Correct whynot credential tenant path

This commit is contained in:
2026-06-28 01:00:12 +02:00
parent ad47a136f7
commit eb24e04b71
10 changed files with 67 additions and 48 deletions

View File

@@ -123,12 +123,16 @@ Kubernetes workloads, use External Secrets Operator to materialize OpenBao
values as Kubernetes Secrets. Do not use the OpenBao injector in the current
deployment.
Runtime path convention:
Runtime path convention for workload credential custody:
```text
platform/workloads/<namespace>/<service-account>/<secret-name>
platform/workloads/<tenant-or-org>/<workload>/<secret-purpose>
```
Kubernetes namespace and service-account bounds belong in the auth role or
External Secrets binding unless the namespace is itself the approved workload
identity.
ArgoCD repository credentials are operator credentials, not workload secrets,
and should live under:
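Review bot: the exception "unless the namespace is itself the approved workload identity" in the new paragraph is undefined; with the namespace and service-account removed from the path, the auth role or External Secrets binding becomes the only place those bounds are enforced, so the doc should say who approves a namespace as a workload identity and where that approval is recorded. It would also help to state whether anything already stored under the old `platform/workloads/<namespace>/<service-account>/<secret-name>` layout is migrated or left in place, so a reader can tell which convention an existing path follows.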

View File

@@ -52,11 +52,10 @@ whynot-design.
## Proposed Contract
Use the existing workload convention documented in `docs/openbao.md` and
`docs/argocd-gitops.md`:
Use the workload credential convention documented in `docs/openbao.md`:
```text
platform/workloads/<namespace>/<service-account>/<secret-name>
platform/workloads/<tenant-or-org>/<workload>/<secret-purpose>
```
For this lane, the proposed non-secret contract is:
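Review bot: dropping `docs/argocd-gitops.md` from the reference sentence implies that file no longer documents this convention; confirm it was updated in this commit (or never used the `<namespace>/<service-account>` form), otherwise the ArgoCD doc and this contract now disagree on the path layout.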
@@ -64,9 +63,11 @@ For this lane, the proposed non-secret contract is:
| Item | Proposed value |
| --- | --- |
| KV mount | `platform` |
| CLI path | `platform/workloads/whynot-design/whynot-design/npm-publish` |
| KV-v2 policy data path | `platform/data/workloads/whynot-design/whynot-design/npm-publish` |
| KV-v2 policy metadata path | `platform/metadata/workloads/whynot-design/whynot-design/npm-publish` |
| Tenant/org | `coulomb` |
| Workload/project | `whynot-design` |
| CLI path | `platform/workloads/coulomb/whynot-design/npm-publish` |
| KV-v2 policy data path | `platform/data/workloads/coulomb/whynot-design/npm-publish` |
| KV-v2 policy metadata path | `platform/metadata/workloads/coulomb/whynot-design/npm-publish` |
| Secret field | `NPM_AUTH_TOKEN` |
| OpenBao read policy | `workload-kv-read-whynot-design-npm-publish` |
| OIDC auth mount | `netkingdom` unless KeyCape compatibility requires `keycape` |
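Review bot: the new `Tenant/org` row puts `coulomb` into the path, but the `OpenBao read policy` name `workload-kv-read-whynot-design-npm-publish` still carries no tenant; if another tenant ever hosts a workload named `whynot-design`, the two read policies (and the matching OIDC role) would collide or be hard to tell apart. Either fold the tenant into the policy name, for example `workload-kv-read-coulomb-whynot-design-npm-publish`, or state in the contract that workload names are unique across tenants.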
@@ -78,7 +79,7 @@ The expected caller-facing read shape is:
```bash
bao login -method=oidc -path=netkingdom role=whynot-design-workload-kv-read
bao kv get -field=NPM_AUTH_TOKEN platform/workloads/whynot-design/whynot-design/npm-publish
bao kv get -field=NPM_AUTH_TOKEN platform/workloads/coulomb/whynot-design/npm-publish
```
The command shape is illustrative only. Verification must avoid printing the
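Review bot: `bao kv get -field=NPM_AUTH_TOKEN ...` writes the token to stdout, which sits awkwardly next to the sentence that verification must avoid printing the value. Consider keeping the `-field` form only as the consumer's read shape and showing a separate verification shape that does not return secret data, such as `bao kv metadata get platform/workloads/coulomb/whynot-design/npm-publish` to confirm the path and version exist.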
@@ -109,7 +110,7 @@ Acceptance:
ops-warden signing smoke.
**2026-06-27:** Reviewed the unread ops-warden request and existing
`platform/workloads/<namespace>/<service-account>/<secret-name>` convention.
`platform/workloads/<tenant-or-org>/<workload>/<secret-purpose>` convention.
Captured the proposed `whynot-design` npm publish lane above with no secret
values.
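Review bot: this rewrites the dated 2026-06-27 entry so that it claims to have reviewed the `<tenant-or-org>/<workload>/<secret-purpose>` convention, while the convention reviewed on that date was the `<namespace>/<service-account>/<secret-name>` one. Leave the old entry as written and add a new dated entry for the correction (the commit date is 2026-06-28), so the log records that the earlier proposal used the wrong path and when it was fixed.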
@@ -129,7 +130,7 @@ the selected `npm-publish` path.
Acceptance:
- A policy file under `openbao/policies/` defines read access to the exact
`platform/data/workloads/whynot-design/whynot-design/npm-publish` path.
`platform/data/workloads/coulomb/whynot-design/npm-publish` path.
- Metadata/list capabilities are only as broad as needed for the caller and
ops-warden fetch UX.
- The policy grants no write, delete, patch, sudo, auth, or unrelated workload
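Review bot: the first acceptance item names only the exact `platform/data/workloads/coulomb/whynot-design/npm-publish` path, but the later entry says the policy also grants `read` on the corresponding metadata path; name `platform/metadata/workloads/coulomb/whynot-design/npm-publish` here too so "exact" covers both. Since this is a path correction, an acceptance line that no policy file under `openbao/policies/` still references the old `whynot-design/whynot-design` path would also be worth adding.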
@@ -140,7 +141,7 @@ Acceptance:
**2026-06-27:** Added the concrete policy artifact at
`openbao/policies/workload-kv-read-whynot-design-npm-publish.hcl`. It grants
only `read` on the exact KV-v2 data and metadata paths for
`platform/workloads/whynot-design/whynot-design/npm-publish`; it does not grant
`platform/workloads/coulomb/whynot-design/npm-publish`; it does not grant
write/delete/list/sudo/auth or sibling workload access. Added
`scripts/openbao-apply-workload-kv-lanes.sh`,
`make openbao-workload-kv-lanes-dry-run`, and
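Review bot: only the prose path is changed in this hunk; confirm that `openbao/policies/workload-kv-read-whynot-design-npm-publish.hcl` and `scripts/openbao-apply-workload-kv-lanes.sh` were updated to the `coulomb` path in the same commit, since this entry now describes the artifact as granting read on the new paths. If the policy had already been applied with the old path body, the entry should also say that it must be re-applied and that the old policy body is no longer live.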
@@ -195,7 +196,7 @@ publish token.
Acceptance:
- The path exists at
`platform/workloads/whynot-design/whynot-design/npm-publish`.
`platform/workloads/coulomb/whynot-design/npm-publish`.
- The field is named exactly `NPM_AUTH_TOKEN`.
- The token value is entered through an approved operator/OpenBao path and is
never written to Git, State Hub, chat, prompts, shell history, or workplan
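Review bot: the acceptance only checks that the path exists at `platform/workloads/coulomb/whynot-design/npm-publish`; add a line that the old `platform/workloads/whynot-design/whynot-design/npm-publish` path holds no data (and that any token staged there before this correction is destroyed and rotated), otherwise a stale copy of `NPM_AUTH_TOKEN` could remain readable under a path the corrected policy no longer governs.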