generated from coulomb/repo-seed
openbao king credential bootstrapping
@@ -1,7 +1,7 @@
# Platform Identity and Security Architecture
Status: implemented architecture baseline for NetKingdom/Railiance/Coulomb
Date: 2026-05-18
Date: 2026-05-24
## Purpose
@@ -214,6 +214,32 @@ identifies actors and workloads; flex-auth decides whether a credential
or secret request is allowed; OpenBao stores, issues, audits, and revokes
the resulting secret material.
## Platform Root Custody
Platform root authority is an accountable custody role, not a tenant admin role
and not a Git account secret. `docs/platform-root-custody.md` records
`tegwick` / `bernd.worsch@gmail.com` as the initial setup operator and contact,
not as the long-term platform root of trust.
The actual root-of-trust target is a separate king credential: a dedicated,
rarely used platform-root identity independent from day-to-day Gitea and email
accounts. Email may receive notifications, but Git, Gitea, State Hub, chat,
tickets, shell history, and email must never store or transfer unseal keys,
root tokens, private keys, OTP seeds, recovery codes, or screenshots of secret
output.
Production-ready custody should move toward independent escrow, preferably
two-of-three human or institutional recovery control. Temporary single-operator
king custody is allowed only as a pre-production bootstrap posture with
second-factor protection, encrypted offline storage, and a low-friction upgrade
path to additional custodians.
The normal admin path should become NetKingdom IAM claims mapped to scoped
OpenBao policies. The initial OpenBao root token remains a bootstrap or
break-glass artifact and must not become the standing operator credential. The
platform must also reset or rotate bootstrap-era credentials and access paths
before live workloads rely on it.
## Recursive Trust Rule
Normal tenant administration must never be sufficient to alter the
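Review bot: the paragraph beginning "Temporary single-operator king custody is allowed only as a pre-production bootstrap posture" names no exit condition for that posture; nothing in this hunk says which event (a named milestone, the first live workload, or the readiness table's "Platform root custody" check) ends the single-operator exception or who verifies that escrow has reached the two-of-three target, so in practice the exception can persist indefinitely. Suggest adding one sentence that ties the end of single-operator custody to a concrete gate, and while here, replace the ambiguous "before live workloads rely on it" with the noun it refers to (the platform, or OpenBao).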
@@ -444,6 +470,7 @@ an explicit check:
| Area | Readiness check |
| --- | --- |
| Platform root custody | setup operator, dedicated king credential, second factor, recovery storage, escrow posture, and root-token disposition are recorded without storing secret values |
| MFA and identity | key-cape or Keycloak issues IAM Profile v0.2-compatible tokens and passes `tools/iam-profile-conformance/`; privacyIDEA or the selected MFA provider enforces required assurance for privileged actions |
| Bootstrap and recovery | age/SOPS material, emergency bundle, and break-glass credentials are present, tested, and separated from tenant administration |
| OpenBao runtime secrets | OpenBao is initialized, unsealed or auto-unsealed by the approved mechanism, backed up, audited, and using scoped auth methods and mounts |
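Review bot: the new "Platform root custody" row only checks that the escrow posture and root-token disposition are "recorded", so a single-operator custody with a live standing root token would pass this readiness check even though the new Platform Root Custody section says that posture is acceptable only pre-production. Suggest making the row fail-closed, for example "escrow posture is two-of-three (or an accepted exception with an expiry is recorded) and the bootstrap root token is revoked or held only as a break-glass artifact", so the table enforces what the section requires.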