viktor/infra
Commit 92ff0b92f1
infra/cli/VERSION
homelab ha token: dedicated openclaw/ha-tokens secret + least-priv RBAC for emo

`ha token` originally read openclaw/openclaw-secrets -> skill_secrets, which only cluster admins can read — so it hung/failed for the non-admin operator it was built for (emo = emil.barzin@gmail.com, OIDC group "Home Server Admins", whose identity is deliberately barred from secrets in the openclaw namespace).

Split the HA tokens into a dedicated secret openclaw/ha-tokens (keys sofia/london) with a Role + RoleBinding granting `get` on JUST that secret to the Home Server Admins group (k8s RBAC can't scope to a JSON sub-key, hence a separate object). emo now resolves the HA token with their own identity, WITHOUT gaining the rest of skill_secrets (slack_webhook, uptime_kuma_password). openclaw's own deployment keeps reading openclaw-secrets — purely additive.

- stacks/openclaw/ha_tokens.tf: new secret + least-privilege Role/RoleBinding
- cli/cmd_ha.go: read openclaw/ha-tokens (raw base64 per-instance key); drop JSON parse
- README + ADR-0012 updated; VERSION -> v0.7.1

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-21 10:45:32 +00:00
v0.7.1
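The secret-plus-RBAC shape the commit message describes, written out as plain Kubernetes manifests. This is an added illustration, not the repository's own stacks/openclaw/ha_tokens.tf (which is Terraform) and not code from the infra project. The namespace (openclaw), secret name (ha-tokens), per-instance keys (sofia, london) and the OIDC group ("Home Server Admins") are taken from the commit message; the Role/RoleBinding name ha-tokens-reader and the placeholder token values are my assumptions.

```yaml
# Added example (not the project's ha_tokens.tf). Object names other than
# ha-tokens, and the token values, are placeholders chosen for illustration.
---
apiVersion: v1
kind: Secret
metadata:
  name: ha-tokens
  namespace: openclaw
type: Opaque
# One key per Home Assistant instance. The API server stores these under
# .data base64-encoded, which is what a client reads back and decodes;
# no JSON envelope, so there is no sub-key to parse.
stringData:
  sofia: "REPLACE_WITH_SOFIA_LONG_LIVED_TOKEN"
  london: "REPLACE_WITH_LONDON_LONG_LIVED_TOKEN"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ha-tokens-reader
  namespace: openclaw
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    # resourceNames is the finest granularity RBAC offers: a whole object.
    # A key inside openclaw-secrets (skill_secrets) cannot be named here,
    # which is why the tokens live in their own Secret.
    resourceNames: ["ha-tokens"]
    # Only get. `kubectl get secret ha-tokens` issues a get; a bare
    # `kubectl get secrets` issues a list and stays denied, so the group
    # cannot enumerate or read anything else in the namespace.
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ha-tokens-reader
  namespace: openclaw
subjects:
  - kind: Group
    # Must match the group string the API server sees after OIDC mapping,
    # including any --oidc-groups-prefix configured on kube-apiserver.
    name: "Home Server Admins"
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: ha-tokens-reader
  apiGroup: rbac.authorization.k8s.io
```

To confirm the binding does exactly what the commit intends, impersonate the operator from an account that holds `impersonate` rights: `kubectl auth can-i get secret/ha-tokens -n openclaw --as=emil.barzin@gmail.com --as-group="Home Server Admins"` should answer yes, while the same command against `secret/openclaw-secrets` should still answer no. The per-instance read the CLI performs corresponds to `kubectl get secret ha-tokens -n openclaw -o jsonpath='{.data.sofia}' | base64 -d`.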