Correct whynot credential tenant path

2026-06-28 01:00:12 +02:00
parent ad47a136f7
commit eb24e04b71
10 changed files with 67 additions and 48 deletions


@@ -25,8 +25,10 @@ Ops-warden batch follow-up:
| Item | Value |
| --- | --- |
| ops-warden catalog id | `whynot-design-npm-publish` |
| Tenant/org | `coulomb` |
| Workload/project | `whynot-design` |
| KV mount | `platform` |
| OpenBao CLI path | `platform/workloads/whynot-design/whynot-design/npm-publish` |
| OpenBao CLI path | `platform/workloads/coulomb/whynot-design/npm-publish` |
| Secret field | `NPM_AUTH_TOKEN` |
| Front-door readiness | `template`, `resolvable=false` until CCR verification |
| Read policy | `workload-kv-read-whynot-design-npm-publish` |
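Review bot: the corrected `OpenBao CLI path` row now agrees with the `Tenant/org` row (`coulomb`), which the old path (`whynot-design/whynot-design`) did not; since the `Read policy` name `workload-kv-read-whynot-design-npm-publish` encodes only the workload and not the tenant, a stale path elsewhere would not be caught by naming alone, so every other occurrence of the old prefix in this document should be checked against this row.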
@@ -45,7 +47,7 @@ bao login -method=oidc -path=netkingdom role=whynot-design-workload-kv-read
Expected OpenBao fetch shape:
```bash
bao kv get -field=NPM_AUTH_TOKEN platform/workloads/whynot-design/whynot-design/npm-publish
bao kv get -field=NPM_AUTH_TOKEN platform/workloads/coulomb/whynot-design/npm-publish
```
Expected ops-warden exec shape after activation:
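Review bot: the `bao kv get` path here is the KV-v2 CLI form (no `data/` segment) and must correspond exactly to the `platform/data/workloads/coulomb/whynot-design/npm-publish` grant in the read policy; a mismatch between the two surfaces as a permission denied under the `whynot-design-workload-kv-read` role rather than a path-not-found error, so a read with that role after the policy change is applied is the simplest confirmation.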
@@ -63,8 +65,8 @@ logging it.
The source policy grants only:
```text
read platform/data/workloads/whynot-design/whynot-design/npm-publish
read platform/metadata/workloads/whynot-design/whynot-design/npm-publish
read platform/data/workloads/coulomb/whynot-design/npm-publish
read platform/metadata/workloads/coulomb/whynot-design/npm-publish
```
It does not grant write, delete, patch, sudo, auth, sibling workload, or parent
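Review bot: the text following the block states that the policy "grants only" the two listed paths, so the previously documented grants on `platform/data/workloads/whynot-design/whynot-design/npm-publish` and its `metadata/` counterpart should be confirmed absent from the live policy, not just from this document; a leftover grant on the old path would contradict the statement and would read any secret an operator had created there under the earlier instructions.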
@@ -121,7 +123,7 @@ and service account.
An approved operator must create or confirm the secret with:
```text
path: platform/workloads/whynot-design/whynot-design/npm-publish
path: platform/workloads/coulomb/whynot-design/npm-publish
field: NPM_AUTH_TOKEN
```
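Review bot: if an operator already created the secret at the old path `platform/workloads/whynot-design/whynot-design/npm-publish` under the previous version of these instructions, the corrected read policy no longer covers it, so the instruction to "create or confirm" should also tell the operator to check for and remove the old-path copy once the secret exists at `platform/workloads/coulomb/whynot-design/npm-publish`, so that only one copy of `NPM_AUTH_TOKEN` remains.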
@@ -129,14 +131,14 @@ In the OpenBao UI, open the `platform` KV engine and create or edit the secret
at:
```text
workloads/whynot-design/whynot-design/npm-publish
workloads/coulomb/whynot-design/npm-publish
```
For policies and API checks, the same KV-v2 secret is addressed as:
```text
platform/data/workloads/whynot-design/whynot-design/npm-publish
platform/metadata/workloads/whynot-design/whynot-design/npm-publish
platform/data/workloads/coulomb/whynot-design/npm-publish
platform/metadata/workloads/coulomb/whynot-design/npm-publish
```
The OpenBao UI path does not include the `data/` or `metadata/` segment. Those
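Review bot: the UI path, the `data/` path and the `metadata/` path were all updated together in this hunk, which is correct, but the same secret is now spelled out in at least three forms in separate places; stating the canonical CLI path once and deriving the UI form (drop the mount prefix) and the policy form (insert `data/` or `metadata/`) from it, as the sentence after the block begins to do, would reduce the chance of the three drifting apart again.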
@@ -169,7 +171,7 @@ Send ops-warden only these pointers:
```text
catalog id: whynot-design-npm-publish
mount: platform
path: platform/workloads/whynot-design/whynot-design/npm-publish
path: platform/workloads/coulomb/whynot-design/npm-publish
field: NPM_AUTH_TOKEN
oidc login: bao login -method=oidc -path=netkingdom role=whynot-design-workload-kv-read
policy: workload-kv-read-whynot-design-npm-publish
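Review bot: the `mount: platform` pointer and the `path: platform/workloads/coulomb/whynot-design/npm-publish` pointer overlap, since the path already carries the mount prefix; if ops-warden joins `mount` and `path` the result would be `platform/platform/...`, so it is worth confirming which form ops-warden expects and either dropping the prefix from `path` or documenting that `path` is already mount-qualified.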