Add credential-change delegated applier flow

2026-07-01 20:07:26 +02:00
parent c626bfcf15
commit a95236d2e5
21 changed files with 2705 additions and 119 deletions

@@ -192,16 +192,22 @@ The GitOps contract uses:
`ClusterSecretStore`.
- OpenBao Kubernetes auth role `external-secrets-issue-core` for the
issue-core pilot.
- OpenBao Kubernetes auth role `external-secrets-activity-core` for the
activity-core/llm-connect provider-secret lane once approved.
The initial `ClusterSecretStore/openbao` is intentionally limited to the
`issue-core` namespace. Broaden it only with a new platform review when another
tenant is ready to consume OpenBao through ESO.
`ClusterSecretStore/openbao` is limited to the `issue-core` namespace.
`ClusterSecretStore/openbao-activity-core` is limited to the `activity-core`
namespace and is intended for the llm-connect provider-secret lane. Broaden or
add stores only with platform review.
Configure the OpenBao side without printing token values:
```bash
OPENBAO_TOKEN_FILE=~/.local/openbao/platform-admin.token \
make openbao-configure-external-secrets-issue-core
OPENBAO_TOKEN_FILE=~/.local/openbao/platform-admin.token \
make openbao-configure-external-secrets-activity-core
```
The helper keeps Kubernetes auth in local-reviewer mode: OpenBao rereads its
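Review bot: the hunk leaves the approval status of the activity-core lane ambiguous: the bullet still says the `external-secrets-activity-core` auth role is for the provider-secret lane "once approved", while the new paragraph already describes `ClusterSecretStore/openbao-activity-core` as scoped to the `activity-core` namespace and the bash block adds `make openbao-configure-external-secrets-activity-core` as a step to run now. Either drop "once approved" or state explicitly that the store exists but stays gated on the platform review mentioned in "Broaden or add stores only with platform review", so a reader does not configure the lane before it is signed off. Since the text stresses running the helper "without printing token values", it would also help to say that the file named by `OPENBAO_TOKEN_FILE` (here `~/.local/openbao/platform-admin.token`) should be readable only by the operator, as the whole point of passing a path rather than a value is to keep the token out of shell history and logs.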