railiance-platform/credential-change-requests/CCR-2026-0002-issue-core-ingestion-api-key.yaml
tegwick 4936b8970b RAILIANCE-WP-0009/0010 finished: front doors active; WP-0005 T10 done
- CCR-2026-0002/0003: frontdoor_activation evidence recorded, status active,
  readiness ready/resolvable (ops-warden catalog promotion commit 364eb7d)
- WP-0009/0010 T06 done; both workplans finished
- WP-0005 T10 closed on acceptance (fast path, break-glass, routing truth
  consistent); phase-2 readonly-diagnostics grant deferred as follow-up
- WP-0005 T07 stays wait: flex-auth lacks a credential-grant authorization
  surface (capability request sent, State Hub message 893ff109)

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-02 20:54:29 +02:00


id: CCR-2026-0002
kind: credential-change-request
schema_version: 1
request_type: workload-kv-read
title: issue-core runtime ingestion key lane
status: active
created: '2026-06-27'
updated: '2026-07-02'
requester:
  agent: ops-warden
  message_id: fe5b1696-8956-4bd5-9d6f-dbde1901a076
  reason: Confirm and provision the issue-core workload KV lane requested in the ops-warden
    batch.
review:
  required: true
  required_approvers:
    - platform-operator
    - issue-core-owner
  comments:
    - at: '2026-06-29T22:53:03+00:00'
      reviewer: codex
      decision: metadata_review_binding_confirmed
      comment: Live cluster metadata on 2026-06-30 confirms ExternalSecret issue-core/issue-core-runtime
        is Ready=True (SecretSynced) and maps ISSUE_CORE_API_KEY plus GITEA_BACKEND_TOKEN
        from platform/workloads/issue-core/issue-core/issue-core-runtime. The workload
        Deployment uses the default service account; OpenBao auth for this delivery
        path is the platform ClusterSecretStore/openbao role external-secrets-issue-core
        bound to service account external-secrets/external-secrets. Keep CCR status
        proposed until platform/operator and issue-core-owner approval.
    - at: '2026-07-02T09:59:54+00:00'
      reviewer: bernd.worsch
      decision: approved
      comment: 'Approved in chat (Claude Code coached-approvals session, 2026-07-02)
        acting as all required approvers: platform-operator, issue-core-owner. Field-set
        decision: keep both ISSUE_CORE_API_KEY and GITEA_BACKEND_TOKEN, matching the
        live ExternalSecret mapping.'
target:
  domain: financials
  tenant: issue-core
  workload: issue-core
  environment: production
  purpose: issue-core runtime ingestion through OpenBao workload KV and External Secrets
openbao:
  mount: platform
  kv_path: platform/workloads/issue-core/issue-core/issue-core-runtime
  fields:
    - ISSUE_CORE_API_KEY
    - GITEA_BACKEND_TOKEN
  policy_name: workload-kv-read-issue-core-runtime
  policy_file: openbao/policies/workload-kv-read-issue-core-runtime.hcl
auth:
  method: kubernetes
  mount: kubernetes
  role: external-secrets-issue-core
  bound_claims:
    service_account_names:
      - external-secrets
    service_account_namespaces:
      - external-secrets
  bound_claims_confirmed: true
  policies:
    - workload-kv-read-issue-core-runtime
  ttl: 15m
access_frontdoor:
  type: ops-warden
  catalog_id: issue-core-ingestion-api-key
  selector: issue-core ingestion API key
  command: warden access issue-core-ingestion-api-key --fetch ISSUE_CORE_API_KEY
  resolvable: true
  readiness: ready
  activation: verified-positive-and-negative-access-frontdoor-active-2026-07-02
delivery:
  surface: external-secrets
  target: ExternalSecret issue-core/issue-core-runtime -> Secret issue-core-runtime
    in the issue-core namespace
risk:
  classification: high
  notes:
    - Grants read access to issue-core runtime ingestion credentials through the platform
      External Secrets path.
    - GITEA_BACKEND_TOKEN remains included because the live issue-core ExternalSecret
      maps it alongside ISSUE_CORE_API_KEY; remove it before approval only if the issue-core
      owner confirms it is no longer required.
    - The Kubernetes auth subject is the External Secrets operator service account external-secrets/external-secrets,
      with ClusterSecretStore usage limited to the issue-core namespace.
    - ops-warden must proxy reads as the caller and must not retain token values.
verification:
  positive:
    - ExternalSecret issue-core/issue-core-runtime is Ready=True and syncs the configured
      fields without printing values.
    - Approved issue-core runtime can consume the resulting Kubernetes Secret without
      exposing values.
  negative:
    - A namespace outside the approved ClusterSecretStore condition cannot use this
      store to read the path.
    - A service account outside external-secrets/external-secrets cannot authenticate
      through the External Secrets OpenBao role.
activation_conditions:
  - Policy applied with platform-admin/operator authority.
  - Kubernetes auth role bound to external-secrets/external-secrets for the issue-core
    External Secrets delivery path.
  - Secret values provisioned directly in OpenBao through approved operator custody.
  - Positive and negative verification recorded with non-secret audit ids or timestamps.
evidence:
  - at: '2026-07-02T10:08:00+00:00'
    actor: bernd.worsch
    kind: delegated_metadata_apply
    result: passed
    details:
      - Delegated metadata applier ran as bernd.worsch using local bao CLI ambient authority.
      - 'Policy metadata write: sys/policies/acl/workload-kv-read-issue-core-runtime'
      - 'Auth role metadata write: auth/kubernetes/role/external-secrets-issue-core'
      - No secret values were read, written, printed, or accepted in argv.
  - at: '2026-07-02T18:49:04+00:00'
    actor: railiance-platform
    kind: frontdoor_activation
    result: passed
    details:
      - 'ops-warden promoted catalog id issue-core-ingestion-api-key to status active
        (ops-warden commit 364eb7d, reviewed 2026-07-02): entry is exec_capable and
        resolvable with zero-placeholder handoff; ops-warden proxies reads as the caller
        and holds no secret value. Promotion followed positive/negative verification
        recorded 2026-07-02.'
lifecycle:
  deactivate: Disable ops-warden catalog entry and remove or detach auth role policy.
  rotate: Replace issue-core runtime secret values directly in OpenBao and record
    non-secret rotation evidence.
  compromised: Immediately deactivate access front door, rotate affected values, record
    blast-radius notes, and open incident follow-up tasks.
state_hub:
  workplan_id: RAILIANCE-WP-0007
  ops_warden_batch_message_id: fe5b1696-8956-4bd5-9d6f-dbde1901a076
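The openbao, auth, verification and activation_conditions sections above pin down the lane's controls (read-only policy on one KV path, a Kubernetes auth role bound to external-secrets/external-secrets, a 15m TTL, and evidence that must carry no secret values), but the page shows neither the policy file nor how those invariants get checked before the delegated metadata apply. The following is an added example and not code from the railiance-platform repository: it renders the least-privilege HCL policy for the lane and lints a CCR against the invariants the request implies. It assumes the `platform` mount is a KV v2 engine, so reads go through `platform/data/...` and `platform/metadata/...` (on KV v1 those segments do not exist). The `CCR` dict is a constructed subset of CCR-2026-0002; `MAX_TTL_SECONDS`, the `SECRET_LIKE` heuristic and the rule set in `lint` are assumptions chosen for illustration, not platform policy.

```python
"""Render and lint the least-privilege OpenBao lane a workload-kv-read CCR asks for.
Added example, not railiance-platform code; assumes the `platform` mount is KV v2."""
import copy
import re

MAX_TTL_SECONDS = 15 * 60  # assumption: no lane token outlives the 15m the CCR requests
# Heuristic (assumed): OpenBao/Vault token prefixes or a 40-hex Gitea-style PAT in CCR text.
SECRET_LIKE = re.compile(r"\b(?:hvs|hvb|s)\.[A-Za-z0-9_-]{20,}|\b[0-9a-f]{40}\b")

# Constructed subset of CCR-2026-0002; only the keys the checks below read.
CCR = {
    "openbao": {
        "mount": "platform",
        "kv_path": "platform/workloads/issue-core/issue-core/issue-core-runtime",
        "policy_name": "workload-kv-read-issue-core-runtime",
    },
    "auth": {
        "bound_claims": {
            "service_account_names": ["external-secrets"],
            "service_account_namespaces": ["external-secrets"],
        },
        "bound_claims_confirmed": True,
        "policies": ["workload-kv-read-issue-core-runtime"],
        "ttl": "15m",
    },
    "evidence": [{"details": ["Policy metadata write: sys/policies/acl/workload-kv-read-issue-core-runtime",
                              "No secret values were read, written, printed, or accepted in argv."]}],
}


def lane_paths(mount, kv_path):
    """KV v2 API paths for one secret: (data path, metadata path)."""
    rel = kv_path[len(mount) + 1:] if kv_path.startswith(mount + "/") else kv_path
    return f"{mount}/data/{rel}", f"{mount}/metadata/{rel}"


def kv_v2_policy(mount, kv_path):
    """HCL ACL policy granting read on exactly one secret and its metadata, nothing else."""
    return "".join(f'path "{p}" {{\n  capabilities = ["read"]\n}}\n' for p in lane_paths(mount, kv_path))


def policy_capabilities(hcl):
    """Parse path -> set(capabilities) from the flat `path "..." { capabilities = [...] }` form."""
    caps = {}
    for block in re.finditer(r'path\s+"([^"]+)"\s*\{([^}]*)\}', hcl):
        found = re.search(r"capabilities\s*=\s*\[([^\]]*)\]", block.group(2))
        caps[block.group(1)] = set(re.findall(r'"([^"]+)"', found.group(1))) if found else set()
    return caps


def ttl_seconds(ttl):
    """OpenBao duration string (30s, 15m, 1h) to seconds."""
    m = re.fullmatch(r"(\d+)([smh])", ttl)
    if not m: raise ValueError(f"unsupported ttl {ttl!r}")
    return int(m.group(1)) * {"s": 1, "m": 60, "h": 3600}[m.group(2)]


def _strings(node):
    """Every string leaf of a nested dict/list, for the secret-leak scan."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for value in (node.values() if isinstance(node, dict) else node):
            yield from _strings(value)


def lint(ccr, hcl):
    """Invariant violations for a workload-kv-read lane; an empty list means clean."""
    problems, ob, auth = [], ccr["openbao"], ccr["auth"]
    allowed = set(lane_paths(ob["mount"], ob["kv_path"]))
    for path, caps in policy_capabilities(hcl).items():
        if path not in allowed:
            problems.append(f"policy touches a path outside the lane: {path}")
        if caps - {"read"}:
            problems.append(f"non-read capabilities on {path}: {sorted(caps - {'read'})}")
    if auth["policies"] != [ob["policy_name"]]:
        problems.append("auth role must attach exactly the lane policy")
    for claim in ("service_account_names", "service_account_namespaces"):
        values = auth["bound_claims"].get(claim, [])
        if not values or "*" in values:
            problems.append(f"{claim} must pin a concrete subject (no empty list, no '*')")
    if not auth.get("bound_claims_confirmed"):
        problems.append("bound_claims_confirmed is not true")
    if ttl_seconds(auth["ttl"]) > MAX_TTL_SECONDS:
        problems.append(f"ttl {auth['ttl']} exceeds {MAX_TTL_SECONDS}s")
    if any(SECRET_LIKE.search(text) for text in _strings(ccr)):
        problems.append("a secret-looking value appears in CCR text; evidence must stay non-secret")
    return problems


def demo_violations():
    """Lint the page's lane plus three deliberately broken variants: name -> violation count."""
    good = kv_v2_policy(CCR["openbao"]["mount"], CCR["openbao"]["kv_path"])
    loose = good.replace('["read"]', '["read", "update"]', 1)  # write capability on the data path
    wildcard = copy.deepcopy(CCR)
    wildcard["auth"]["bound_claims"]["service_account_names"] = ["*"]
    leaky = copy.deepcopy(CCR)
    leaky["evidence"][0]["details"].append("issued token hvs." + "A" * 30)  # constructed fake token
    return {
        "clean": len(lint(CCR, good)),
        "loose_policy": len(lint(CCR, loose)),
        "wildcard_sa": len(lint(wildcard, good)),
        "leaked_token": len(lint(leaky, good)),
    }
```

Run `lint` over the rendered policy before the `delegated_metadata_apply` step and treat a non-empty list as a blocker for the `sys/policies/acl` write. The secret scan is deliberately crude: it is there to catch an operator pasting a token into an evidence line, which the activation conditions forbid, not to replace a proper secret scanner.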