiance-platform/docs/openbao.md |
| "S3 credentials for artifact upload" | NK-WP-0007 / artifact-store consumer path |
| "JWT for my app" | key-cape / Keycloak IAM Profile |
Examples — ops-warden IS correct
| Request | Command / pattern |
|---|---|
| ops-bridge tunnel needs a cert | cert_command: warden sign <actor> --pubkey <path> |
| Agent reaching bootstrap host | agt-codex-interhub-bootstrap — wiki/InterHubBootstrapAccessLane.md |
| Check cert expiry before shift | warden status <actor> |
| New tunnel actor | warden inventory add — wiki/ActorInventoryPatterns.md |
| Lab without OpenBao | backend: local — wiki/OpsWardenConfig.md |
Typical flows
Human operator → remote host
- Identity: key-cape login if web/API access is needed (optional for pure SSH).
- SSH cert: `warden sign adm-<you> --pubkey ~/.ssh/id_ed25519.pub`.
- Tunnel (if needed): ops-bridge with `cert_command` pointing at warden.
- Host: principal deployed by railiance-infra.
Kaizen / Codex agent → attended task
- Register actor: `agt-codex-<task>` per wiki/ActorInventoryPatterns.md.
- SSH cert: `WARDEN_ACTOR=... ops-ssh-wrapper ssh ...` or `warden sign`.
- Secrets for task (API keys): OpenBao path — not warden.
- Tunnel: ops-bridge if required.
CI automation → scheduled job
- Actor: `atm-<job>` with a narrow principal and low TTL (≤ 8 h).
- SSH cert: `warden issue atm-<job>`, or sign with a pre-provisioned key.
- No long-lived keys in CI env vars.
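A pre-flight check that applies the routing rules on this page (decision tree, adm/agt/atm actor classes, the 8 h TTL ceiling for atm-* actors) before anyone asks ops-warden for anything. This is an added example, not ops-warden's or the project's own code; the `Request` shape, the function names and the character set allowed in actor names are assumptions.

```python
# Added example (not ops-warden's own code): route a credential request and
# decide whether ops-warden should sign it. Routes and limits come from the
# Credential Routing page; the Request shape and actor charset are assumptions.
import re
from dataclasses import dataclass
from typing import Tuple

# Credential kind -> owning subsystem, per the decision tree. Everything except
# ssh-cert is a "NEVER ops-warden" route.
ROUTES = {
    "login": "key-cape / Keycloak",
    "authz": "flex-auth",
    "api-key": "OpenBao",
    "db-password": "OpenBao",
    "k8s-secret": "OpenBao",
    "s3-temp-creds": "NK-WP-0007 vending path",
    "ssh-cert": "ops-warden",
}
# Actor classes ops-warden signs for (adm-<you>, agt-codex-<task>, atm-<job>);
# the lowercase/digit/hyphen charset is an assumption, not from the page.
ACTOR_RE = re.compile(r"^(adm|agt|atm)-[a-z0-9][a-z0-9-]*$")
TTL_CAP_HOURS = {"atm": 8.0}  # the page states a ceiling only for CI/cron actors


@dataclass
class Request:
    kind: str
    actor: str = ""
    ttl_hours: float = 0.0


def route(kind: str) -> str:
    """Owning subsystem for a credential kind, or 'unknown' if not in the tree."""
    return ROUTES.get(kind, "unknown")


def warden_accepts(req: Request) -> Tuple[bool, str]:
    """Decide whether ops-warden should sign; the string says why not, or where to go."""
    owner = route(req.kind)
    if owner != "ops-warden":
        return False, f"not an SSH cert request; route to {owner}"
    m = ACTOR_RE.match(req.actor)
    if not m:
        return False, "actor must be adm-*, agt-* or atm-* (wiki/ActorInventoryPatterns.md)"
    if req.ttl_hours <= 0:
        return False, "short-lived cert needs a positive TTL"
    cap = TTL_CAP_HOURS.get(m.group(1))
    if cap is not None and req.ttl_hours > cap:
        return False, f"{m.group(1)}-* TTL {req.ttl_hours} h exceeds {cap} h cap"
    return True, f"sign via warden sign {req.actor}"
```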
When guidance drifts
NetKingdom security architecture is canonical in net-kingdom. When it changes (OpenBao, IAM Profile, new bootstrap lanes), ops-warden updates:
- This file
- wiki/NetKingdomSecurityMap.md
- SCOPE.md / INTENT.md as needed
Report drift via custodian workplan or State Hub message to ops-warden.
See also
- INTENT.md — steward mission
- wiki/NetKingdomSecurityMap.md — component literacy
- wiki/ActorInventoryPatterns.md — actor naming
- wiki/OpenBaoSshEngineChecklist.md — production SSH signing verify
- net-kingdom/docs/platform-identity-security-architecture.md — platform canon