From 5a5eb482d463fa9030fd365ff936367589a1b8c4 Mon Sep 17 00:00:00 2001 From: tegwick Date: Thu, 18 Jun 2026 01:06:43 +0200 Subject: [PATCH] docs(NET-WP-0020): T5 automation ready; operator apply is next gate Update workplan T5 to progress and assessment next-actions for live cluster apply before WP-0008 warden sign smoke. --- ...17-openbao-ssh-custody-and-bootstrap-assessment.md | 11 ++++++----- ...-0020-openbao-unseal-custody-and-ssh-automation.md | 10 ++++++---- 2 files changed, 12 insertions(+), 9 deletions(-) diff --git a/history/2026-06-17-openbao-ssh-custody-and-bootstrap-assessment.md b/history/2026-06-17-openbao-ssh-custody-and-bootstrap-assessment.md index 74e800e..2a0bcf9 100644 --- a/history/2026-06-17-openbao-ssh-custody-and-bootstrap-assessment.md +++ b/history/2026-06-17-openbao-ssh-custody-and-bootstrap-assessment.md @@ -196,7 +196,7 @@ make security-bootstrap-console METADATA="$METADATA" → railiance-platform openbao-deploy → net-kingdom creds-bootstrap-agent (sops-held init/unseal) [T2] → railiance-platform openbao-configure-initial [exists] - → railiance-platform openbao-configure-ssh [T5 — next] + → railiance-platform openbao-configure-ssh [T5 — scripted; operator apply pending] → railiance-infra bootstrap-ssh-ca (CA pubkey + principals) [T5] → ops-warden warden sign smoke [WP-0008 T2] → (later) flex-auth policy.enabled [WP-0008 T5] 
@@ -230,10 +230,11 @@ automate actor key lifecycle (`warden issue`, credential roster, rotation). ## 10. Next actions (ordered) 1. ~~Persist this assessment~~ (this file) -2. **NET-WP-0020 T5** — `openbao-apply-ssh-engine.sh` + railiance-infra host CA role -3. **WP-0008 T2** — `warden sign` smoke + append `openbao-production-verify.md` -4. **NET-WP-0020 T2** — wire `creds-bootstrap-agent.sh` for greenfield init/unseal -5. **NET-WP-0020 T3/T4** — unlock attended + auto-unseal console paths +2. ~~**NET-WP-0020 T5** — automation artifacts in railiance-platform + railiance-infra~~ (2026-06-18) +3. **Operator apply** — `make openbao-configure-ssh` then `make bootstrap-ssh-ca` (Track A) +4. **WP-0008 T2** — `warden sign` smoke + append `openbao-production-verify.md` +5. **NET-WP-0020 T2** — wire `creds-bootstrap-agent.sh` for greenfield init/unseal +6. **NET-WP-0020 T3/T4** — unlock attended + auto-unseal console paths --- diff --git a/workplans/NET-WP-0020-openbao-unseal-custody-and-ssh-automation.md b/workplans/NET-WP-0020-openbao-unseal-custody-and-ssh-automation.md index 557c359..3b111b5 100644 --- a/workplans/NET-WP-0020-openbao-unseal-custody-and-ssh-automation.md +++ b/workplans/NET-WP-0020-openbao-unseal-custody-and-ssh-automation.md @@ -8,7 +8,7 @@ status: active owner: codex topic_slug: net-kingdom created: "2026-06-17" -updated: "2026-06-17" +updated: "2026-06-18" --- # NET-WP-0020 — OpenBao Unseal Custody Models and SSH Automation Path 
@@ -78,12 +78,14 @@ priority: medium ```task id: NET-WP-0020-T05 -status: todo +status: progress priority: high ``` -- [ ] `railiance-platform`: `openbao-configure-ssh` declarative script -- [ ] `railiance-infra`: `bootstrap-ssh-ca` role + inventory sync +- [x] `railiance-platform`: `openbao-configure-ssh` declarative script + Makefile targets +- [x] `railiance-infra`: `bootstrap-ssh-ca` role + `ssh_principals.yaml` inventory +- [ ] Live apply: `make openbao-configure-ssh` on Railiance OpenBao (operator token) +- [ ] Live apply: `make bootstrap-ssh-ca` on managed hosts - [ ] Close `ops-warden` WP-0008 T2 verification gate ---
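Review bot: In the first hunk (the console flow diagram in the assessment, around line 196), only the `openbao-configure-ssh` entry gets the new status `[T5 — scripted; operator apply pending]`, while the next line `railiance-infra bootstrap-ssh-ca (CA pubkey + principals) [T5]` keeps its bare `[T5]` label even though the workplan hunk in this same patch marks that role as scripted with its live apply still open. Give both T5 lines the same status so a reader of the diagram does not conclude that `bootstrap-ssh-ca` is either untouched or already applied; the diagram is the one place that shows `bootstrap-ssh-ca` depends on the CA pubkey produced by `openbao-configure-ssh`, so the two pending applies should read as an ordered pair.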
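Review bot: In the "Next actions" hunk, the struck-through item 2 replaces the concrete artifact name `openbao-apply-ssh-engine.sh` with "automation artifacts in railiance-platform + railiance-infra", so the assessment loses its pointer to what was actually delivered; if the script was renamed to the `openbao-configure-ssh` target that item 3 invokes, say so in the struck text, otherwise keep the script name. Item 3 (`make openbao-configure-ssh` then `make bootstrap-ssh-ca`) should also carry the prerequisite that the workplan hunk states for the same step, namely that the OpenBao apply runs under an operator token, since this list is the ordered gate before the `warden sign` smoke in item 4.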
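Review bot: In the T05 task hunk, the two new "Live apply" checkboxes have no verification step between them, yet `make bootstrap-ssh-ca` installs the CA public key and `ssh_principals.yaml` principals on managed hosts, which is the point at which every host starts trusting certificates minted by that CA. Add a checkbox after the OpenBao apply to confirm the CA public key fingerprint that `bootstrap-ssh-ca` will distribute matches the one the freshly configured SSH engine serves, and note the ordering dependency explicitly (the host role cannot run before `openbao-configure-ssh`), since the checklist as written reads as two independent items. A review of the `ssh_principals.yaml` host-to-principal mapping before the live apply would also belong here, as that file now decides which principals each host accepts.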