NET-WP-0020-T02: SOPS-held OpenBao init/unseal automation helper

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-02 11:01:34 +02:00
parent 764c3cfd6d
commit 60142241a3
4 changed files with 235 additions and 8 deletions

@@ -25,8 +25,14 @@ during bootstrap and rebuild.
### `sops-held-automation` (default for greenfield dev)
- Init/unseal material lives in **SOPS/age** custody bundle (not Git plaintext).
- Applied by `sso-mfa/bootstrap/creds-bootstrap-agent.sh` and related `creds-apply`
tooling after cluster + OpenBao pod exist.
- Applied by `sso-mfa/bootstrap/openbao-init-unseal.sh` (`make
openbao-init-unseal`, NET-WP-0020 T2) after cluster + OpenBao pod exist. The
helper enforces the console custody-model gate, initializes only when
uninitialized (init JSON written straight into the age-custody secrets dir),
replays unseal shares stdin-to-stdin, verifies post-unseal state, and emits
non-secret `openbao_initialized` / `openbao_post_unseal_verified` evidence.
Set `OPENBAO_RUN_CONFIGURE_INITIAL=1` to chain `railiance-platform: make
openbao-configure-initial`.
- Enables **unattended rebuild test cycles** on a 3-node slate.
- **Not** production trust posture — use to prove S1→S3→SSH engine automation,
then graduate to stronger models.
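Review bot: the new `openbao-init-unseal.sh` bullet that replaces the `creds-bootstrap-agent.sh` entry documents the happy path but not the failure mode that matters most for a SOPS-held model: what the helper does if init succeeds but the init JSON cannot be written into the age-custody secrets dir. Because the helper "initializes only when uninitialized", a lost init JSON cannot be regenerated by re-running it, so the doc should state whether a failed write is fatal and what the operator is expected to do. Suggest one sentence after "(init JSON written straight into the age-custody secrets dir)", e.g. "a failed write aborts before unseal and is treated as an operator-recovery event", plus a note on where the non-secret `openbao_initialized` / `openbao_post_unseal_verified` evidence is emitted so a reader can confirm it carries no shares or root token.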
@@ -88,7 +94,7 @@ Metadata field: `openbao_unseal_custody_model`
| S1 OS baseline | railiance-infra | 3 nodes |
| S2 k3s HA | railiance-cluster | ThreePhoenix |
| S3 OpenBao deploy | railiance-platform | `make openbao-deploy` |
| Init/unseal apply | net-kingdom | `creds-bootstrap-agent.sh` (sops-held) |
| Init/unseal apply | net-kingdom | `make openbao-init-unseal` (sops-held) |
| Platform config | railiance-platform | `openbao-configure-initial` |
| SSH engine | railiance-platform | `openbao-configure-ssh` (planned) |
| Host CA trust | railiance-infra | `bootstrap-ssh-ca` (planned) |
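Review bot: the replaced "Init/unseal apply" row now names the Makefile target instead of the script path, which matches the new bullet in the custody-model section, but the third column is inconsistent across the table: this row and the S3 row use `make <target>` while the Platform config, SSH engine and Host CA rows use the bare target name. Pick one form for the whole table; the bare form (`openbao-init-unseal (sops-held)`) with a column header saying these are make targets would keep the rows aligned.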