docs(bf-4ur): document secret templates and credential sources for apexalgo-iad

- Reviewed R2_ACCESS_KEY_SOURCE.md and IAD-ACB-R2-CREDENTIALS-FIX.md
- Documented acb-armor-credentials ExternalSecret structure
- Documented acb-cloudflare-api-token Secret template
- Identified credential sources and OpenBao paths
- Mapped environment variables for both secrets

Co-Authored-By: Claude <noreply@anthropic.com>
jedarden 2026-07-02 08:27:17 -04:00
parent 78b30043b4
commit 7c18b5a4ce

notes/bf-4ur.md (new file, 131 lines)

@ -0,0 +1,131 @@
# Bead bf-4ur: Secret Documentation and Templates Review
## Task Completion Summary
Reviewed secret documentation and existing templates for AI Code Battle on apexalgo-iad cluster.
## Credential Documentation Reviewed
### 1. R2_ACCESS_KEY_SOURCE.md
**Purpose:** Documents the R2 access credential source for the `acb-data` bucket.
**Credential Path:**
```
Cloudflare R2 Dashboard → OpenBao (rs-manager) → ESO → Kubernetes Secret → Application Pods
```
**OpenBao Secret Path:** `secret/rs-manager/ai-code-battle/r2`
**Expected Structure:**
```json
{
"endpoint": "https://e26f015c7ba47a6ad6219385e77072b7.r2.cloudflarestorage.com",
"bucket": "acb-data",
"access-key": "<32-char R2 Access Key ID>",
"secret-key": "<64-char R2 Secret Access Key>"
}
```
**Status:** CORRUPTED - values in OpenBao are swapped/corrupted (documented in IAD-ACB-R2-CREDENTIALS-FIX.md)
### 2. IAD-ACB-R2-CREDENTIALS-FIX.md
**Purpose:** Documents the corruption issue with `acb-r2-credentials` ExternalSecret on **iad-acb** cluster.
**Key Issue:**
- `endpoint` contains a SHA256 hash instead of URL
- `secret-key` contains the endpoint URL (swapped)
- `access-key` contains a hash instead of the R2 access key ID
**Note:** This documentation is for iad-acb cluster. The apexalgo-iad cluster uses different secrets.
## Secret Templates in declarative-config (apexalgo-iad)
### 1. acb-armor-credentials (ExternalSecret)
**File:** `/home/coding/declarative-config/k8s/apexalgo-iad/ai-code-battle/acb-armor-credentials-externalsecret.yml`
**Type:** ExternalSecret (pulls from OpenBao via ESO)
**OpenBao Secret Path:** `secret/rs-manager/iad-acb/armor`
**Secret Keys:**
- `bucket` - ARMOR MinIO bucket name
- `auth-access-key` - MinIO access key
- `auth-secret-key` - MinIO secret key
**Used By:**
- `acb-index-builder-deployment.yml` - uses as ACB_B2_ENDPOINT (warm cache)
- `acb-worker-deployment.yml` - uses for temporary storage before R2 promotion
**Environment Variables (mapped from secret):**
- `ACB_B2_ENDPOINT` = `http://armor:9000` (static)
- `ACB_B2_BUCKET``bucket`
- `ACB_B2_ACCESS_KEY``auth-access-key`
- `ACB_B2_SECRET_KEY``auth-secret-key`
**Purpose:** ARMOR is an internal MinIO service providing S3-compatible storage for staging files before promotion to Cloudflare R2.
### 2. acb-cloudflare-api-token (Secret Template)
**File:** `/home/coding/declarative-config/k8s/apexalgo-iad/ai-code-battle/acb-cloudflare-api-token-secret.yml.template`
**Type:** Template for SealedSecret (needs to be sealed)
**Secret Keys:**
- `token` - Cloudflare API Token
- `account-id` - Cloudflare Account ID (32-char hex string)
**Required Token Permissions:**
- Account > Cloudflare Pages > Edit
- Account > Cloudflare R2 > Edit
- User > User Details > Read
**Used By:**
- `acb-index-builder-deployment.yml` - deploys static indexes to Cloudflare Pages
**Environment Variables (mapped from secret):**
- `ACB_CLOUDFLARE_API_TOKEN``token`
- `ACB_CLOUDFLARE_ACCOUNT_ID``account-id`
**Sealing Command:**
```bash
kubeseal --controller-name=sealed-secrets-apexalgo-iad \
--controller-namespace=sealed-secrets \
--server=http://traefik-apexalgo-iad:8001 \
--format yaml < acb-cloudflare-api-token-secret.yml.template > acb-cloudflare-api-token-sealedsecret.yml
```
**Account ID:** Found in Cloudflare Dashboard URL when viewing Workers & Pages or R2 (e.g., `https://dash.cloudflare.com/<ACCOUNT_ID>/pages/view/...`)
## ESO Configuration (apexalgo-iad)
**ClusterSecretStore:** `openbao`
**File:** `/home/coding/declarative-config/k8s/apexalgo-iad/external-secrets/cluster-secret-store.yml`
**OpenBao Server:** `http://openbao.external-secrets.svc.cluster.local:8200`
**Auth Method:** Token authentication via `openbao-eso-token` secret in `external-secrets` namespace
## Summary Table
| Secret Name | Type | Source Path | Keys | Used By |
|-------------|------|-------------|------|---------|
| acb-armor-credentials | ExternalSecret | OpenBao: `rs-manager/iad-acb/armor` | bucket, auth-access-key, auth-secret-key | index-builder, worker |
| acb-cloudflare-api-token | SealedSecret (template) | Cloudflare Dashboard | token, account-id | index-builder |
## Credential Sources
| Secret | Credential Source | How to Obtain |
|--------|------------------|---------------|
| acb-armor-credentials | OpenBao (rs-manager cluster) | Already stored in OpenBao at `secret/rs-manager/iad-acb/armor` |
| acb-cloudflare-api-token | Cloudflare Dashboard | Create at https://dash.cloudflare.com/profile/api-tokens with Pages+R2 Edit permissions |
## Notes
1. **acb-r2-credentials** documented in R2_ACCESS_KEY_SOURCE.md is for iad-acb cluster, NOT apexalgo-iad
2. apexalgo-iad uses ARMOR (internal MinIO) as staging storage, not direct R2 access
3. The acb-cloudflare-api-token needs to be created and sealed before use - template exists but no sealed secret yet
4. The acb-armor-credentials ExternalSecret references an OpenBao path that must exist: `secret/rs-manager/iad-acb/armor`
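Review bot: the two "Environment Variables (mapped from secret)" lists are missing the separator between the variable and the secret key, so `ACB_B2_BUCKET``bucket`, `ACB_B2_ACCESS_KEY``auth-access-key`, `ACB_B2_SECRET_KEY``auth-secret-key` and the two `ACB_CLOUDFLARE_*` entries render as fused code spans; write them in the same form as the first entry, e.g. `ACB_B2_BUCKET` = `bucket`. Note 4 says the OpenBao path `secret/rs-manager/iad-acb/armor` "must exist" but nowhere records whether it was checked; since the commit message claims "Identified credential sources and OpenBao paths", either state that the path was read successfully through the `openbao` ClusterSecretStore or mark it as unverified. Two smaller points: the document treats `account-id` as secret material in the SealedSecret while the R2 endpoint in the first section embeds the same kind of identifier in plaintext, so say explicitly whether the account ID is considered sensitive; and the sealing command fetches the sealing certificate from `http://traefik-apexalgo-iad:8001`, so the doc should mention how operators verify they sealed against the intended controller certificate (for example by comparing with `--fetch-cert` output taken from inside the cluster) rather than trusting an unauthenticated endpoint.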