From 7360d24d8eee4310cd410f2a0427baee2ee1637a Mon Sep 17 00:00:00 2001 From: jedarden Date: Thu, 2 Jul 2026 08:33:04 -0400 Subject: [PATCH] docs(bf-4ur): document secret templates and credential sources for apexalgo-iad Reviewed R2_ACCESS_KEY_SOURCE.md and IAD-ACB-R2-CREDENTIALS-FIX.md (for context on iad-acb). Verified existing ExternalSecret for acb-armor-credentials (pulls from OpenBao at rs-manager/iad-acb/armor). Documented acb-cloudflare-api-token template structure and sealing instructions. Key findings: - acb-armor-credentials: ExternalSecret, OpenBao path rs-manager/iad-acb/armor - acb-cloudflare-api-token: Template exists, needs to be sealed with kubeseal - R2 credentials documented in R2_ACCESS_KEY_SOURCE.md are for iad-acb cluster Co-Authored-By: Claude --- notes/bf-4ur.md | 31 ++++++++++++++++++++++--------- 1 file changed, 22 insertions(+), 9 deletions(-) diff --git a/notes/bf-4ur.md b/notes/bf-4ur.md index 5e03ddd..f497c7b 100644 --- a/notes/bf-4ur.md +++ b/notes/bf-4ur.md @@ -29,6 +29,8 @@ Cloudflare R2 Dashboard → OpenBao (rs-manager) → ESO → Kubernetes Secret **Status:** CORRUPTED - values in OpenBao are swapped/corrupted (documented in IAD-ACB-R2-CREDENTIALS-FIX.md) +**Note:** This secret is for **iad-acb cluster**, not apexalgo-iad. + ### 2. IAD-ACB-R2-CREDENTIALS-FIX.md **Purpose:** Documents the corruption issue with `acb-r2-credentials` ExternalSecret on **iad-acb** cluster. 
@@ -38,17 +40,24 @@ Cloudflare R2 Dashboard → OpenBao (rs-manager) → ESO → Kubernetes Secret - `secret-key` contains the endpoint URL (swapped) - `access-key` contains a hash instead of the R2 access key ID +**Fix Options:** +1. Fix OpenBao directly at `secret/rs-manager/ai-code-battle/r2` +2. Replace with SealedSecret (bypass ESO) +3. Run automated fix script + **Note:** This documentation is for iad-acb cluster. The apexalgo-iad cluster uses different secrets. ## Secret Templates in declarative-config (apexalgo-iad) ### 1. acb-armor-credentials (ExternalSecret) -**File:** `/home/coding/declarative-config/k8s/apexalgo-iad/ai-code-battle/acb-armor-credentials-externalsecret.yml` +**File:** `declarative-config/k8s/apexalgo-iad/ai-code-battle/acb-armor-credentials-externalsecret.yml` **Type:** ExternalSecret (pulls from OpenBao via ESO) -**OpenBao Secret Path:** `secret/rs-manager/iad-acb/armor` +**OpenBao Remote Path:** `rs-manager/iad-acb/armor` (note: no `secret/` prefix in the remoteRef) + +**ClusterSecretStore:** `openbao` (defined in `declarative-config/k8s/apexalgo-iad/external-secrets/cluster-secret-store.yml`) **Secret Keys:** - `bucket` - ARMOR MinIO bucket name @@ -57,10 +66,9 @@ Cloudflare R2 Dashboard → OpenBao (rs-manager) → ESO → Kubernetes Secret **Used By:** - `acb-index-builder-deployment.yml` - uses as ACB_B2_ENDPOINT (warm cache) -- `acb-worker-deployment.yml` - uses for temporary storage before R2 promotion **Environment Variables (mapped from secret):** -- `ACB_B2_ENDPOINT` = `http://armor:9000` (static) +- `ACB_B2_ENDPOINT` = `http://armor:9000` (static, not from secret) - `ACB_B2_BUCKET` ← `bucket` - `ACB_B2_ACCESS_KEY` ← `auth-access-key` - `ACB_B2_SECRET_KEY` ← `auth-secret-key` 
@@ -69,7 +77,7 @@ Cloudflare R2 Dashboard → OpenBao (rs-manager) → ESO → Kubernetes Secret ### 2. acb-cloudflare-api-token (Secret Template) -**File:** `/home/coding/declarative-config/k8s/apexalgo-iad/ai-code-battle/acb-cloudflare-api-token-secret.yml.template` +**File:** `declarative-config/k8s/apexalgo-iad/ai-code-battle/acb-cloudflare-api-token-secret.yml.template` **Type:** Template for SealedSecret (needs to be sealed) 
@@ -103,24 +111,28 @@ kubeseal --controller-name=sealed-secrets-apexalgo-iad \ **ClusterSecretStore:** `openbao` -**File:** `/home/coding/declarative-config/k8s/apexalgo-iad/external-secrets/cluster-secret-store.yml` +**File:** `declarative-config/k8s/apexalgo-iad/external-secrets/cluster-secret-store.yml` **OpenBao Server:** `http://openbao.external-secrets.svc.cluster.local:8200` +**Vault Path:** `secret` + +**Vault Version:** `v2` + **Auth Method:** Token authentication via `openbao-eso-token` secret in `external-secrets` namespace ## Summary Table | Secret Name | Type | Source Path | Keys | Used By | |-------------|------|-------------|------|---------| -| acb-armor-credentials | ExternalSecret | OpenBao: `rs-manager/iad-acb/armor` | bucket, auth-access-key, auth-secret-key | index-builder, worker | +| acb-armor-credentials | ExternalSecret | OpenBao remoteRef: `rs-manager/iad-acb/armor` | bucket, auth-access-key, auth-secret-key | index-builder | | acb-cloudflare-api-token | SealedSecret (template) | Cloudflare Dashboard | token, account-id | index-builder | ## Credential Sources | Secret | Credential Source | How to Obtain | |--------|------------------|---------------| -| acb-armor-credentials | OpenBao (rs-manager cluster) | Already stored in OpenBao at `secret/rs-manager/iad-acb/armor` | +| acb-armor-credentials | OpenBao (rs-manager cluster) | Already stored in OpenBao at path `rs-manager/iad-acb/armor` (ESO adds `secret/` prefix per ClusterSecretStore config) | | acb-cloudflare-api-token | Cloudflare Dashboard | Create at https://dash.cloudflare.com/profile/api-tokens with Pages+R2 Edit permissions | ## Notes 
@@ -128,4 +140,5 @@ kubeseal --controller-name=sealed-secrets-apexalgo-iad \ 1. **acb-r2-credentials** documented in R2_ACCESS_KEY_SOURCE.md is for iad-acb cluster, NOT apexalgo-iad 2. apexalgo-iad uses ARMOR (internal MinIO) as staging storage, not direct R2 access 3. The acb-cloudflare-api-token needs to be created and sealed before use - template exists but no sealed secret yet -4. The acb-armor-credentials ExternalSecret references an OpenBao path that must exist: `secret/rs-manager/iad-acb/armor` +4. The acb-armor-credentials ExternalSecret references OpenBao path `rs-manager/iad-acb/armor` - ESO's ClusterSecretStore has `path: secret` so the full path becomes `secret/rs-manager/iad-acb/armor` +5. The ExternalSecret for acb-armor-credentials exists but the corresponding OpenBao secret must exist at the correct path for ESO to sync it
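Review bot: in the `@@ -38,17 +40,24 @@` hunk, fix option 1 writes the OpenBao path as `secret/rs-manager/ai-code-battle/r2` with the mount prefix, while the armor section in the same hunk deliberately drops the prefix and explains that the remoteRef omits it; pick one convention and state which form each path is (mount-prefixed CLI path versus ESO remoteRef key) so the two documents are not read as describing differently mounted secrets. Option 3, "Run automated fix script", names no script; add its path or drop the option. It is also worth recording why an apexalgo-iad ExternalSecret reads credentials from a path named for the iad-acb cluster (`rs-manager/iad-acb/armor`): if the same MinIO keys are shared by both clusters, say so explicitly, because rotating them for one cluster will then break the other.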
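Review bot: in the `@@ -57,10 +66,9 @@` hunk, `ACB_B2_ENDPOINT` = `http://armor:9000` (static, not from secret) still sits under the heading "Environment Variables (mapped from secret)", so the new annotation contradicts its own heading; move that entry out of the list or retitle the list. Dropping `acb-worker-deployment.yml` from "Used By" matches the summary table later in the patch, but neither the hunk nor the commit message says whether the worker manifest stopped referencing the secret or whether the earlier line was simply wrong; one sentence on that keeps the next reader from re-adding it.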
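Review bot: in the `@@ -69,7 +77,7 @@` hunk, the switch to a repo-relative `declarative-config/...` path is right, but the section still says only "Type: Template for SealedSecret (needs to be sealed)"; since the `.yml.template` presumably has to be filled with the plaintext token before `kubeseal` is run, state that only the sealed output is committed and the filled-in file is removed afterwards, otherwise a tracked path plus "needs to be sealed" reads as an invitation to edit the token into the tracked file.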
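Review bot: in the `@@ -103,24 +111,28 @@` hunk, adding `Vault Version: v2` changes how the remoteRef key is resolved and the Credential Sources row does not reflect it: with a KV v2 engine mounted at `secret`, ESO reads `secret/data/rs-manager/iad-acb/armor` over the API, so the policy bound to the token in `openbao-eso-token` must grant read on `secret/data/rs-manager/iad-acb/armor`, not on `secret/rs-manager/...`; the "ESO adds `secret/` prefix" wording should say `secret/data/` for the v2 case. Separately, the hunk documents a static token as the ESO auth method with no rotation note; record where the token is issued and its TTL, or consider the Kubernetes auth method, since that token is the single credential that unlocks every secret listed in the table.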
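Review bot: in the `@@ -128,4 +140,5 @@` hunk, note 4 gives the full path as `secret/rs-manager/iad-acb/armor`, which is the CLI form; with the KV v2 engine declared earlier in the patch the API path has `data/` inserted, and anyone checking existence by API or writing an OpenBao policy needs the v2 form. Note 5 only restates note 4's requirement that the path must exist; merge the two and replace the restatement with the concrete check, e.g. `bao kv get -mount=secret rs-manager/iad-acb/armor` on the OpenBao side and `kubectl -n <namespace> get externalsecret acb-armor-credentials` on the cluster side to confirm the Ready condition, and say what the failure looks like (the ExternalSecret reports an error condition and no `acb-armor-credentials` Secret is created), so the reader can tell a missing path from a policy denial.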