Record OpenBao audit rollout evidence

2026-06-01 22:30:33 +02:00
parent 53f20bf3e6
commit 1f09e6dcae
1 changed files with 12 additions and 0 deletions
--- a/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md
+++ b/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md
@@ -153,6 +153,18 @@ is visible, an audit log is written, durable audit shipping beyond the PVC is
 selected, and restore/emergency drill evidence plus a next escrow holder are
 recorded.

+**2026-06-01:** Completed the attended live rollout of the Railiance
+declarative file-audit configuration. The Helm release was upgraded, the
+`OnDelete` StatefulSet pod was deliberately recycled, the operator unsealed the
+new pod, and `make openbao-verify-post-unseal` now reports OpenBao `2.5.4`,
+`Sealed: false`, an audit directory, and a non-empty
+`/openbao/audit/openbao-audit.log`. The Railiance source now pins the live
+OpenBao image tag to `2.5.4` after the chart upgrade advanced the runtime from
+`2.5.3`; a follow-up Helm revision 3 applied the explicit tag while the pod
+remained ready. T02 remains open for the authenticated `bao audit list` proof,
+durable audit shipping beyond the audit PVC, restore-drill evidence, emergency
+seal/unseal drill evidence, and the next independent escrow holder.
+
 ### T03 - Close Trial Taint And Retire Bootstrap Admin Paths

 ```task