Correct whynot credential tenant path
@@ -123,12 +123,16 @@ Kubernetes workloads, use External Secrets Operator to materialize OpenBao
values as Kubernetes Secrets. Do not use the OpenBao injector in the current
deployment.
Runtime path convention:
Runtime path convention for workload credential custody:
```text
platform/workloads/<namespace>/<service-account>/<secret-name>
platform/workloads/<tenant-or-org>/<workload>/<secret-purpose>
```
Kubernetes namespace and service-account bounds belong in the auth role or
External Secrets binding unless the namespace is itself the approved workload
identity.
ArgoCD repository credentials are operator credentials, not workload secrets,
and should live under:
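Review bot: The added sentence "Kubernetes namespace and service-account bounds belong in the auth role or External Secrets binding unless the namespace is itself the approved workload identity" leaves undefined the two things a reader of this convention needs: who approves a namespace as the workload identity and where that approval is recorded, and how the `<tenant-or-org>` and `<workload>` segments are bound to a caller now that the path no longer encodes the Kubernetes identity. Suggest one sentence naming the binding mechanism (for example, that the auth role's bound claims must name the tenant and workload the policy path covers) and one pointing at the record of approved tenant names, so that `platform/workloads/<tenant-or-org>/<workload>/<secret-purpose>` is not readable by any caller that merely knows the path.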
@@ -52,11 +52,10 @@ whynot-design.
## Proposed Contract
Use the existing workload convention documented in `docs/openbao.md` and
`docs/argocd-gitops.md`:
Use the workload credential convention documented in `docs/openbao.md`:
```text
platform/workloads/<namespace>/<service-account>/<secret-name>
platform/workloads/<tenant-or-org>/<workload>/<secret-purpose>
```
For this lane, the proposed non-secret contract is:
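Review bot: Dropping `docs/argocd-gitops.md` from the reference is consistent with the earlier hunk's rule that ArgoCD repository credentials are operator credentials rather than workload secrets, but the remaining sentence now only says "use the convention" while the table that follows introduces `coulomb` as the tenant with no source for that value. Suggest stating here where approved `<tenant-or-org>` names come from (or at least that `coulomb` is the org that owns `whynot-design`), so the contract is checkable against a record rather than asserted.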
@@ -64,9 +63,11 @@ For this lane, the proposed non-secret contract is:
| Item | Proposed value |
| --- | --- |
| KV mount | `platform` |
| CLI path | `platform/workloads/whynot-design/whynot-design/npm-publish` |
| KV-v2 policy data path | `platform/data/workloads/whynot-design/whynot-design/npm-publish` |
| KV-v2 policy metadata path | `platform/metadata/workloads/whynot-design/whynot-design/npm-publish` |
| Tenant/org | `coulomb` |
| Workload/project | `whynot-design` |
| CLI path | `platform/workloads/coulomb/whynot-design/npm-publish` |
| KV-v2 policy data path | `platform/data/workloads/coulomb/whynot-design/npm-publish` |
| KV-v2 policy metadata path | `platform/metadata/workloads/coulomb/whynot-design/npm-publish` |
| Secret field | `NPM_AUTH_TOKEN` |
| OpenBao read policy | `workload-kv-read-whynot-design-npm-publish` |
| OIDC auth mount | `netkingdom` unless KeyCape compatibility requires `keycape` |
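Review bot: The three path rows now carry the tenant (`coulomb`), but the `OpenBao read policy` name `workload-kv-read-whynot-design-npm-publish` still keys only on the workload (as does the login role `whynot-design-workload-kv-read` in the read-shape block below), so a second tenant hosting a `whynot-design` workload would collide on policy and role names while its KV path would not. Either include the tenant in both names (`workload-kv-read-coulomb-whynot-design-npm-publish`) or add a row stating that workload names are unique across tenants.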
@@ -78,7 +79,7 @@ The expected caller-facing read shape is:
```bash
bao login -method=oidc -path=netkingdom role=whynot-design-workload-kv-read
bao kv get -field=NPM_AUTH_TOKEN platform/workloads/whynot-design/whynot-design/npm-publish
bao kv get -field=NPM_AUTH_TOKEN platform/workloads/coulomb/whynot-design/npm-publish
```
The command shape is illustrative only. Verification must avoid printing the
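Review bot: `bao kv get -field=NPM_AUTH_TOKEN platform/workloads/coulomb/whynot-design/npm-publish` writes the token to stdout, which is exactly what the next sentence says verification must avoid; since this block is the shape callers will copy, pair it with a non-disclosing check that the read policy already permits, e.g. `bao kv metadata get platform/workloads/coulomb/whynot-design/npm-publish` (confirms the path and its versions exist) or `bao kv get -format=json platform/workloads/coulomb/whynot-design/npm-publish | jq '.data.data | keys'` (confirms the field name without its value), and keep the `-field` form only as the consumer's read.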
@@ -109,7 +110,7 @@ Acceptance:
ops-warden signing smoke.
**2026-06-27:** Reviewed the unread ops-warden request and existing
`platform/workloads/<namespace>/<service-account>/<secret-name>` convention.
`platform/workloads/<tenant-or-org>/<workload>/<secret-purpose>` convention.
Captured the proposed `whynot-design` npm publish lane above with no secret
values.
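Review bot: This rewrites a dated log entry (`2026-06-27`) to say that the `<tenant-or-org>/<workload>/<secret-purpose>` convention was reviewed that day, but the removed line shows the convention reviewed then was `<namespace>/<service-account>/<secret-name>`. Editing a past entry makes the log useless for reconstructing when the tenant segment was introduced; leave the original entry as written and append a new dated entry stating that the path was corrected to `platform/workloads/coulomb/whynot-design/npm-publish` and why.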
@@ -129,7 +130,7 @@ the selected `npm-publish` path.
Acceptance:
- A policy file under `openbao/policies/` defines read access to the exact
`platform/data/workloads/whynot-design/whynot-design/npm-publish` path.
`platform/data/workloads/coulomb/whynot-design/npm-publish` path.
- Metadata/list capabilities are only as broad as needed for the caller and
ops-warden fetch UX.
- The policy grants no write, delete, patch, sudo, auth, or unrelated workload
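Review bot: The acceptance item now names the data path `platform/data/workloads/coulomb/whynot-design/npm-publish`, but after a path correction the stronger check is the negative one: the policy must no longer grant `read` on the superseded `platform/data/workloads/whynot-design/whynot-design/npm-publish` path or its metadata path, otherwise both locations stay readable. Suggest adding a bullet that the superseded paths are absent from the policy file and that the dry-run apply target reports no rule for them.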
@@ -140,7 +141,7 @@ Acceptance:
**2026-06-27:** Added the concrete policy artifact at
`openbao/policies/workload-kv-read-whynot-design-npm-publish.hcl`. It grants
only `read` on the exact KV-v2 data and metadata paths for
`platform/workloads/whynot-design/whynot-design/npm-publish`; it does not grant
`platform/workloads/coulomb/whynot-design/npm-publish`; it does not grant
write/delete/list/sudo/auth or sibling workload access. Added
`scripts/openbao-apply-workload-kv-lanes.sh`,
`make openbao-workload-kv-lanes-dry-run`, and
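Review bot: This entry asserts that `openbao/policies/workload-kv-read-whynot-design-npm-publish.hcl` grants read on the `coulomb/whynot-design/npm-publish` data and metadata paths, but neither that `.hcl` file nor `scripts/openbao-apply-workload-kv-lanes.sh` appears among the hunks shown for this commit; if they still name `whynot-design/whynot-design/npm-publish`, the log now describes a policy that does not exist. Either include the policy and script change in the same commit or word the entry as pending and reference the commit that updates them.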
@@ -195,7 +196,7 @@ publish token.
Acceptance:
- The path exists at
`platform/workloads/whynot-design/whynot-design/npm-publish`.
`platform/workloads/coulomb/whynot-design/npm-publish`.
- The field is named exactly `NPM_AUTH_TOKEN`.
- The token value is entered through an approved operator/OpenBao path and is
never written to Git, State Hub, chat, prompts, shell history, or workplan
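Review bot: "The path exists at `platform/workloads/coulomb/whynot-design/npm-publish`" is only half of the acceptance for a corrected path: if `NPM_AUTH_TOKEN` was already written under the previous `platform/workloads/whynot-design/whynot-design/npm-publish` location, that copy should be removed with all of its versions (KV-v2 keeps history, so `bao kv metadata delete` rather than `bao kv delete`) and, because it was readable under the earlier policy, the token rotated rather than copied across. Add a bullet requiring the old path to be absent and one recording whether rotation was needed.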