106 lines
4.3 KiB
YAML
id: CCR-2026-0002
kind: credential-change-request
schema_version: 1
request_type: workload-kv-read
title: issue-core runtime ingestion key lane
status: proposed
created: '2026-06-27'
updated: '2026-06-30'
requester:
  agent: ops-warden
  message_id: fe5b1696-8956-4bd5-9d6f-dbde1901a076
  reason: Confirm and provision the issue-core workload KV lane requested in the ops-warden
    batch.
review:
  required: true
  required_approvers:
  - platform-operator
  - issue-core-owner
  comments:
  - at: '2026-06-29T22:53:03+00:00'
    reviewer: codex
    decision: metadata_review_binding_confirmed
    comment: Live cluster metadata on 2026-06-30 confirms ExternalSecret issue-core/issue-core-runtime
      is Ready=True (SecretSynced) and maps ISSUE_CORE_API_KEY plus GITEA_BACKEND_TOKEN
      from platform/workloads/issue-core/issue-core/issue-core-runtime. The workload
      Deployment uses the default service account; OpenBao auth for this delivery
      path is the platform ClusterSecretStore/openbao role external-secrets-issue-core
      bound to service account external-secrets/external-secrets. Keep CCR status
      proposed until platform/operator and issue-core-owner approval.
target:
  domain: financials
  tenant: issue-core
  workload: issue-core
  environment: production
  purpose: issue-core runtime ingestion through OpenBao workload KV and External Secrets
openbao:
  mount: platform
  kv_path: platform/workloads/issue-core/issue-core/issue-core-runtime
  fields:
  - ISSUE_CORE_API_KEY
  - GITEA_BACKEND_TOKEN
  policy_name: workload-kv-read-issue-core-runtime
  policy_file: openbao/policies/workload-kv-read-issue-core-runtime.hcl
  auth:
    method: kubernetes
    mount: kubernetes
    role: external-secrets-issue-core
    bound_claims:
      service_account_names:
      - external-secrets
      service_account_namespaces:
      - external-secrets
    bound_claims_confirmed: true
    policies:
    - workload-kv-read-issue-core-runtime
    ttl: 15m
access_frontdoor:
  type: ops-warden
  catalog_id: issue-core-ingestion-api-key
  selector: issue-core ingestion API key
  command: warden access issue-core-ingestion-api-key --fetch ISSUE_CORE_API_KEY
  resolvable: false
  readiness: template
  activation: draft-until-ccr-verified
delivery:
  surface: external-secrets
  target: ExternalSecret issue-core/issue-core-runtime -> Secret issue-core-runtime
    in the issue-core namespace
risk:
  classification: high
  notes:
  - Grants read access to issue-core runtime ingestion credentials through the platform
    External Secrets path.
  - GITEA_BACKEND_TOKEN remains included because the live issue-core ExternalSecret
    maps it alongside ISSUE_CORE_API_KEY; remove it before approval only if the issue-core
    owner confirms it is no longer required.
  - The Kubernetes auth subject is the External Secrets operator service account external-secrets/external-secrets,
    with ClusterSecretStore usage limited to the issue-core namespace.
  - ops-warden must proxy reads as the caller and must not retain token values.
verification:
  positive:
  - ExternalSecret issue-core/issue-core-runtime is Ready=True and syncs the configured
    fields without printing values.
  - Approved issue-core runtime can consume the resulting Kubernetes Secret without
    exposing values.
  negative:
  - A namespace outside the approved ClusterSecretStore condition cannot use this
    store to read the path.
  - A service account outside external-secrets/external-secrets cannot authenticate
    through the External Secrets OpenBao role.
  activation_conditions:
  - Policy applied with platform-admin/operator authority.
  - Kubernetes auth role bound to external-secrets/external-secrets for the issue-core
    External Secrets delivery path.
  - Secret values provisioned directly in OpenBao through approved operator custody.
  - Positive and negative verification recorded with non-secret audit ids or timestamps.
lifecycle:
  deactivate: Disable ops-warden catalog entry and remove or detach auth role policy.
  rotate: Replace issue-core runtime secret values directly in OpenBao and record
    non-secret rotation evidence.
  compromised: Immediately deactivate access front door, rotate affected values, record
    blast-radius notes, and open incident follow-up tasks.
state_hub:
  workplan_id: RAILIANCE-WP-0007
  ops_warden_batch_message_id: fe5b1696-8956-4bd5-9d6f-dbde1901a076