ai-code-battle/R2_ACCESS_KEY_SOURCE.md
jedarden 8652e77655 docs: add R2 access key source investigation summary
Documents the complete path of R2 credentials from Cloudflare Dashboard
through OpenBao (rs-manager), ESO, to Kubernetes Secrets.

Key findings:
- Canonical source: OpenBao at secret/rs-manager/ai-code-battle/r2
- Current values are corrupted/swapped (endpoint in secret-key field)
- R2 account ID: e26f015c7ba47a6ad6219385e77072b7
- Fix options documented

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-29 10:26:00 -04:00

R2 Access Key Source for acb-data Bucket

Summary

The R2 access credentials for the acb-data bucket follow this path:

Cloudflare R2 Dashboard (user creates)
         ↓
OpenBao (rs-manager cluster) ← AUTHORITATIVE SOURCE
         ↓
External Secrets Operator (ESO)
         ↓
Kubernetes Secret (acb-r2-credentials)
         ↓
Application Pods (index-builder, worker, evolver)

Canonical Source

OpenBao Secret Path: secret/rs-manager/ai-code-battle/r2

Cluster: rs-manager (Rackspace Spot, us-east-iad-1)

Expected Structure:

{
  "endpoint": "https://e26f015c7ba47a6ad6219385e77072b7.r2.cloudflarestorage.com",
  "bucket": "acb-data",
  "access-key": "<32-char R2 Access Key ID>",
  "secret-key": "<64-char R2 Secret Access Key>"
}

R2 Account ID: e26f015c7ba47a6ad6219385e77072b7

Current Status: CORRUPTED

The values in OpenBao are corrupted/swapped:

| OpenBao Property | Current Value | Expected Value |
|---|---|---|
| endpoint | bdaf818e893d8691d2ff24bf1c120d34458a00be8d12b5b74037f930b20cabcd (SHA256 hash) | https://e26f015c7ba47a6ad6219385e77072b7.r2.cloudflarestorage.com |
| bucket | acb-data | acb-data |
| access-key | 66aabf3cc401c74755910422a903a8af (hash) | <32-char R2 Access Key ID> |
| secret-key | https://e26f015c7ba47a6ad6219385e77072b7.r2.cloudflarestorage.com (swapped!) | <64-char R2 Secret Access Key> |

ESO Configuration

ExternalSecret: acb-r2-credentials (namespace: ai-code-battle)

ClusterSecretStore: openbao (on iad-acb cluster)

Store Config: /home/coding/declarative-config/k8s/iad-acb/external-secrets/cluster-secret-store.yml

spec:
  provider:
    vault:
      server: "http://openbao.external-secrets.svc.cluster.local:8200"
      path: "secret"
      version: "v2"
      auth:
        kubernetes:
          mountPath: "k8s-iad-acb"
          role: "eso"

ESO is correctly syncing - the problem is upstream in OpenBao.

Where to Get Valid Credentials

Cloudflare Dashboard Path:

  1. R2 > acb-data > Settings > R2 API
  2. Click "Create API Token" or use existing token
  3. Copy Access Key ID (32 chars) and Secret Access Key (64 chars)

R2 Endpoint Format:

https://<account-id>.r2.cloudflarestorage.com

For this project: https://e26f015c7ba47a6ad6219385e77072b7.r2.cloudflarestorage.com
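
The swapped and malformed fields described in the status table can be caught before a write by checking each value against the formats stated on this page. The following is an added example, not one of the project's scripts; `check_r2_fields` is a hypothetical name, and the 32-hex-character account ID pattern is an assumption taken from this project's ID.

```shell
#!/bin/sh
# Added example: shape check for the four fields of secret/rs-manager/ai-code-battle/r2.
# check_r2_fields is a hypothetical helper name, not part of the project's scripts.
# Usage: check_r2_fields ENDPOINT BUCKET ACCESS_KEY SECRET_KEY
# Prints one line per bad field (field names and lengths only, never the values)
# and returns 1 if any field fails.
check_r2_fields() {
  endpoint=$1 bucket=$2 access=$3 secret=$4
  rc=0

  # Endpoint format from the page: https://<account-id>.r2.cloudflarestorage.com
  # Assumption: the account ID is 32 lowercase hex characters, as in this project's ID.
  if ! printf '%s\n' "$endpoint" |
       grep -Eq '^https://[0-9a-f]{32}\.r2\.cloudflarestorage\.com$'; then
    echo "endpoint: not an R2 endpoint URL"; rc=1
  fi

  [ "$bucket" = "acb-data" ] || { echo "bucket: expected acb-data"; rc=1; }

  # A URL in a key field is the swap described in the status table.
  case "$access" in
    *://*) echo "access-key: holds a URL (swapped field?)"; rc=1 ;;
    *) [ "${#access}" -eq 32 ] ||
         { echo "access-key: expected 32 chars, got ${#access}"; rc=1; } ;;
  esac
  case "$secret" in
    *://*) echo "secret-key: holds a URL (swapped field?)"; rc=1 ;;
    *) [ "${#secret}" -eq 64 ] ||
         { echo "secret-key: expected 64 chars, got ${#secret}"; rc=1; } ;;
  esac

  return "$rc"
}
```

A shape check cannot tell a real key from a hash of the same length, so a 32-character value in access-key still passes; it only catches the URL-in-key-field and non-URL-endpoint cases.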

Impact of Corruption

All R2 operations fail with "Custom endpoint was not a valid URI":

  • Replay uploads to R2 fail (index-builder, worker)
  • Thumbnail uploads to R2 fail
  • Bot card uploads to R2 fail
  • Website replay viewer cannot load real matches

Fix Options

Option 1: Fix the Values in OpenBao

# Write the four fields to the canonical path
vault login <root-token>
vault kv put secret/rs-manager/ai-code-battle/r2 \
  endpoint="https://e26f015c7ba47a6ad6219385e77072b7.r2.cloudflarestorage.com" \
  bucket="acb-data" \
  access-key="<R2_ACCESS_KEY_ID>" \
  secret-key="<R2_SECRET_ACCESS_KEY>"

# Force ESO to re-sync the ExternalSecret; --overwrite lets the command be re-run
kubectl --kubeconfig=/home/coding/.kube/iad-acb.kubeconfig annotate \
  externalsecret acb-r2-credentials -n ai-code-battle force-sync=$(date +%s) --overwrite

Option 2: Replace with SealedSecret (Bypass ESO)

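# kubeseal reads the plain Secret manifest on stdin; acb-r2-credentials-secret.yml is a placeholder for that file
kubeseal --controller-name=sealed-secrets -n ai-code-battle \
  < acb-r2-credentials-secret.yml \
  > /home/coding/declarative-config/k8s/iad-acb/ai-code-battle/acb-r2-credentials-sealedsecret.yml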

Then remove the ExternalSecret from declarative-config.

Option 3: Automated Script

/home/coding/ai-code-battle/fix-iad-acb-r2-credentials.sh

Related Files

  • /home/coding/ai-code-battle/IAD-ACB-R2-CREDENTIALS-FIX.md - R2-specific fix documentation
  • /home/coding/ai-code-battle/IAD-ACB-OPENBAO-FIX.md - Comprehensive OpenBao fix documentation
  • /home/coding/ai-code-battle/fix-iad-acb-r2-credentials.sh - Automated fix script
  • /home/coding/ai-code-battle/manifests/acb-index-builder-deployment.yml - Deployment using the secret
  • /home/coding/declarative-config/k8s/iad-acb/ai-code-battle/acb-externalsecrets.yml - ExternalSecret definitions

Environment Variables Used

Applications use these environment variables (populated from acb-r2-credentials secret):

  • ACB_R2_ENDPOINT - R2 endpoint URL
  • ACB_R2_BUCKET - Bucket name (acb-data)
  • ACB_R2_ACCESS_KEY - R2 Access Key ID (from secret's access-key)
  • ACB_R2_SECRET_KEY - R2 Secret Access Key (from secret's secret-key)