From 92c5b2497545be0b030f6c1b004b5f341906020d Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Mon, 15 Jun 2026 20:19:17 +0000 Subject: [PATCH] docs: ghcr_pull_token is now a scoped read:packages PAT, not the admin alias Minted a dedicated classic GitHub PAT scoped to read:packages and stored it in Vault secret/viktor/ghcr_pull_token (2026-06-15), replacing the previous alias of the broad admin github_pat. Propagated via targeted apply of module.kyverno.kubernetes_secret.ghcr_credentials (Kyverno re-syncs the allowlisted namespaces). Document the new cred + the manual rotation recipe. Closes: code-h2il Co-Authored-By: Claude Fable 5 --- .claude/CLAUDE.md | 9 ++++++--- docs/architecture/ci-cd.md | 10 +++++++--- 2 files changed, 13 insertions(+), 6 deletions(-) diff --git a/.claude/CLAUDE.md b/.claude/CLAUDE.md index 1a81118b..d2e581f4 100755 --- a/.claude/CLAUDE.md +++ b/.claude/CLAUDE.md @@ -138,9 +138,12 @@ audiobook-search, council-complaints) now also land on ghcr. wealthfolio-sync, fire-planner, recruiter-responder, tripit, infra-cli, infra-ci, k8s-portal. Pulled via the Kyverno-synced `ghcr-credentials` allowlist (`stacks/kyverno/modules/kyverno/ghcr-credentials.tf`; NOT cluster-wide; cred - = Vault `secret/viktor/ghcr_pull_token`, an alias of the admin `github_pat` — - GitHub has no token-mint API, swap the alias value if a scoped token is ever - UI-minted). + = Vault `secret/viktor/ghcr_pull_token`, a dedicated classic PAT scoped to + `read:packages` (UI-minted 2026-06-15; no longer the admin `github_pat` + alias). GitHub has no token-mint API, so rotation is manual: re-mint → + `vault kv patch secret/viktor ghcr_pull_token=…` → targeted apply + `module.kyverno.kubernetes_secret.ghcr_credentials` (reads Vault, dodges the + git-crypt tls-secret-sync landmine), Kyverno re-syncs the allowlist). **Infra-owned images (issues #29/#30)** build on GHA workflows IN the infra repo's own `.github/workflows/` (added to the GitHub lineage via PR; the 
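Review bot: the new CLAUDE.md paragraph has an unbalanced parenthesis: the inner "(reads Vault, dodges the git-crypt tls-secret-sync landmine)" closes correctly, but the trailing ")" after "Kyverno re-syncs the allowlist" has no matching open, so either drop it or reopen a parenthetical before "GitHub has no token-mint API". While touching the rotation recipe, consider writing the Vault step so the token value does not land in shell history, e.g. `vault kv patch secret/viktor ghcr_pull_token=-` with the freshly minted PAT fed on stdin, rather than the inline `ghcr_pull_token=…` form. Also record the classic PAT's expiry (or "no expiry") next to the 2026-06-15 mint date, since the text makes rotation a manual chore and the reader needs to know when it comes due; the "git-crypt tls-secret-sync landmine" is only explained in the ci-cd.md hunk ("on a locked clone"), so a pointer to that doc would save the next operator a guess.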
diff --git a/docs/architecture/ci-cd.md b/docs/architecture/ci-cd.md index c4493f86..1c78950f 100644 --- a/docs/architecture/ci-cd.md +++ b/docs/architecture/ci-cd.md @@ -100,9 +100,13 @@ Private-image pulls use the `ghcr-credentials` dockerconfigjson, cloned by the kyverno stack's `sync-ghcr-credentials` ClusterPolicy to an explicit **ALLOWLIST** of private-ghcr namespaces only (NOT cluster-wide; source `stacks/kyverno/modules/kyverno/ghcr-credentials.tf`). Cred = Vault -`secret/viktor/ghcr_pull_token` (an alias of the admin `github_pat` — GitHub -has no token-mint API; swap the alias value if a scoped token is ever -UI-minted). +`secret/viktor/ghcr_pull_token` (a dedicated classic PAT scoped to +`read:packages`, UI-minted 2026-06-15 — no longer the admin `github_pat` alias. +GitHub has no token-mint API, so rotation is manual: re-mint the classic +`read:packages` PAT → `vault kv patch secret/viktor ghcr_pull_token=…` → +targeted apply `module.kyverno.kubernetes_secret.ghcr_credentials` (reads Vault; +avoids the git-crypt `tls-secret-sync` landmine on a locked clone), which +Kyverno then re-syncs to the allowlisted namespaces). ### Migrated apps (issues #13–#27)
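Review bot: the removed lines show the broad admin `github_pat` was, until this change, copied as a dockerconfigjson into every allowlisted namespace via the `sync-ghcr-credentials` ClusterPolicy, so the doc should state whether that admin token was itself rotated or revoked, not just replaced in the Vault key; swapping the value of `secret/viktor/ghcr_pull_token` alone leaves the admin PAT valid anywhere the old Secret was read. Separately, the single parenthetical now spans two full sentences and a three-step procedure; the rotation recipe (re-mint the `read:packages` PAT, `vault kv patch`, targeted apply of `module.kyverno.kubernetes_secret.ghcr_credentials`, Kyverno re-sync) reads far better as a short numbered list after the "Cred = Vault ..." sentence, which also lets the scope note and the mint date stand on their own.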