generated from coulomb/repo-seed
Add OpenBao runtime secret authority; complete NK-WP-0006/0007/0008
Refine the recursive platform security architecture to make OpenBao the canonical runtime secret authority, with SOPS/age, K8s Secrets, and the emergency bundle reframed as bootstrap/delivery/break-glass mechanisms. - credential-management standard v0.2: add OpenBao runtime authority section, rotation rules, and prohibited patterns (OpenBao-as-PDP, tenant platform-root) - platform-identity-security-architecture: mark implemented; add flex-auth/Topaz implications, Coulomb onboarding path, and a production-readiness checklist - NK-WP-0004/0005: document bootstrap-to-OpenBao handoff boundary - NK-WP-0006/0007: status -> done with implementation reviews; add recursive platform/tenant split and OpenBao broker/audit role for object-storage STS vending - NK-WP-0008: status -> done; repoint corpus to infospace-bench - new ADR-0007 (orchestration boundary), ADR-0008 (STS vending boundary), and the object-storage STS credential-vending architecture Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
@@ -1,14 +1,16 @@
|
||||
# Credential Management Standard — net-kingdom
|
||||
**Version:** 0.2 **Status:** current **Supersedes:** v0.1 (retired with NK-WP-0004)
|
||||
**Version:** 0.2 **Status:** current with OpenBao runtime refinement **Supersedes:** v0.1 (retired with NK-WP-0004)
|
||||
|
||||
---
|
||||
|
||||
## 1. Purpose
|
||||
|
||||
Define how service credentials are generated, stored, rotated, and recovered
|
||||
in the net-kingdom SSO/MFA platform. This standard governs operational
|
||||
security of all secrets used by the Authelia + LLDAP + KeyCape + privacyIDEA
|
||||
stack and its PostgreSQL backend.
|
||||
Define how service credentials are generated, stored, rotated, handed off
|
||||
to runtime secret authority, and recovered in the net-kingdom SSO/MFA
|
||||
platform. This standard governs operational security of all secrets used
|
||||
by the Authelia + LLDAP + KeyCape + privacyIDEA stack, its PostgreSQL
|
||||
backend, and the OpenBao runtime secret authority used by the platform
|
||||
control plane.
|
||||
|
||||
---
|
||||
|
||||
@@ -24,17 +26,24 @@ break-glass passwords ────────► direct service access if clu
|
||||
│
|
||||
└──► stored in human's personal password manager
|
||||
|
||||
K8s Secrets ──────────────────► live credential store for running services
|
||||
K8s Secrets ──────────────────► bootstrap/delivery state for running services
|
||||
│
|
||||
└──► created by create-secrets.sh scripts; sourced from secrets.enc/
|
||||
└──► bootstrap/delivery mechanism; created by create-secrets.sh scripts
|
||||
|
||||
OpenBao runtime authority ─────► scoped workload secrets and dynamic credentials
|
||||
│
|
||||
├──► leases, revocation, and audit records
|
||||
└──► direct client, External Secrets Operator, or CSI delivery
|
||||
```
|
||||
|
||||
**KeePassXC is NOT in the operational path.** If you choose to import the
|
||||
emergency bundle into KeePassXC for personal use, that is your business — it
|
||||
is not required or assumed by any tooling in this repo.
|
||||
|
||||
The age private key and SOPS/age-encrypted git files are the credential store.
|
||||
The ops bundle is the backup. The emergency bundle is the human's key ring.
|
||||
The age private key and SOPS/age-encrypted git files are the bootstrap
|
||||
credential store. The ops bundle is the bootstrap backup. The emergency
|
||||
bundle is the human's break-glass key ring. OpenBao is the runtime secret
|
||||
authority once the platform control plane is alive.
|
||||
|
||||
---
|
||||
|
||||
@@ -55,10 +64,12 @@ This single command runs the full bootstrap end-to-end:
|
||||
6. Verifies all K8s Secrets exist
|
||||
7. Waits for privacyIDEA to be Ready, then runs enckey bootstrap + admin creation
|
||||
8. Applies KeyCape secrets (requires pi-admin)
|
||||
9. Creates the ops bundle (age-encrypted snapshot)
|
||||
10. Delivers the emergency bundle to the terminal for human storage
|
||||
9. Hands off runtime secret authority to OpenBao when the Railiance
|
||||
platform layer is present and verified
|
||||
10. Creates the ops bundle (age-encrypted snapshot)
|
||||
11. Delivers the emergency bundle to the terminal for human storage
|
||||
← **only human touchpoint**
|
||||
11. Shreds all plaintext and marks `bootstrap_complete: true`
|
||||
12. Shreds all plaintext and marks `bootstrap_complete: true`
|
||||
|
||||
The script resumes from where it left off if interrupted — each phase is
|
||||
tracked in `creds-state.yaml`.
|
||||
@@ -67,7 +78,13 @@ tracked in `creds-state.yaml`.
|
||||
|
||||
No human credential management is needed after bootstrap. All secrets live in:
|
||||
- `secrets.enc/` — encrypted in git (decrypt with age key)
|
||||
- K8s Secrets — live cluster state (updated by `creds-apply.sh`)
|
||||
- K8s Secrets — bootstrap or delivery state (updated by `creds-apply.sh`,
|
||||
External Secrets Operator, CSI, or other approved delivery paths)
|
||||
- OpenBao — runtime secret authority for platform services, workload
|
||||
secrets, dynamic credentials, leases, revocation, and audit
|
||||
|
||||
Once OpenBao is ready, new long-lived workload secret authority should be
|
||||
introduced there rather than by expanding the bootstrap SOPS/age surface.
