Skip to content

security(challenger): [sc-19438] add RPC Secret references#324

Open
devkoriel wants to merge 3 commits into
mainfrom
sc-19438-challenger-rpc-secrets
Open

security(challenger): [sc-19438] add RPC Secret references#324
devkoriel wants to merge 3 commits into
mainfrom
sc-19438-challenger-rpc-secrets

Conversation

@devkoriel

@devkoriel devkoriel commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Summary

  • add optional existing-Secret references for the ETH and Flashbots RPC endpoints
  • reject incomplete references, dual plaintext/Secret sources, and reserved environment-variable collisions
  • bump the Challenger chart to 0.2.0 and run regression renders in CI
  • make the existing chart-install fixtures render zero replicas so they no longer wait on a nonexistent test keystore Secret

Security scope

This is the chart prerequisite for sc-19438. It does not rotate provider credentials, write Vault data, change app-of-apps, publish the chart before merge, or deploy a workload.

The follow-through remains gated on provider rotation and audit review, Vault population, ExternalSecret readiness, staging verification, and explicit production approval. Existing credential-bearing Git history must still be treated as exposed after source removal.

Test plan

  • bash charts/challenger/ci/test-rpc-secret-refs.sh
  • shellcheck charts/challenger/ci/test-rpc-secret-refs.sh
  • helm lint --strict charts/challenger
  • ct lint --config ct.yaml --charts charts/challenger
  • render all four existing Challenger CI values files with helm template
  • actionlint on the changed workflow, ignoring its pre-existing deprecated set-output warning
  • git diff --check origin/main...HEAD

Rollout

  1. Merge and publish chart 0.2.0 after review.
  2. Populate replacement endpoint properties in the existing per-Challenger Vault records.
  3. Add the properties to existing ExternalSecrets without restarting workloads.
  4. Switch staging consumers one at a time and verify RPC behavior.
  5. Review the production Argo diff and obtain explicit approval before its auto-syncing merge.

@devkoriel devkoriel added the bug Something isn't working label Jul 10, 2026
@devkoriel devkoriel self-assigned this Jul 10, 2026
@devkoriel devkoriel requested a review from paulohpigatto July 10, 2026 14:15
@devkoriel

Copy link
Copy Markdown
Contributor Author

Vault prerequisite completed and verified on 2026-07-11. Managed stdout audit is active with log_raw=false and confirmed Loki ingestion. The four existing staging Challenger records now include ethRpcUrl at the expected CAS versions, independent metadata and subkey checks passed, all four existing ExternalSecrets remain Ready=True, all Vault pods report zero audit backend errors, and no temporary sc-19438 token or policy remains. No secret value was printed or copied. This PR is the next gate and still requires human approval. Merging it publishes chart 0.2.0 only and does not roll a workload. @paulohpigatto please review when available.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant