Context
Wire up the chart-side requirements for stateless requests-proxy auth. Companion to client-runtime CR-1 (proxy verify) and CR-2 (jobs-manager mint).
Parent feature: tracebloc/client-runtime#14
Scope
client/templates/secrets.yaml
Expand <release>-requests-proxy-admin from { token: <64-char> } to a multi-key shape:
```yaml
data:
  active: "v1"
  key.v1: "<64-char>"
  key.v2: "..."   # only present mid-rotation
```
Migration: if the existing Secret has only token, copy that value into key.v1 and set active: v1 via the existing lookup pattern. Note that lookup returns nothing under helm template and --dry-run, so those only ever exercise the fresh-install branch; the migration branch is only reachable against a live cluster, which is why the upgrade smoke test in the acceptance criteria is a separate item. Keep helm.sh/resource-policy: keep (per docs/MIGRATIONS.md: the annotation must render into the stored manifest, not just the live resource).
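Sketch of the migration-aware template, added here for illustration (it is not the chart's current secrets.yaml, and the variable names are mine). Values under data are base64 as in any Secret, so the existing token is copied verbatim and "v1" is b64enc'd; a Secret that already has key.v1 is re-emitted unchanged so a plain helm upgrade never rotates keys by accident.

```yaml
{{- /* client/templates/secrets.yaml (illustrative, not the chart's own code) */}}
{{- $name := printf "%s-requests-proxy-admin" .Release.Name }}
{{- /* lookup returns an empty dict under `helm template` / --dry-run, so the
       fresh-install branch below is what renders there. */}}
{{- $existing := lookup "v1" "Secret" .Release.Namespace $name }}
{{- $old := dict }}
{{- if $existing }}
  {{- $old = default dict $existing.data }}
{{- end }}
{{- $data := dict }}
{{- if hasKey $old "key.v1" }}
  {{- /* Already multi-key: keep every key (incl. key.v2 mid-rotation) as-is. */}}
  {{- $data = $old }}
{{- else if hasKey $old "token" }}
  {{- /* Legacy single-key Secret: token -> key.v1, active -> v1. Values are
         already base64, so copy without re-encoding. */}}
  {{- $_ := set $data "active" (b64enc "v1") }}
  {{- $_ := set $data "key.v1" (index $old "token") }}
{{- else }}
  {{- /* Fresh install (or helm template): mint a new 64-char key. */}}
  {{- $_ := set $data "active" (b64enc "v1") }}
  {{- $_ := set $data "key.v1" (randAlphaNum 64 | b64enc) }}
{{- end }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ $name }}
  namespace: {{ .Release.Namespace }}
  annotations:
    # Must be in the rendered manifest, not only patched onto the live object.
    helm.sh/resource-policy: keep
type: Opaque
data:
{{- range $k, $v := $data }}
  {{ $k }}: {{ $v | quote }}
{{- end }}
```

The template drops the old token key once it has been copied; if a rollback to the previous chart must keep working during the cutover window, carry token alongside key.v1 until OPS-1 is done.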
New: client/templates/requests-proxy-revoked-configmap.yaml
ConfigMap with empty initial JSON array. helm.sh/resource-policy: keep so revocations survive a helm uninstall accident.
New RBAC
- ServiceAccount + Role + RoleBinding for jobs-manager:
get,update,patch on the revoked ConfigMap; get on the keys Secret; get,list on Jobs (for prune).
- ServiceAccount + Role + RoleBinding for proxy:
get on the revoked ConfigMap; get on the keys Secret.
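The jobs-manager side of the RBAC as an added example (not the chart's own templates; the ConfigMap name <release>-requests-proxy-revoked is an assumption since the ticket does not fix it). The point worth getting right is resourceNames: a bare get on secrets lets the pod read any Secret in the namespace by name, so both Roles should pin get/update/patch to the one Secret and one ConfigMap this release owns. The proxy Role is identical except that both rules carry verbs: ["get"] only.

```yaml
# Illustrative jobs-manager RBAC for client/templates/ (not the chart's own code).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Release.Name }}-jobs-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ .Release.Name }}-jobs-manager
rules:
  # update/patch only: no create, so the ConfigMap must be chart-managed and
  # exist before the pod starts (it cannot silently recreate an empty list).
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["{{ .Release.Name }}-requests-proxy-revoked"]   # assumed name
    verbs: ["get", "update", "patch"]
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["{{ .Release.Name }}-requests-proxy-admin"]
    verbs: ["get"]
  # list cannot be narrowed by resourceNames, so prune sees every Job in the
  # namespace; keep it read-only (no delete/create) for that reason.
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ .Release.Name }}-jobs-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ .Release.Name }}-jobs-manager
subjects:
  - kind: ServiceAccount
    name: {{ .Release.Name }}-jobs-manager
    namespace: {{ .Release.Namespace }}
```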
client/templates/requests-proxy-deployment.yaml + client/templates/jobs-manager-deployment.yaml
- Mount keys Secret at /etc/proxy/keys/ (read-only).
- Mount revoked ConfigMap at /etc/proxy/revoked.json (read-only on proxy). Caveat: a single-file subPath mount is never refreshed by the kubelet, so if the proxy is meant to pick up revocations without a restart, mount the ConfigMap as a directory and have the proxy read revoked.json from it; directory mounts of ConfigMaps and Secrets are updated in place.
- Attach respective ServiceAccounts.
- Inject REQUESTS_PROXY_STATELESS env from requestsProxy.statelessTokens value (default false).
- Inject RELEASE_NAME and NAMESPACE envs on both pods (used in the JWT aud claim).
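Proxy Deployment fragment showing the mounts and envs, added as an example (not the chart's own deployment template; the image value name and the ConfigMap name are assumptions). The jobs-manager Deployment gets the same volumes with its own ServiceAccount. Both the keys Secret and the revoked ConfigMap are mounted as directories so that key.v2 and new revocations show up in the running pod after the kubelet sync interval, without a rollout.

```yaml
# Illustrative client/templates/requests-proxy-deployment.yaml (not the chart's own code).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Release.Name }}-requests-proxy
spec:
  selector:
    matchLabels:
      app: {{ .Release.Name }}-requests-proxy
  template:
    metadata:
      labels:
        app: {{ .Release.Name }}-requests-proxy
    spec:
      serviceAccountName: {{ .Release.Name }}-requests-proxy
      containers:
        - name: proxy
          image: {{ .Values.requestsProxy.image }}   # assumed value name
          env:
            - name: REQUESTS_PROXY_STATELESS
              value: {{ .Values.requestsProxy.statelessTokens | default false | quote }}
            - name: RELEASE_NAME
              value: {{ .Release.Name | quote }}
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          volumeMounts:
            # Directory mount: files active, key.v1, key.v2 appear under it and
            # are swapped atomically when the Secret changes.
            - name: keys
              mountPath: /etc/proxy/keys
              readOnly: true
            # Directory, not subPath: a subPath file at /etc/proxy/revoked.json
            # would pin the revocation list at pod start. The file is at
            # /etc/proxy/revoked/revoked.json instead.
            - name: revoked
              mountPath: /etc/proxy/revoked
              readOnly: true
      volumes:
        - name: keys
          secret:
            secretName: {{ .Release.Name }}-requests-proxy-admin
        - name: revoked
          configMap:
            name: {{ .Release.Name }}-requests-proxy-revoked   # assumed name
```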
client/values.yaml + client/values.schema.json
requestsProxy.statelessTokens (bool, default false).
requestsProxy.tokenTtlSeconds (integer, default 7776000 = 90d).
Acceptance criteria
- helm template renders cleanly with the flag on and off.
- Helm-unittest cases: legacy single-key Secret migrates to multi-key, multi-key Secret renders correctly, RBAC objects present, ConfigMap present with resource-policy: keep.
- helm install → helm upgrade smoke test from the current chart shape to the new shape preserves the existing token as key.v1.
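Example helm-unittest suite for the first two criteria (added here, not from the repo). It assumes a helm-unittest release with the kubernetesProvider fixture, which is what lets the suite hand lookup a pre-existing Secret so the migration branch can be asserted without a cluster; the ConfigMap template name and its revoked.json key are also assumptions. The fixture Secret and its token value are constructed for the test. The RBAC-presence cases follow the same pattern with isKind/documentSelector on the RBAC template.

```yaml
# tests/requests-proxy-stateless_test.yaml (illustrative, not the chart's own tests)
suite: requests-proxy stateless auth wiring
templates:
  - templates/secrets.yaml
  - templates/requests-proxy-revoked-configmap.yaml   # assumed template path
release:
  name: tb
  namespace: tb-ns
kubernetesProvider:   # assumes helm-unittest with lookup fixtures
  scheme:
    "v1/Secret":
      gvr:
        version: "v1"
        resource: "secrets"
      namespaced: true
  objects:
    # Constructed legacy single-key Secret as it would exist before the upgrade.
    - apiVersion: v1
      kind: Secret
      metadata:
        name: tb-requests-proxy-admin
        namespace: tb-ns
      data:
        token: bGVnYWN5LXRva2VuLWJhc2U2NA==
tests:
  - it: migrates a legacy single-key Secret into key.v1 and keeps resource-policy
    template: templates/secrets.yaml
    asserts:
      - isKind:
          of: Secret
      - equal:
          path: data["key.v1"]
          value: bGVnYWN5LXRva2VuLWJhc2U2NA==   # byte-for-byte the old token
      - equal:
          path: data.active
          value: djE=                           # "v1", base64
      - notExists:
          path: data.token
      - equal:
          path: metadata.annotations["helm.sh/resource-policy"]
          value: keep
  - it: renders the revoked ConfigMap with an empty array and resource-policy keep
    template: templates/requests-proxy-revoked-configmap.yaml
    set:
      requestsProxy.statelessTokens: true
    asserts:
      - isKind:
          of: ConfigMap
      - equal:
          path: data["revoked.json"]
          value: "[]"
      - equal:
          path: metadata.annotations["helm.sh/resource-policy"]
          value: keep
```

Run the same suite once more with requestsProxy.statelessTokens left at its default so the flag-off rendering is covered as well.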
Dependencies
- Required by CR-1, CR-2, and OPS-1 (cutover).
- This ticket does not flip the flag; that is OPS-1.