Add credential-change delegated applier flow
@@ -192,16 +192,22 @@ The GitOps contract uses:
`ClusterSecretStore`.
- OpenBao Kubernetes auth role `external-secrets-issue-core` for the
issue-core pilot.
- OpenBao Kubernetes auth role `external-secrets-activity-core` for the
activity-core/llm-connect provider-secret lane once approved.
The initial `ClusterSecretStore/openbao` is intentionally limited to the
`issue-core` namespace. Broaden it only with a new platform review when another
tenant is ready to consume OpenBao through ESO.
`ClusterSecretStore/openbao` is limited to the `issue-core` namespace.
`ClusterSecretStore/openbao-activity-core` is limited to the `activity-core`
namespace and is intended for the llm-connect provider-secret lane. Broaden or
add stores only with platform review.
Configure the OpenBao side without printing token values:
```bash
OPENBAO_TOKEN_FILE=~/.local/openbao/platform-admin.token \
make openbao-configure-external-secrets-issue-core
OPENBAO_TOKEN_FILE=~/.local/openbao/platform-admin.token \
make openbao-configure-external-secrets-activity-core
```
The helper keeps Kubernetes auth in local-reviewer mode: OpenBao rereads its
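Review bot: the approval status of the activity-core lane is stated inconsistently within this hunk: the bullet for the `external-secrets-activity-core` auth role says the lane applies "once approved", while the paragraph below describes `ClusterSecretStore/openbao-activity-core` in the present tense as an existing store, and the bash block documents `make openbao-configure-external-secrets-activity-core` as a command to run now. Pick one state and use it in all three places (for example, mark the store and the second make invocation as pending the same platform review), otherwise a reader following the runbook may configure the OpenBao auth role before the review the text requires. Separately, both invocations read `~/.local/openbao/platform-admin.token`; if the configure targets only need to write auth roles and their policies, consider documenting a narrower token for them so routine ESO onboarding does not require a platform-admin credential.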