Skip to content

feat(deploy): own the GitHub App credential ExternalSecret + ProviderConfig#41

Merged
botantler-1[bot] merged 1 commit into
mainfrom
claude/tenant-owned-creds
Jun 17, 2026
Merged

feat(deploy): own the GitHub App credential ExternalSecret + ProviderConfig#41
botantler-1[bot] merged 1 commit into
mainfrom
claude/tenant-owned-creds

Conversation

@devantler

Copy link
Copy Markdown
Contributor

What

Moves the tenant-specific GitHub auth wiring out of the platform repo and into this repo's deploy/ artifact, so the platform only provisions generic scaffolding (namespace, SA, RBAC, and a namespaced SecretStore). Pairs with platform #2039.

  • deploy/external-secret.yaml — the github-app-credentials ExternalSecret, now reading through the platform-provisioned namespaced SecretStore openbao (a dedicated github-config Vault role scoped to secret/data/infrastructure/github/* only — not the broad cluster-scoped store).
  • deploy/provider-config.yaml — the namespaced github.m.upbound.io ProviderConfig.

namespace is omitted on both; the platform tenant Kustomization injects github-config via targetNamespace (same as the Repository MRs). Applied by the app's own ServiceAccount, whose Role was extended (platform side) with verbs on external-secrets.io + github.m.upbound.io.

Why

Two maintainer asks: (1) these manifests are tenant-specific, not platform-specific, so they belong here; (2) the tenant should use a namespace-scoped SecretStore — read access to the cluster SecretStore (which can reach every infra + app path) was too broad a privilege. This mirrors the wedding-app tenant pattern.

Rollout

Merge + tag a new v* release so the published github-config artifact includes these, alongside platform #2039. Until the maintainer overwrites the OpenBao placeholders at secret/infrastructure/github/app, the credential is non-working and the provider's auth simply fails (isolated to the leaf apps layer).

🤖 Generated with Claude Code

…Config

Move the tenant-specific auth wiring into this repo's deploy/ artifact (applied
by the github-config app's own ServiceAccount on the platform), so the platform
only provisions the namespaced SecretStore + RBAC:

- external-secret.yaml: github-app-credentials, read via the platform-provided
  NAMESPACED SecretStore 'openbao' (dedicated github-config Vault role scoped to
  infrastructure/github/* only — not the shared cluster store)
- provider-config.yaml: the namespaced github.m.upbound.io ProviderConfig

namespace is omitted; the platform tenant Kustomization injects it via
targetNamespace (github-config), like the Repository MRs.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant