docs(bf-4ur): document secret templates and credential sources for apexalgo-iad

Reviewed R2_ACCESS_KEY_SOURCE.md and IAD-ACB-R2-CREDENTIALS-FIX.md (for context on iad-acb).
Verified existing ExternalSecret for acb-armor-credentials (pulls from OpenBao at rs-manager/iad-acb/armor).
Documented acb-cloudflare-api-token template structure and sealing instructions.

Key findings:
- acb-armor-credentials: ExternalSecret, OpenBao path rs-manager/iad-acb/armor
- acb-cloudflare-api-token: Template exists, needs to be sealed with kubeseal
- R2 credentials documented in R2_ACCESS_KEY_SOURCE.md are for iad-acb cluster

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
jedarden 2026-07-02 08:33:04 -04:00
parent 7c18b5a4ce
commit 7360d24d8e

View file

@ -29,6 +29,8 @@ Cloudflare R2 Dashboard → OpenBao (rs-manager) → ESO → Kubernetes Secret
**Status:** CORRUPTED - values in OpenBao are swapped/corrupted (documented in IAD-ACB-R2-CREDENTIALS-FIX.md)
**Note:** This secret is for **iad-acb cluster**, not apexalgo-iad.
### 2. IAD-ACB-R2-CREDENTIALS-FIX.md
**Purpose:** Documents the corruption issue with `acb-r2-credentials` ExternalSecret on **iad-acb** cluster.
@ -38,17 +40,24 @@ Cloudflare R2 Dashboard → OpenBao (rs-manager) → ESO → Kubernetes Secret
- `secret-key` contains the endpoint URL (swapped)
- `access-key` contains a hash instead of the R2 access key ID
**Fix Options:**
1. Fix OpenBao directly at `secret/rs-manager/ai-code-battle/r2`
2. Replace with SealedSecret (bypass ESO)
3. Run automated fix script
**Note:** This documentation is for iad-acb cluster. The apexalgo-iad cluster uses different secrets.
## Secret Templates in declarative-config (apexalgo-iad)
### 1. acb-armor-credentials (ExternalSecret)
**File:** `/home/coding/declarative-config/k8s/apexalgo-iad/ai-code-battle/acb-armor-credentials-externalsecret.yml`
**File:** `declarative-config/k8s/apexalgo-iad/ai-code-battle/acb-armor-credentials-externalsecret.yml`
**Type:** ExternalSecret (pulls from OpenBao via ESO)
**OpenBao Secret Path:** `secret/rs-manager/iad-acb/armor`
**OpenBao Remote Path:** `rs-manager/iad-acb/armor` (note: no `secret/` prefix in the remoteRef)
**ClusterSecretStore:** `openbao` (defined in `declarative-config/k8s/apexalgo-iad/external-secrets/cluster-secret-store.yml`)
**Secret Keys:**
- `bucket` - ARMOR MinIO bucket name
@ -57,10 +66,9 @@ Cloudflare R2 Dashboard → OpenBao (rs-manager) → ESO → Kubernetes Secret
**Used By:**
- `acb-index-builder-deployment.yml` - uses as ACB_B2_ENDPOINT (warm cache)
- `acb-worker-deployment.yml` - uses for temporary storage before R2 promotion
**Environment Variables (mapped from secret):**
- `ACB_B2_ENDPOINT` = `http://armor:9000` (static)
- `ACB_B2_ENDPOINT` = `http://armor:9000` (static, not from secret)
- `ACB_B2_BUCKET``bucket`
- `ACB_B2_ACCESS_KEY``auth-access-key`
- `ACB_B2_SECRET_KEY``auth-secret-key`
@ -69,7 +77,7 @@ Cloudflare R2 Dashboard → OpenBao (rs-manager) → ESO → Kubernetes Secret
### 2. acb-cloudflare-api-token (Secret Template)
**File:** `/home/coding/declarative-config/k8s/apexalgo-iad/ai-code-battle/acb-cloudflare-api-token-secret.yml.template`
**File:** `declarative-config/k8s/apexalgo-iad/ai-code-battle/acb-cloudflare-api-token-secret.yml.template`
**Type:** Template for SealedSecret (needs to be sealed)
@ -103,24 +111,28 @@ kubeseal --controller-name=sealed-secrets-apexalgo-iad \
**ClusterSecretStore:** `openbao`
**File:** `/home/coding/declarative-config/k8s/apexalgo-iad/external-secrets/cluster-secret-store.yml`
**File:** `declarative-config/k8s/apexalgo-iad/external-secrets/cluster-secret-store.yml`
**OpenBao Server:** `http://openbao.external-secrets.svc.cluster.local:8200`
**Vault Path:** `secret`
**Vault Version:** `v2`
**Auth Method:** Token authentication via `openbao-eso-token` secret in `external-secrets` namespace
## Summary Table
| Secret Name | Type | Source Path | Keys | Used By |
|-------------|------|-------------|------|---------|
| acb-armor-credentials | ExternalSecret | OpenBao: `rs-manager/iad-acb/armor` | bucket, auth-access-key, auth-secret-key | index-builder, worker |
| acb-armor-credentials | ExternalSecret | OpenBao remoteRef: `rs-manager/iad-acb/armor` | bucket, auth-access-key, auth-secret-key | index-builder |
| acb-cloudflare-api-token | SealedSecret (template) | Cloudflare Dashboard | token, account-id | index-builder |
## Credential Sources
| Secret | Credential Source | How to Obtain |
|--------|------------------|---------------|
| acb-armor-credentials | OpenBao (rs-manager cluster) | Already stored in OpenBao at `secret/rs-manager/iad-acb/armor` |
| acb-armor-credentials | OpenBao (rs-manager cluster) | Already stored in OpenBao at path `rs-manager/iad-acb/armor` (ESO adds `secret/` prefix per ClusterSecretStore config) |
| acb-cloudflare-api-token | Cloudflare Dashboard | Create at https://dash.cloudflare.com/profile/api-tokens with Pages+R2 Edit permissions |
## Notes
@ -128,4 +140,5 @@ kubeseal --controller-name=sealed-secrets-apexalgo-iad \
1. **acb-r2-credentials** documented in R2_ACCESS_KEY_SOURCE.md is for iad-acb cluster, NOT apexalgo-iad
2. apexalgo-iad uses ARMOR (internal MinIO) as staging storage, not direct R2 access
3. The acb-cloudflare-api-token needs to be created and sealed before use - template exists but no sealed secret yet
4. The acb-armor-credentials ExternalSecret references an OpenBao path that must exist: `secret/rs-manager/iad-acb/armor`
4. The acb-armor-credentials ExternalSecret references OpenBao path `rs-manager/iad-acb/armor` - ESO's ClusterSecretStore has `path: secret` so the full path becomes `secret/rs-manager/iad-acb/armor`
5. The ExternalSecret for acb-armor-credentials exists but the corresponding OpenBao secret must exist at the correct path for ESO to sync it