Skip to content

Single source of truth for the ghcr pull credential (OpenBao + ExternalSecret) #2613

Description

@devantler

🤖 Generated by the Daily AI Engineer

Problem: The ghcr pull credential currently has three independent sources of truth: the org-level GHCR_TOKEN Actions secret (materialized into flux-system/ksail-registry-credentials by ksail cluster update on every deploy), OpenBao infrastructure/ghcr/auth (materialized into tenant ghcr-auth secrets by External Secrets), and the Talos machine.registries auth (env-expanded at cluster create). A rotation therefore requires updating several places in the right order, and missing one leaves a stale credential live — fragile and easy to get wrong.

Proposed direction: Make OpenBao infrastructure/ghcr/auth the single source of truth for the pull credential: add a flux-system ExternalSecret deriving ksail-registry-credentials from it, and stop the deploy path from upserting that secret once devantler-tech/ksail#6083 (pull/push token split) lands. The org GHCR_TOKEN secret then has exactly one job (the deploy's OCI push). Document the two-write rotation runbook (OpenBao pull + org push) in the platform docs.

Rough size: M — one ExternalSecret manifest + ksail config change (gated on ksail#6083) + runbook docs. Sequencing: ES manifest can land first; until #6083, the deploy overwriting the ES-managed secret is a known benign conflict.

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    No status

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions