openbao king credential bootstrapping

2026-05-24 09:26:02 +02:00
parent 7d55cb8bd3
commit 1d0b0e7330
18 changed files with 3080 additions and 6 deletions

View File

@@ -0,0 +1,213 @@
---
id: NET-WP-0015
type: workplan
title: "King Credential And OpenBao Identity Bootstrap"
domain: netkingdom
repo: net-kingdom
status: active
owner: codex
topic_slug: netkingdom
created: "2026-05-24"
updated: "2026-05-24"
depends_on:
- NK-WP-0006
- NK-WP-0012
state_hub_workstream_id: "6b9c25e4-1008-429a-8de6-54361872c0dd"
---
# NET-WP-0015 - King Credential And OpenBao Identity Bootstrap
## Goal
Define and execute the first safe bridge between low-trust setup operations, a
dedicated king credential, NetKingdom identity, and Railiance OpenBao
bootstrap.
The revised decision is that `tegwick` / `bernd.worsch@gmail.com` is the
initial accountable setup operator and notification contact, not the long-term
platform root of trust. The actual platform-root authority should move to a
separate king credential before OpenBao becomes live secret custody.
## Context
Railiance owns OpenBao deployment and operations. NetKingdom owns the identity,
custody, and security semantics that say who can administer the platform and
how that authority transitions from bootstrap material into normal IAM claims.
The platform is still in MVP/prototype bootstrap. That means early databases,
admin accounts, tokens, and access paths must be treated as potentially
contaminated by convenience. The platform should be assembled in low-trust
mode, then handed over to the king credential, reset/rotated, checked, and
reopened under explicit custody.
## Scope
In scope:
- record the setup operator/contact identity;
- define the separate king credential target;
- define the temporary single-operator king custody exception;
- specify target NetKingdom IAM claims for the first admin identity;
- coordinate the OpenBao initialization prerequisites with Railiance;
- define the transition from OpenBao root token to scoped admin access; and
- add follow-up gates for independent escrow, OIDC/JWT admin auth,
reset/rotation, scan checks, and restore verification.
Out of scope:
- storing any secret material in this repo;
- running `bao operator init` from an unattended agent session;
- deploying key-cape, Keycloak, privacyIDEA, or OpenBao itself; and
- granting tenant administrators platform-root authority.
## Tasks
### T01 - Record Setup Operator And King Credential Model
```task
id: NET-WP-0015-T01
status: done
priority: high
state_hub_task_id: "60659e25-fed1-478e-b8a3-4bc7b2f3846b"
```
Record `tegwick` / `bernd.worsch@gmail.com` / Gitea `tegwick` as the initial
setup operator and contact. Define the separate king credential as the actual
platform-root target.
**2026-05-24:** Added `docs/platform-root-custody.md` and updated
`docs/platform-identity-security-architecture.md` plus `SCOPE.md`.
**2026-05-24:** Revised the custody model: `tegwick` is no longer modeled as
the platform root of trust. The day-to-day account can assemble and observe the
platform, while a dedicated king credential receives final custody after the
guided bootstrap path is ready.
### T02 - Define King Credential Kit
```task
id: NET-WP-0015-T02
status: done
priority: high
state_hub_task_id: "1a1c45a2-be66-4667-89f8-581f4fe9970b"
```
Define the first king credential kit: dedicated identity name, local/offline
password-safe storage, second factor, recovery-code handling, no email secret
transfer, no day-to-day browsing/Git use, and operator instructions clear
enough for a non-expert.
**2026-05-24:** Defined the v1 kit in
`docs/security-bootstrap-king-credential-kit.md`: label `platform-root`, setup
operator/contact `tegwick`, notification-only email
`bernd.worsch@gmail.com`, local password safe plus offline custody packet,
TOTP/WebAuthn/hardware-token second factor, no day-to-day use, and no email or
Git secret transfer. Added
`examples/security-bootstrap/king-credential-metadata.example.json` plus
console validation for non-secret kit metadata. Custody-mode approval remains
blocked under T03.
### T03 - Approve King Custody Mode
```task
id: NET-WP-0015-T03
status: blocked
priority: high
state_hub_task_id: "56a6266a-4acd-41e6-a395-85e90a5c35c6"
```
Choose either the preferred independent two-of-three king custody model or an
explicit temporary single-operator king credential exception for pre-production
bootstrap. Do not run OpenBao initialization until this choice is recorded.
**2026-05-24:** Added local approval surfaces for this human gate:
`approve-custody-mode` for the CLI and `web-ui` for the localhost console.
Both write non-secret metadata only and keep live OpenBao initialization as a
separate attended ceremony. Current recommended approval mode is
`temporary-single-king`; `two-of-three-planned` records the target state but
does not unblock live init.
**2026-05-24:** Tightened MFA handling after review: a TOTP QR code or setup
key must come from the authority that will verify login, not from the local
metadata console. Custody approval now requires explicit non-secret
confirmation that the factor was enrolled with its real verifier.
### T04 - Complete Railiance OpenBao Bootstrap Ceremony
```task
id: NET-WP-0015-T04
status: blocked
priority: high
state_hub_task_id: "2102366e-064b-4071-8b6a-574d9d37d109"
```
Coordinate with `RAIL-PL-WP-0002-T03` to initialize and unseal OpenBao under
the king credential model, enable audit and the first mounts/policies, create a
non-root `platform-admin` access path, and revoke or offline-escrow the initial
root token.
### T05 - Provision First NetKingdom Admin Identity
```task
id: NET-WP-0015-T05
status: todo
priority: high
state_hub_task_id: "d2a81d7b-9964-4bd5-9b8c-ef1324e02cd4"
```
Provision the first king/admin identity in the selected NetKingdom IAM
implementation. The target claims are `tenant=platform`,
`principal_type=human` or `break_glass`, MFA-backed assurance, and groups/roles
for `platform-root`, `platform-admin`, `netkingdom-admin`, and
`railiance-platform-admin`. `tegwick` may receive delegated day-to-day admin
roles later, but must be revocable without losing root custody.
### T06 - Bind OpenBao Admin Auth To NetKingdom IAM
```task
id: NET-WP-0015-T06
status: todo
priority: medium
state_hub_task_id: "ef97f3cb-9792-4b9d-bd2b-8871d368a50f"
```
Replace temporary operator tokens with NetKingdom IAM-backed OpenBao admin
auth when the issuer and claim mapping are ready. The OpenBao root token must
not be the normal admin path.
### T07 - Verify Recovery, Audit, And Rotation
```task
id: NET-WP-0015-T07
status: todo
priority: medium
state_hub_task_id: "aa40cbb4-36d3-405d-b59d-0c21ae8c9539"
```
Confirm snapshot/restore drill, durable audit-log handling, root-token
disposition, unseal/recovery rotation expectations, and the follow-up owner
for adding at least one additional human escrow holder.
### T08 - Reset, Rotate, And Reopen Under King Oversight
```task
id: NET-WP-0015-T08
status: todo
priority: high
state_hub_task_id: "e6a60dca-547b-4493-a36c-f6b668d1bf52"
```
After the king credential accepts custody, reset or rotate bootstrap-era
database credentials, admin passwords, service tokens, OpenBao tokens, and
temporary access paths. Run host/workload checks and reopen the platform only
after the new custody state is verified.
## Acceptance Criteria
- The setup operator and king credential model are recorded without secret
values.
- The custody mode is explicit before OpenBao initialization.
- OpenBao root-token use is limited to bootstrap or break-glass handling.
- Routine admin access has a non-root path and a target NetKingdom IAM path.
- Production readiness has a clear gate for independent escrow, audit, restore,
reset/rotation, and reopening under king oversight.
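Review bot: T04 leaves the root-token disposition as "revoke or offline-escrow", but the acceptance criterion "OpenBao root-token use is limited to bootstrap or break-glass handling" reads differently depending on which one is chosen, and T07 later asks for "root-token disposition" as if it were still open. An escrowed root token is a standing platform-root credential: under the `temporary-single-king` mode recommended in T03 it would sit with a single custodian and no independent check, and it would need the same custody packet, rotation expectation and audit treatment as the unseal/recovery material. Suggest making T04 decide this explicitly, preferably "revoke once the non-root `platform-admin` path is verified, regenerate from key shares only as a recorded break-glass ceremony", and having T07 verify that decision rather than restate it. Two smaller points in the same hunk: the T03 requirement that MFA enrollment be confirmed "with its real verifier" is a self-attested flag in non-secret metadata, so the approval record should at least name the verifier and the enrollment time so it can be cross-checked against that verifier's own audit trail; and `depends_on` lists `NK-WP-0006` and `NK-WP-0012` while the body only coordinates with `RAIL-PL-WP-0002-T03`, so state what those two dependencies gate here.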

View File

@@ -0,0 +1,202 @@
---
id: NET-WP-0016
type: workplan
title: "Guided Security Bootstrap Experience"
domain: netkingdom
repo: net-kingdom
status: finished
owner: codex
topic_slug: netkingdom
created: "2026-05-24"
updated: "2026-05-24"
depends_on:
- NET-WP-0015
- NK-WP-0012
state_hub_workstream_id: "16069174-6698-4855-ad9e-5092c8571f38"
---
# NET-WP-0016 - Guided Security Bootstrap Experience
## Goal
Create the operator-facing bootstrap experience that makes NetKingdom and
OpenBao security setup understandable, repeatable, and safe for non-experts.
The platform should be possible to assemble with a low-trust setup operator,
then hand over to a dedicated king credential, reset and harden the bootstrap
state, and reopen under explicit custody.
## Context
Railiance and NetKingdom have reached a point where raw runbooks are not enough.
The infrastructure is still early and evolving, and the human operator does not
need to be an OpenBao/Keycloak/flex-auth expert to take the next safe step.
Good security here should feel like guided operations: visible trust stage,
clear blocked actions, plain-language explanations, and no accidental secret
exposure.
## Scope
In scope:
- define bootstrap use cases for king credential setup, user lifecycle,
OpenBao bootstrap, fabric setup, break-glass, and multi-custodian upgrade;
- design the first local operator console/checklist flow;
- define safety gates for live OpenBao initialization;
- define non-secret status records and audit/progress events;
- define where the UI reads status from NetKingdom, Railiance, and State Hub;
and
- implement a first minimal CLI or local UI if the design stabilizes.
Out of scope:
- storing or displaying secret values;
- implementing the full web UI before the workflow is validated;
- replacing OpenBao, key-cape, Keycloak, or flex-auth administrative UIs;
- unattended OpenBao initialization; and
- sending root material or recovery secrets by email.
## Tasks
### T01 - Define Bootstrap Use Cases
```task
id: NET-WP-0016-T01
status: done
priority: high
state_hub_task_id: "67af8a29-7ca1-4a9d-be3e-bdc48dd2d1fd"
```
Document the canonical bootstrap use cases and trust stages.
**2026-05-24:** Added `docs/security-bootstrap-use-cases.md` covering king
credential setup, onboarding, temporary lockout, permanent lockout/offboarding,
credential review/rotation, new fabric admin setup, OpenBao bootstrap, custody
handover, and later multi-custodian upgrade.
### T02 - Design The First Operator Journey
```task
id: NET-WP-0016-T02
status: done
priority: high
state_hub_task_id: "662e439b-5fba-4e17-bc62-0ace97ba8788"
```
Design the first command-driven or local-web operator journey: trust stage,
next safe action, blocked gates, preflight checks, custody packet template, and
clear plain-language instructions.
**2026-05-24:** Added `docs/security-bootstrap-operator-journey.md`. The first
journey uses a quiet `whynot-design` control surface: trust stage, one next
safe action, blocked gates, evidence rows, and a refusal boundary around live
OpenBao initialization.
### T03 - Define King Credential Kit Output
```task
id: NET-WP-0016-T03
status: done
priority: high
state_hub_task_id: "98aba75f-a7c1-4486-be7f-e8d1148d5303"
```
Define the non-secret artifacts the bootstrap experience can generate for the
king credential: checklist, custody packet template, OTP setup instructions,
password-safe guidance, and verification prompts.
**2026-05-24:** Added `docs/security-bootstrap-king-credential-kit.md`.
### T04 - Define User Lifecycle Flows
```task
id: NET-WP-0016-T04
status: done
priority: high
state_hub_task_id: "44766b45-21b8-45cd-8c0a-0ca8281ae8e9"
```
Define guided flows for onboarding, temporary lockout, permanent lockout,
offboarding, credential review, credential rotation, and delegated fabric admin
setup.
**2026-05-24:** Added `docs/security-bootstrap-user-lifecycle.md`.
### T05 - Define OpenBao Ceremony UX
```task
id: NET-WP-0016-T05
status: done
priority: high
state_hub_task_id: "53f55c99-8403-4b58-9ed4-b03e68c1ef3c"
```
Translate the Railiance OpenBao ceremony into a guided sequence that can show
status, block unsafe live init, guide offline custody, and record non-secret
completion evidence.
**2026-05-24:** Added `docs/security-bootstrap-openbao-ceremony-ux.md`.
### T06 - Prototype Local Bootstrap Console
```task
id: NET-WP-0016-T06
status: done
priority: medium
state_hub_task_id: "ef1c8ee4-250c-479a-b0fb-0b5cf4249bd9"
```
Implement the first minimal local operator console or CLI once the journey is
clear. It should read status, print checklists, run safe preflight commands,
and refuse live bootstrap when gates are missing.
**2026-05-24:** Added
`tools/security-bootstrap-console/security_bootstrap_console.py`, a read-only
local console with status, king-kit, custody-packet, handover-checklist,
metadata-template, and OpenBao preflight commands. Added Make targets for the
safe entry points. The console refuses live OpenBao init.
### T07 - Define Handover And Cleanup Gates
```task
id: NET-WP-0016-T07
status: done
priority: medium
state_hub_task_id: "46c7e3dc-e824-46ef-833d-9a83189735e0"
```
Define the post-king handover cleanup flow: reset databases, rotate tokens,
review admin accounts, run scan/check steps, verify backups, and mark the
platform reopened under king oversight.
**2026-05-24:** Added `docs/security-bootstrap-handover-cleanup.md`.
### T08 - Review Related Workplans On Closeout
```task
id: NET-WP-0016-T08
status: done
priority: medium
state_hub_task_id: "7665f6ac-6b0e-4a09-8a9b-9d2150310114"
```
When this workplan closes, review related NetKingdom and Railiance security
workplans to update stale bootstrap assumptions, retire superseded tasks, and
add follow-ups where the guided bootstrap experience becomes the canonical
operator path.
**2026-05-24:** Added
`docs/security-bootstrap-related-workplan-review.md`, kept `NK-WP-0004` and
`NK-WP-0005` as substrate workplans with closeout notes, left historical
`NK-WP-0001` archived, and updated stale Railiance OpenBao custody wording.
## Acceptance Criteria
- The setup operator can see the current trust stage and next safe action.
- Live OpenBao init remains blocked until king credential and custody gates are
satisfied.
- User lifecycle operations are described in plain, auditable flows.
- New fabrics can receive delegated admins without granting platform root.
- Secret values are never stored or displayed by the bootstrap experience.
- The path to two-of-three custody is explicit and low-friction.
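Review bot: T06 states that the console "refuses live OpenBao init" unconditionally and is read-only, while the acceptance criterion says live init "remains blocked until king credential and custody gates are satisfied", which implies the console could proceed once the gates pass. Say which it is: if the console never runs `bao operator init`, document that the attended ceremony happens outside it and that the console only records non-secret completion evidence; if it is meant to run init later, the refusal in T06 should be gate-driven and that is not what the closeout note describes. Related: T03's kit output includes "OTP setup instructions", but the MFA tightening recorded under `NET-WP-0015` T03 on the same day requires the TOTP QR code or setup key to come from the verifying authority, not from the local console. Confirm `docs/security-bootstrap-king-credential-kit.md` was updated to match, otherwise the kit contradicts the custody approval rule. Finally, marking this workplan `status: finished` while its dependency `NET-WP-0015` still has T03 and T04 blocked is acceptable only if T08's related-workplan review is expected to reopen it when those gates change; a sentence to that effect would avoid a stale "finished" state.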

View File

@@ -8,7 +8,7 @@ status: done
owner: custodian
topic_slug: netkingdom
created: "2026-03-20"
updated: "2026-05-18"
updated: "2026-05-24"
state_hub_workstream_id: "d9cf7c4b-886b-4cd1-ad7b-99c4e1929c9e"
---
@@ -92,6 +92,18 @@ be treated as bootstrap artifacts, delivery caches, or compatibility
mechanisms. Long-lived workload secret authority belongs in OpenBao,
governed by NetKingdom policy and Railiance platform operations.
## NET-WP-0016 Closeout Review
`NET-WP-0016` keeps this workplan as the low-level bootstrap credential
foundation. SOPS/age, encrypted bundles, generated secrets, and Kubernetes
Secret injection remain useful substrate tooling.
The operator-facing path is no longer the old `/creds-bootstrap` experience by
itself. The canonical guided path is the security bootstrap console and related
docs from `NET-WP-0016`, with the dedicated king credential model from
`NET-WP-0015`. KeePassXC remains optional personal/offline storage; it is not
the platform root of trust.
## Dependency on canon standard
All design decisions in this workplan follow
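Review bot: the closeout note keeps SOPS/age, encrypted bundles and generated secrets as "substrate tooling" but does not say what happens to the bootstrap-era age recipient keys and encrypted bundles at king handover. `NET-WP-0015` T08 rotates database credentials, admin passwords, service tokens and OpenBao tokens after custody transfer; if the age private keys used during low-trust setup are not in that list, an operator who held them before handover can still decrypt any bundle that is not re-encrypted afterward. Suggest adding one line here that the handover cleanup includes re-keying or retiring bootstrap-era age recipients, or explicitly stating they are already covered by the "temporary access paths" wording. Also, "no longer the old `/creds-bootstrap` experience by itself" is ambiguous: state whether `/creds-bootstrap` is deprecated, still supported as a substrate command the console calls, or retained only for historical reference.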

View File

@@ -8,7 +8,7 @@ status: done
owner: custodian
topic_slug: netkingdom
created: "2026-03-21"
updated: "2026-05-18"
updated: "2026-05-24"
depends_on: NK-WP-0004
state_hub_workstream_id: "75bc472b-cc0a-48f2-afb6-62b896f7cc19"
---
@@ -86,6 +86,19 @@ to tenant administrators. If they are included in an emergency bundle,
that bundle is platform-control-plane break-glass material and requires
the strongest storage and review procedure available for the deployment.
## NET-WP-0016 Closeout Review
This workplan remains useful as automation substrate, but its "zero human ops"
framing is superseded at the product and custody layer by `NET-WP-0015` and
`NET-WP-0016`.
Agents may still generate, encrypt, inject, verify, and rotate bootstrap
material. They must not silently assume king credential custody, run live
OpenBao initialization unattended, or treat emergency bundles as ordinary
operator conveniences. The guided bootstrap experience is the canonical
operator path for king credential setup, OpenBao ceremony readiness, handover
cleanup, and reopening under custody.
## Design
### What changes from NK-WP-0004
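Review bot: "Agents may still generate, encrypt, inject, verify, and rotate bootstrap material" has no time bound. Before custody handover that is the intended low-trust mode, but after the king credential accepts custody under `NET-WP-0015` T08, an agent that can still rotate the same material can silently replace credentials the custodian just verified, which undoes the "reset, check, reopen" sequence. Suggest qualifying the sentence: agent-driven rotation is unrestricted only before handover, and afterwards rotation of material in the T08 scope requires a recorded approval from the king or delegated admin path. The emergency-bundle sentence should likewise say which custody mode applies to bundles that contain platform-control-plane break-glass material, since the preceding paragraph already classifies them as requiring "the strongest storage and review procedure available".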