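---
# Credential-change request (CCR) record for one OpenBao workload KV read lane.
# The document is a proposal: nothing in it is live until the review and the
# activation_conditions below are satisfied. Secret values never appear here,
# only field names, paths, role names and non-secret evidence.
id: CCR-2026-0002
kind: credential-change-request
schema_version: 1
request_type: workload-kv-read
title: "issue-core runtime ingestion key lane"
status: proposed
created: "2026-06-27"
updated: "2026-06-27"

# Who asked for the lane and why; message_id ties the request back to the
# ops-warden batch it came from (also recorded under state_hub).
requester:
  agent: ops-warden
  message_id: "fe5b1696-8956-4bd5-9d6f-dbde1901a076"
  reason: >-
    Confirm and provision the issue-core workload KV lane requested in the
    ops-warden batch.

# Both approvers are required; comments is empty until review starts.
review:
  required: true
  required_approvers:
    - platform-operator
    - issue-core-owner
  comments: []

target:
  domain: financials
  tenant: issue-core
  workload: issue-core
  environment: production
  purpose: >-
    issue-core runtime ingestion through OpenBao workload KV and External
    Secrets

openbao:
  mount: platform
  kv_path: platform/workloads/issue-core/issue-core/issue-core-runtime
  # Field names only. GITEA_BACKEND_TOKEN is provisional; see risk.notes.
  fields:
    - ISSUE_CORE_API_KEY
    - GITEA_BACKEND_TOKEN
  policy_name: workload-kv-read-issue-core-runtime
  policy_file: openbao/policies/workload-kv-read-issue-core-runtime.hcl
  auth:
    method: kubernetes
    mount: kubernetes
    role: issue-core-runtime-workload-kv-read
    # Service account / namespace pair the role is bound to. Both lists are
    # deliberately single-entry so the grant cannot widen silently.
    bound_claims:
      service_account_names:
        - issue-core
      service_account_namespaces:
        - issue-core
    # Stays false until a reviewer has checked the binding above against
    # the real cluster; the role must not be applied while this is false
    # (see verification.activation_conditions).
    bound_claims_confirmed: false
    policies:
      - workload-kv-read-issue-core-runtime
    # Lifetime for tokens issued under this role (presumably OpenBao's
    # duration syntax - confirm against the auth backend).
    ttl: 15m

# How a caller reaches the credential. Not resolvable until the CCR is
# verified; the command fetches a single named field through ops-warden,
# which per risk.notes must proxy as the caller and retain nothing.
access_frontdoor:
  type: ops-warden
  catalog_id: issue-core-ingestion-api-key
  selector: "issue-core ingestion API key"
  command: "warden access issue-core-ingestion-api-key --fetch ISSUE_CORE_API_KEY"
  resolvable: false
  readiness: template
  activation: "draft-until-ccr-verified"

delivery:
  surface: external-secrets
  target: "issue-core namespace"

risk:
  classification: high
  notes:
    - "Grants read access to issue-core runtime ingestion credentials."
    - >-
      GITEA_BACKEND_TOKEN is included because ops-warden asked to confirm
      whether it is used; remove it before approval if issue-core does not
      require it.
    - >-
      The Kubernetes service account and namespace binding must be confirmed
      before apply.
    - >-
      ops-warden must proxy reads as the caller and must not retain token
      values.

# Evidence required before activation. Every check is recorded without
# secret values - audit ids or timestamps only.
verification:
  positive:
    - >-
      Approved issue-core service account can read the configured fields
      through OpenBao or External Secrets without printing values.
  negative:
    - >-
      A service account outside the approved issue-core binding cannot read
      the path.
  activation_conditions:
    - "Policy applied with platform-admin/operator authority."
    - >-
      Kubernetes auth role bound to the confirmed issue-core service account
      and namespace.
    - >-
      Secret values provisioned directly in OpenBao through approved
      operator custody.
    - >-
      Positive and negative verification recorded with non-secret audit ids
      or timestamps.

# Operational runbook stubs; each step records non-secret evidence only.
lifecycle:
  deactivate: >-
    Disable ops-warden catalog entry and remove or detach auth role policy.
  rotate: >-
    Replace issue-core runtime secret values directly in OpenBao and record
    non-secret rotation evidence.
  compromised: >-
    Immediately deactivate access front door, rotate affected values, record
    blast-radius notes, and open incident follow-up tasks.

state_hub:
  workplan_id: RAILIANCE-WP-0007
  ops_warden_batch_message_id: "fe5b1696-8956-4bd5-9d6f-dbde1901a076"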