NET-WP-0020-T02: wire OpenBao init/unseal as Phase 7b in creds-bootstrap-agent (operator-reviewed)

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
2026-07-02 13:32:58 +02:00
parent abde6b1fd4
commit 67b4677cea
3 changed files with 59 additions and 5 deletions


@@ -298,6 +298,45 @@ else
echo " [dry-run] would run: bash creds-verify.sh"
fi
# ── Phase 7b: OpenBao init/unseal (sops-held-automation, optional) ───────────
step "7b — OpenBao init/unseal (sops-held-automation, optional)"
# NET-WP-0020 T2: greenfield-rebuild hook. Runs only when the openbao
# namespace exists AND the console has selected sops-held-automation
# (the helper enforces that gate itself and refuses attended-ceremony /
# auto-unseal-transit). Skipped silently on clusters without OpenBao.
if kubectl get namespace openbao &>/dev/null; then
if [[ "$(state_get openbao_post_unseal_verified)" == "true" ]]; then
ok "OpenBao already verified — skipping"
elif [[ "$DRY_RUN" == false ]]; then
if (cd "$SCRIPT_DIR" && bash openbao-init-unseal.sh "$SECRETS_DIR"); then
state_set "openbao_initialized" "true"
state_set "openbao_post_unseal_verified" "true"
ok "OpenBao initialized/unsealed and verified"
# New init material must reach age custody before cleanup.
if [[ -d "$SECRETS_DIR/openbao" ]]; then
log "encrypting OpenBao init material → secrets.enc/ ..."
(cd "$SCRIPT_DIR" && bash encrypt-secrets.sh \
"$SECRETS_DIR" "$AGE_KEY" --no-shred)
cd "$REPO_ROOT"
git add sso-mfa/bootstrap/secrets.enc/ \
sso-mfa/bootstrap/creds-state.yaml
git diff --cached --quiet || git commit -m \
"chore(creds): encrypted OpenBao init material [agent]"
fi
else
warn "OpenBao init/unseal did not complete — see output"
warn "(gate unselected or pod not ready; bootstrap continues)"
fi
else
echo " [dry-run] would run: openbao-init-unseal.sh $SECRETS_DIR"
fi
else
ok "no openbao namespace in this cluster — skipping"
fi
# ── Phase 8: Ops bundle ────────────────────────────────────────────────────────
step "8 — Create ops bundle (age-encrypted snapshot)"
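Review bot: The `openbao_post_unseal_verified` flag is written on the line right after the helper succeeds, before `encrypt-secrets.sh` has run, and that call's exit status is never checked; if encryption fails (or the script aborts there under `set -e`, if the file enables it — not visible in this hunk), the next run hits the `state_get` check and skips Phase 7b, leaving the freshly generated OpenBao init material as plaintext under `$SECRETS_DIR/openbao` with nothing in `secrets.enc/` to show for it. Since the call uses `--no-shred`, the plaintext is deliberately left behind for a later cleanup the comment alludes to, which makes it matter that the encrypted copy is confirmed before the state records success. I would check the encrypt result and only record `openbao_post_unseal_verified` after the age copy exists; the git add/commit can stay as is. The hunk opens inside the `else` branch of Phase 7's dry-run check, whose start is outside the hunk.
```shell
if (cd "$SCRIPT_DIR" && bash openbao-init-unseal.sh "$SECRETS_DIR"); then
  state_set "openbao_initialized" "true"
  # Record "verified" only once the init material is in age custody;
  # otherwise a failed encrypt leaves plaintext behind and the
  # state_get guard above makes the next run skip this phase.
  if [[ -d "$SECRETS_DIR/openbao" ]]; then
    log "encrypting OpenBao init material → secrets.enc/ ..."
    if ! (cd "$SCRIPT_DIR" && bash encrypt-secrets.sh \
        "$SECRETS_DIR" "$AGE_KEY" --no-shred); then
      warn "encrypt-secrets.sh failed — OpenBao init material is still plaintext in $SECRETS_DIR/openbao"
      exit 1
    fi
    cd "$REPO_ROOT"
    # … unchanged: git add / git commit of secrets.enc and creds-state.yaml …
  fi
  state_set "openbao_post_unseal_verified" "true"
  ok "OpenBao initialized/unsealed and verified"
else
  # … unchanged: warn branch …
fi
```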


@@ -28,5 +28,12 @@ secrets_applied:
enckey_bootstrapped: true
pi_admin_created: true
# OpenBao init/unseal (NET-WP-0020 T2, sops-held-automation lane only).
# false here because the current cluster's OpenBao was initialized via the
# attended ceremony (NET-WP-00150017), not this automation path. These flip
# to true only when Phase 7b runs on a greenfield rebuild.
openbao_initialized: false
openbao_post_unseal_verified: false
# Derived: all true → bootstrap complete
bootstrap_complete: true
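Review bot: The trailing comment `# Derived: all true → bootstrap complete` no longer matches the file once `openbao_initialized: false` and `openbao_post_unseal_verified: false` sit above a `bootstrap_complete: true`; a reader (or a script that derives the flag literally) will see the rule contradicted. The preceding comment explains why the two keys are false on this cluster, but the derivation line should say that the optional-lane keys are excluded, e.g. `# Derived: all required flags true → bootstrap complete (openbao_* are optional-lane and not part of the derivation)`. Whether the agent actually derives `bootstrap_complete` from these keys is not visible in this hunk, so confirm against creds-bootstrap-agent before wording it as a rule. The ticket reference `NET-WP-00150017` in the new comment also looks like a fused identifier (perhaps two tickets), worth checking.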