|
||||
|
||||
### Phase 2 — Rotation
|
||||
|
||||
@@ -77,7 +94,7 @@ SECRET=<name> bash sso-mfa/bootstrap/creds-rotate.sh --non-interactive # agent
|
||||
```
|
||||
|
||||
Rotation is handled per-secret with appropriate atomicity guarantees.
|
||||
See Section 5 for details.
|
||||
See Section 6 for details.
|
||||
|
||||
### Phase 3 — Recovery
|
||||
|
||||
@@ -98,6 +115,7 @@ See Section 4 — Emergency Bundle.
|
||||
| PostgreSQL root password | Direct database access |
|
||||
| break-glass user password | Emergency login if Authelia/KeyCape is down |
|
||||
| ops bundle location + decrypt command | Point-in-time snapshot of all secrets |
|
||||
| OpenBao unseal/recovery material, if used | Platform-control-plane break-glass only |
|
||||
|
||||
### Delivery
|
||||
|
||||
@@ -138,12 +156,45 @@ The agent does not care which — it only cares that you confirm receipt.
|
||||
|
||||
---
|
||||
|
||||
## 5. Secret Rotation
|
||||
## 5. OpenBao Runtime Authority
|
||||
|
||||
OpenBao is the canonical runtime secret authority for the platform
|
||||
control plane once deployed and verified. It stores, issues, leases,
|
||||
audits, and revokes runtime secret material; it does not replace identity
|
||||
or authorization.
|
||||
|
||||
Required boundaries:
|
||||
|
||||
- SOPS/age remains the bootstrap and Git-at-rest protection mechanism.
|
||||
- OpenBao root tokens, unseal keys, recovery keys, platform mounts, and
|
||||
global auth methods are platform-root material.
|
||||
- Tenant administrators may manage tenant-scoped secret paths only
|
||||
through approved policies; they must not receive OpenBao platform-root
|
||||
authority.
|
||||
- Workloads should use scoped OpenBao auth roles, External Secrets
|
||||
Operator, CSI-mounted secrets, or another approved delivery mechanism.
|
||||
- flex-auth decides whether a secret or dynamic credential request is
|
||||
allowed when the request is authorization-sensitive; OpenBao performs
|
||||
storage, issuance, lease, revocation, and audit.
|
||||
- OpenBao audit logs must be shipped to durable storage and included in
|
||||
restore and break-glass drills.
|
||||
|
||||
OpenBao may issue dynamic credentials for databases, object storage, or
|
||||
other systems where provider support and policy make that safer than
|
||||
static secret distribution. Provider-native STS remains valid where it
|
||||
gives better-scoped temporary credentials; OpenBao can still broker,
|
||||
store, or audit the handoff where appropriate.
|
||||
|
||||
---
|
||||
|
||||
## 6. Secret Rotation
|
||||
|
||||
### Rotatable secrets
|
||||
|
||||
| Secret | Blast radius | Notes |
|
||||
|--------|-------------|-------|
|
||||
| OpenBao workload secret | Variable | Prefer lease expiry or dynamic regeneration |
|
||||
| OpenBao auth role/policy | Variable | Requires policy review and audit check |
|
||||
| `PI_SECRET_KEY` | Low — invalidates PI sessions | Safe to rotate anytime |
|
||||
| `PI_DB_PASSWORD` | Medium — DB + pod | Atomic update required |
|
||||
| `LLDAP_JWT_SECRET` | Low — invalidates LLDAP sessions | Safe to rotate anytime |
|
||||
@@ -168,9 +219,19 @@ Rotating the age private key is a special case:
|
||||
4. A **new emergency bundle must be delivered** before the old key is revoked
|
||||
(see Section 4)
|
||||
|
||||
### OpenBao root and recovery material
|
||||
|
||||
OpenBao root tokens, unseal keys, and recovery keys are not routine
|
||||
rotation targets. Treat them as platform-root break-glass material:
|
||||
|
||||
1. Prefer short-lived or revoked root tokens after initial setup.
|
||||
2. Use scoped policies and auth methods for normal operations.
|
||||
3. Rotate recovery or unseal material only with an explicit maintenance
|
||||
window, backup verification, and post-rotation emergency-bundle update.
|
||||
|
||||
---
|
||||
|
||||
## 6. Ops Bundle
|
||||
## 7. Ops Bundle
|
||||
|
||||
The ops bundle is an age-encrypted tar archive of all plaintext secrets at a
|
||||
point in time. It is created automatically during bootstrap and can be
|
||||
@@ -188,7 +249,7 @@ age -d -i ~/.config/sops/age/keys.txt ops-bundle-<date>.tar.age | tar xf -
|
||||
|
||||
---
|
||||
|
||||
## 7. Prohibited Patterns
|
||||
## 8. Prohibited Patterns
|
||||
|
||||
The following are permanently prohibited:
|
||||
|
||||
@@ -209,6 +270,14 @@ The following are permanently prohibited:
|
||||
5. **Storing the age private key in the repo** — the key lives outside the
|
||||
repo at `~/.config/sops/age/keys.txt`
|
||||
|
||||
6. **Using OpenBao as a policy decision point** — OpenBao stores, leases,
|
||||
audits, and revokes secret material; identity comes from the IAM
|
||||
Profile and authorization decisions come from flex-auth where a
|
||||
decision boundary is needed
|
||||
|
||||
7. **Giving tenants OpenBao platform-root authority** — tenants may only
|
||||
receive scoped access paths approved for their tenant resources
|
||||
|
||||
---
|
||||
|
||||
## Appendix A — KeePassXC Group Structure (optional)
|
||||
|
||||
Reference in New Issue
Block a user