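---
# Credential-change request (CCR) for a read-only OpenBao KV lane: the
# llm-connect workload's OpenRouter provider key. The document carries the
# requested policy, Kubernetes auth binding and the evidence expected before
# the access front door is activated; it contains no secret values itself.
id: CCR-2026-0003
kind: credential-change-request
schema_version: 1
request_type: workload-kv-read
title: "llm-connect OpenRouter provider key lane"
# State of the request itself. `proposed` means nothing has been applied yet;
# see review.required and activation_conditions for what gates activation.
status: proposed
created: "2026-06-27"
updated: "2026-06-27"

requester:
  agent: ops-warden
  # Id of the ops-warden batch message that originated this request; the same
  # value is recorded in state_hub.ops_warden_batch_message_id.
  message_id: "fe5b1696-8956-4bd5-9d6f-dbde1901a076"
  reason: "Confirm and provision the llm-connect OpenRouter workload KV lane requested in the ops-warden batch."

review:
  required: true
  # Both approvers are listed as required; comments accumulate during review.
  required_approvers:
    - platform-operator
    - activity-core-owner
  comments: []

target:
  domain: financials
  tenant: activity-core
  workload: llm-connect
  environment: production
  purpose: "llm-connect provider access through OpenBao workload KV and External Secrets"

openbao:
  mount: platform
  kv_path: platform/workloads/activity-core/llm-connect/llm-connect-provider-secrets
  # Only the fields listed here are in scope for the read lane.
  fields:
    - OPENROUTER_API_KEY
  policy_name: workload-kv-read-llm-connect-provider-secrets
  policy_file: openbao/policies/workload-kv-read-llm-connect-provider-secrets.hcl
  auth:
    method: kubernetes
    mount: kubernetes
    role: llm-connect-provider-secrets-read
    # The role is bound to a single service account name in a single
    # namespace. bound_claims_confirmed stays false until that binding has been
    # checked against the cluster (see risk.notes and activation_conditions).
    bound_claims:
      service_account_names:
        - llm-connect
      service_account_namespaces:
        - activity-core
    bound_claims_confirmed: false
    # Must match openbao.policy_name above.
    policies:
      - workload-kv-read-llm-connect-provider-secrets
    ttl: 15m

access_frontdoor:
  type: ops-warden
  catalog_id: llm-connect-openrouter-api-key
  selector: "llm-connect OpenRouter API key"
  command: "warden access llm-connect-openrouter-api-key --fetch OPENROUTER_API_KEY"
  # The catalog entry ships as a draft template and is not resolvable until the
  # CCR has been verified.
  resolvable: false
  readiness: template
  activation: "draft-until-ccr-verified"

delivery:
  surface: external-secrets
  target: "Secret llm-connect-provider-secrets in the activity-core namespace"

risk:
  classification: high
  notes:
    - "Grants read access to the provider key used by llm-connect for OpenRouter requests."
    - "The Kubernetes service account and namespace binding must be confirmed before apply."
    - "ops-warden must proxy reads as the caller and must not retain token values."

verification:
  # Evidence is recorded as non-secret audit ids or timestamps, never the
  # fetched value (see activation_conditions).
  positive:
    - >-
      Approved llm-connect service account can read field OPENROUTER_API_KEY
      through OpenBao or External Secrets without printing the value.
  # NOTE(review): the binding above constrains both service account name and
  # namespace; confirm the negative check exercises each dimension.
  negative:
    - "A service account outside the approved activity-core/llm-connect binding cannot read the path."

activation_conditions:
  - "Policy applied with platform-admin/operator authority."
  - "Kubernetes auth role bound to the confirmed llm-connect service account and namespace."
  - "Secret value provisioned directly in OpenBao through approved operator custody."
  - "Positive and negative verification recorded with non-secret audit ids or timestamps."

lifecycle:
  deactivate: "Disable ops-warden catalog entry and remove or detach auth role policy."
  rotate: "Replace OPENROUTER_API_KEY directly in OpenBao and record non-secret rotation evidence."
  compromised: >-
    Immediately deactivate access front door, rotate the provider key, record
    blast-radius notes, and open incident follow-up tasks.

state_hub:
  workplan_id: RAILIANCE-WP-0007
  ops_warden_batch_message_id: "fe5b1696-8956-4bd5-9d6f-dbde1901a076"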