Correct whynot credential tenant path
@@ -137,12 +137,16 @@ Default pattern:
workload namespace.
3. Reference that Kubernetes Secret from the Deployment, Job, or CronJob.

Path convention:
Path convention for workload credential custody:

```text
platform/workloads/<namespace>/<service-account>/<secret-name>
platform/workloads/<tenant-or-org>/<workload>/<secret-purpose>
```

Kubernetes namespace and service-account bounds belong in the OpenBao auth role
or External Secrets binding, not in the tenant segment unless the namespace is
itself the approved workload identity.

Use CSI-mounted files only for workloads that need file references, sharper
mount boundaries, or refresh behavior that should not rewrite application
manifests. Do not use the OpenBao injector in the current deployment.

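Review bot: the new convention moves the namespace and service-account bound out of the path, but nothing in this hunk says what binds the `<tenant-or-org>` segment itself; as written, a workload under one tenant is kept out of another tenant's subtree only by policy text the hunk does not reference. Suggest one line after the `text` block stating that the OpenBao auth role or External Secrets binding must also pin the tenant prefix (`platform/workloads/<tenant-or-org>/`) so the policy and the identity bound agree. The exception "unless the namespace is itself the approved workload identity" should also name who approves that, since it reintroduces the old namespace-as-tenant form the hunk is replacing.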
@@ -103,7 +103,7 @@ A reviewer should see a concise rendered proposal:
Request: whynot-design npm publish token lane
Type: workload-kv-read
Mount/path/field:
platform/workloads/whynot-design/whynot-design/npm-publish
platform/workloads/coulomb/whynot-design/npm-publish
NPM_AUTH_TOKEN
Policy:
workload-kv-read-whynot-design-npm-publish

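Review bot: the path gains the tenant segment (`platform/workloads/coulomb/whynot-design/npm-publish`) but the policy name on the last line, `workload-kv-read-whynot-design-npm-publish`, is still derived from workload and purpose only. If a second tenant ever hosts a workload named `whynot-design`, the two read policies collide on name while granting different paths. Suggest deriving the policy name from all three path segments (for example `workload-kv-read-coulomb-whynot-design-npm-publish`) so the rendered proposal stays unambiguous; the OIDC role `whynot-design-workload-kv-read` shown in a later hunk header has the same gap.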
@@ -395,7 +395,7 @@ tenant contract):
Path convention:

```text
platform/workloads/<namespace>/<service-account>/<secret-name>
platform/workloads/<tenant-or-org>/<workload>/<secret-purpose>
platform/object-storage/<consumer>
platform/databases/<consumer>
platform/operators/<purpose>

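Review bot: only the workloads convention changes here; `platform/object-storage/<consumer>`, `platform/databases/<consumer>` and `platform/operators/<purpose>` keep a single segment with no tenant. Either state that `<consumer>` is itself tenant-qualified (and how it is formed), or note that those three families are intentionally not tenant-partitioned, so a reader does not assume the new `<tenant-or-org>` segment applies to them.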
@@ -25,8 +25,10 @@ Ops-warden batch follow-up:
| Item | Value |
| --- | --- |
| ops-warden catalog id | `whynot-design-npm-publish` |
| Tenant/org | `coulomb` |
| Workload/project | `whynot-design` |
| KV mount | `platform` |
| OpenBao CLI path | `platform/workloads/whynot-design/whynot-design/npm-publish` |
| OpenBao CLI path | `platform/workloads/coulomb/whynot-design/npm-publish` |
| Secret field | `NPM_AUTH_TOKEN` |
| Front-door readiness | `template`, `resolvable=false` until CCR verification |
| Read policy | `workload-kv-read-whynot-design-npm-publish` |
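Review bot: the table now carries a `Tenant/org` row and a tenant-scoped CLI path, but the `ops-warden catalog id` row is unchanged at `whynot-design-npm-publish`. State the uniqueness scope of the catalog id: if it is global across tenants, say so explicitly; if it is per tenant, the id should carry `coulomb` the way the path does. The `Front-door readiness` row still says `resolvable=false` until CCR verification; confirm that the verification step references the new path rather than the old one, otherwise the flag could flip on a stale location.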
@@ -45,7 +47,7 @@ bao login -method=oidc -path=netkingdom role=whynot-design-workload-kv-read
Expected OpenBao fetch shape:

```bash
bao kv get -field=NPM_AUTH_TOKEN platform/workloads/whynot-design/whynot-design/npm-publish
bao kv get -field=NPM_AUTH_TOKEN platform/workloads/coulomb/whynot-design/npm-publish
```

Expected ops-warden exec shape after activation:

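Review bot: `bao kv get -field=NPM_AUTH_TOKEN platform/workloads/coulomb/whynot-design/npm-publish` prints the raw token to stdout, so it is unsafe as an interactive check in a shell with history or in any CI step that echoes commands; the hunk header shows the operator's `bao login` and the next line is the ops-warden exec shape, so it is not clear which of the two this fetch belongs to. Suggest labelling it as the shape ops-warden runs (value captured, not displayed), and for a human verification step pointing at `bao kv metadata get platform/workloads/coulomb/whynot-design/npm-publish`, which confirms the secret exists and lists versions without printing the value.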
@@ -63,8 +65,8 @@ logging it.
The source policy grants only:

```text
read platform/data/workloads/whynot-design/whynot-design/npm-publish
read platform/metadata/workloads/whynot-design/whynot-design/npm-publish
read platform/data/workloads/coulomb/whynot-design/npm-publish
read platform/metadata/workloads/coulomb/whynot-design/npm-publish
```

It does not grant write, delete, patch, sudo, auth, sibling workload, or parent
@@ -121,7 +123,7 @@ and service account.
An approved operator must create or confirm the secret with:

```text
path: platform/workloads/whynot-design/whynot-design/npm-publish
path: platform/workloads/coulomb/whynot-design/npm-publish
field: NPM_AUTH_TOKEN
```

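Review bot: "create or confirm" needs to say what confirm means now that the path has moved: the operator should confirm a secret exists at `platform/workloads/coulomb/whynot-design/npm-publish`, not at the old `whynot-design/whynot-design` path, and the block should say whether the value is expected to be a freshly issued npm token or may be carried over from a value previously stored at the old path. Without that, an operator could satisfy the step by copying an already-exposed value into the new location.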
@@ -129,14 +131,14 @@ In the OpenBao UI, open the `platform` KV engine and create or edit the secret
at:

```text
workloads/whynot-design/whynot-design/npm-publish
workloads/coulomb/whynot-design/npm-publish
```

For policies and API checks, the same KV-v2 secret is addressed as:

```text
platform/data/workloads/whynot-design/whynot-design/npm-publish
platform/metadata/workloads/whynot-design/whynot-design/npm-publish
platform/data/workloads/coulomb/whynot-design/npm-publish
platform/metadata/workloads/coulomb/whynot-design/npm-publish
```

The OpenBao UI path does not include the `data/` or `metadata/` segment. Those
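Review bot: the last line explains that the UI path omits `data/` and `metadata/`, but the hunk does not say why two API paths are listed. Suggest one sentence stating that `platform/data/...` is where the `NPM_AUTH_TOKEN` value lives, while `platform/metadata/...` returns version numbers, timestamps and custom metadata but never the secret value, so a reviewer understands why the read policy earlier on the page grants both and why the metadata path is the safe one for existence checks.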
@@ -169,7 +171,7 @@ Send ops-warden only these pointers:
```text
catalog id: whynot-design-npm-publish
mount: platform
path: platform/workloads/whynot-design/whynot-design/npm-publish
path: platform/workloads/coulomb/whynot-design/npm-publish
field: NPM_AUTH_TOKEN
oidc login: bao login -method=oidc -path=netkingdom role=whynot-design-workload-kv-read
policy: workload-kv-read-whynot-design-npm-publish

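Review bot: the pointer block mixes two path forms: `mount: platform` is given on its own line, and `path:` repeats the mount as a prefix (`platform/workloads/coulomb/...`), whereas the UI block earlier on the page is mount-relative (`workloads/coulomb/...`). Pick one form for the pointers and say which it is, so ops-warden neither double-prefixes the mount nor looks up `platform/platform/...`; since the `bao kv get` line on the page takes the mount-prefixed form, keep that here and document `mount:` as informational.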