Add OpenBao runtime secret authority; complete NK-WP-0006/0007/0008

Refine the recursive platform security architecture to make OpenBao the
canonical runtime secret authority, with SOPS/age, K8s Secrets, and the
emergency bundle reframed as bootstrap/delivery/break-glass mechanisms.

- credential-management standard v0.2: add OpenBao runtime authority
  section, rotation rules, and prohibited patterns (OpenBao-as-PDP,
  tenant platform-root)
- platform-identity-security-architecture: mark implemented; add
  flex-auth/Topaz implications, Coulomb onboarding path, and a
  production-readiness checklist
- NK-WP-0004/0005: document bootstrap-to-OpenBao handoff boundary
- NK-WP-0006/0007: status -> done with implementation reviews; add
  recursive platform/tenant split and OpenBao broker/audit role for
  object-storage STS vending
- NK-WP-0008: status -> done; repoint corpus to infospace-bench
- new ADR-0007 (orchestration boundary), ADR-0008 (STS vending
  boundary), and the object-storage STS credential-vending architecture

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-20 22:51:20 +02:00
parent b49631acef
commit 7b211acd57
10 changed files with 1150 additions and 69 deletions

@@ -1,14 +1,16 @@
# Credential Management Standard — net-kingdom
**Version:** 0.2 **Status:** current **Supersedes:** v0.1 (retired with NK-WP-0004)
**Version:** 0.2 **Status:** current with OpenBao runtime refinement **Supersedes:** v0.1 (retired with NK-WP-0004)
---
## 1. Purpose
Define how service credentials are generated, stored, rotated, and recovered
in the net-kingdom SSO/MFA platform. This standard governs operational
security of all secrets used by the Authelia + LLDAP + KeyCape + privacyIDEA
stack and its PostgreSQL backend.
Define how service credentials are generated, stored, rotated, handed off
to runtime secret authority, and recovered in the net-kingdom SSO/MFA
platform. This standard governs operational security of all secrets used
by the Authelia + LLDAP + KeyCape + privacyIDEA stack, its PostgreSQL
backend, and the OpenBao runtime secret authority used by the platform
control plane.
---
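Review bot: the new version line keeps the number at 0.2 while turning the Status field into free text ("current with OpenBao runtime refinement"); since this change adds a whole section (5 OpenBao Runtime Authority) and two prohibited patterns, bump to 0.3 or put the refinement in a changelog line and keep Status to its enumerated values (current/retired). Otherwise documents that pin "v0.2" cannot tell which revision of the standard they reference.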
@@ -24,17 +26,24 @@ break-glass passwords ────────► direct service access if clu
└──► stored in human's personal password manager
K8s Secrets ──────────────────► live credential store for running services
K8s Secrets ──────────────────► bootstrap/delivery state for running services
└──► created by create-secrets.sh scripts; sourced from secrets.enc/
└──► bootstrap/delivery mechanism; created by create-secrets.sh scripts
OpenBao runtime authority ─────► scoped workload secrets and dynamic credentials
├──► leases, revocation, and audit records
└──► direct client, External Secrets Operator, or CSI delivery
```
**KeePassXC is NOT in the operational path.** If you choose to import the
emergency bundle into KeePassXC for personal use, that is your business — it
is not required or assumed by any tooling in this repo.
The age private key and SOPS/age-encrypted git files are the credential store.
The ops bundle is the backup. The emergency bundle is the human's key ring.
The age private key and SOPS/age-encrypted git files are the bootstrap
credential store. The ops bundle is the bootstrap backup. The emergency
bundle is the human's break-glass key ring. OpenBao is the runtime secret
authority once the platform control plane is alive.
---
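Review bot: the rewritten K8s Secrets branch drops "sourced from secrets.enc/", so the diagram no longer says where bootstrap Secrets come from, and the new sentence "OpenBao is the runtime secret authority once the platform control plane is alive" gives no verifiable condition for the switch. Suggest keeping the provenance ("created by create-secrets.sh scripts from secrets.enc/") and tying the handoff to the same "present and verified" check the bootstrap phase list uses, so a reader can tell at any point which store is authoritative for a given secret.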
@@ -55,10 +64,12 @@ This single command runs the full bootstrap end-to-end:
6. Verifies all K8s Secrets exist
7. Waits for privacyIDEA to be Ready, then runs enckey bootstrap + admin creation
8. Applies KeyCape secrets (requires pi-admin)
9. Creates the ops bundle (age-encrypted snapshot)
10. Delivers the emergency bundle to the terminal for human storage
9. Hands off runtime secret authority to OpenBao when the Railiance
platform layer is present and verified
10. Creates the ops bundle (age-encrypted snapshot)
11. Delivers the emergency bundle to the terminal for human storage
**only human touchpoint**
11. Shreds all plaintext and marks `bootstrap_complete: true`
12. Shreds all plaintext and marks `bootstrap_complete: true`
The script resumes from where it left off if interrupted — each phase is
tracked in `creds-state.yaml`.
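Review bot: step 9 (OpenBao handoff) runs before the ops bundle snapshot in step 10 and the emergency bundle in step 11, but the list does not say whether material produced by the handoff (root token, unseal or recovery keys, if any) is included in that snapshot; since the emergency-bundle table in this same change lists "OpenBao unseal/recovery material, if used", state explicitly that step 10 captures it. Also, because step 9 is conditional on the Railiance layer being present, `creds-state.yaml` should record it as skipped rather than done, so a later resume can still perform the handoff instead of treating `bootstrap_complete: true` as final.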
@@ -67,7 +78,13 @@ tracked in `creds-state.yaml`.
No human credential management is needed after bootstrap. All secrets live in:
- `secrets.enc/` — encrypted in git (decrypt with age key)
- K8s Secrets — live cluster state (updated by `creds-apply.sh`)
- K8s Secrets — bootstrap or delivery state (updated by `creds-apply.sh`,
External Secrets Operator, CSI, or other approved delivery paths)
- OpenBao — runtime secret authority for platform services, workload
secrets, dynamic credentials, leases, revocation, and audit
Once OpenBao is ready, new long-lived workload secret authority should be
introduced there rather than by expanding the bootstrap SOPS/age surface.
### Phase 2 — Rotation
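Review bot: listing `creds-apply.sh`, External Secrets Operator and CSI as co-writers of K8s Secrets leaves ownership undefined: if ESO reconciles a Secret that `creds-apply.sh` also writes, each run clobbers the other. Suggest stating that every K8s Secret has exactly one delivery owner and that `creds-apply.sh` skips Secrets marked as ESO/CSI-managed. "Other approved delivery paths" and "should be introduced there" also read softer than the prohibited-patterns list; if expanding the SOPS/age surface for new workload secrets is disallowed once OpenBao is ready, say "must" and point to Section 5 for what counts as approved.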
@@ -77,7 +94,7 @@ SECRET=<name> bash sso-mfa/bootstrap/creds-rotate.sh --non-interactive # agent
```
Rotation is handled per-secret with appropriate atomicity guarantees.
See Section 5 for details.
See Section 6 for details.
### Phase 3 — Recovery
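Review bot: only the one cross-reference in Phase 2 is repointed from Section 5 to Section 6, but every section from the former 5 onward shifts by one in this change (Ops Bundle 6 to 7, Prohibited Patterns 7 to 8); grep this file and the documents that cite it for "Section 5", "Section 6" and "Section 7" so no stale numeric reference remains.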
@@ -98,6 +115,7 @@ See Section 4 — Emergency Bundle.
| PostgreSQL root password | Direct database access |
| break-glass user password | Emergency login if Authelia/KeyCape is down |
| ops bundle location + decrypt command | Point-in-time snapshot of all secrets |
| OpenBao unseal/recovery material, if used | Platform-control-plane break-glass only |
### Delivery
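Review bot: "OpenBao unseal/recovery material, if used" is ambiguous about whether the bundle actually contains it, and placing all unseal or recovery shares in the one bundle a single human stores collapses any share threshold to one holder. Suggest making the row definite (either list the exact items or state they are held elsewhere) and, if shares are included, recording the share count and threshold and keeping at most a minority of shares in this bundle.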
@@ -138,12 +156,45 @@ The agent does not care which — it only cares that you confirm receipt.
---
## 5. Secret Rotation
## 5. OpenBao Runtime Authority
OpenBao is the canonical runtime secret authority for the platform
control plane once deployed and verified. It stores, issues, leases,
audits, and revokes runtime secret material; it does not replace identity
or authorization.
Required boundaries:
- SOPS/age remains the bootstrap and Git-at-rest protection mechanism.
- OpenBao root tokens, unseal keys, recovery keys, platform mounts, and
global auth methods are platform-root material.
- Tenant administrators may manage tenant-scoped secret paths only
through approved policies; they must not receive OpenBao platform-root
authority.
- Workloads should use scoped OpenBao auth roles, External Secrets
Operator, CSI-mounted secrets, or another approved delivery mechanism.
- flex-auth decides whether a secret or dynamic credential request is
allowed when the request is authorization-sensitive; OpenBao performs
storage, issuance, lease, revocation, and audit.
- OpenBao audit logs must be shipped to durable storage and included in
restore and break-glass drills.
OpenBao may issue dynamic credentials for databases, object storage, or
other systems where provider support and policy make that safer than
static secret distribution. Provider-native STS remains valid where it
gives better-scoped temporary credentials; OpenBao can still broker,
store, or audit the handoff where appropriate.
---
## 6. Secret Rotation
### Rotatable secrets
| Secret | Blast radius | Notes |
|--------|-------------|-------|
| OpenBao workload secret | Variable | Prefer lease expiry or dynamic regeneration |
| OpenBao auth role/policy | Variable | Requires policy review and audit check |
| `PI_SECRET_KEY` | Low — invalidates PI sessions | Safe to rotate anytime |
| `PI_DB_PASSWORD` | Medium — DB + pod | Atomic update required |
| `LLDAP_JWT_SECRET` | Low — invalidates LLDAP sessions | Safe to rotate anytime |
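Review bot: the rule "flex-auth decides ... when the request is authorization-sensitive; OpenBao performs storage, issuance, lease, revocation, and audit" does not say who classifies a request as authorization-sensitive or what the default is for an unclassified one; without that, a direct OpenBao client path bypasses flex-auth entirely. Suggest defining the criterion (for example, any dynamic-credential or cross-tenant path) and the default (deny, or route through flex-auth). Separately, the two new rows in the rotatable-secrets table ("OpenBao workload secret", "OpenBao auth role/policy") sit among entries that are names accepted by `creds-rotate.sh`; note in the Notes column that these rotate via lease TTL or a policy change in OpenBao, not via `SECRET=<name> creds-rotate.sh`.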
@@ -168,9 +219,19 @@ Rotating the age private key is a special case:
4. A **new emergency bundle must be delivered** before the old key is revoked
(see Section 4)
### OpenBao root and recovery material
OpenBao root tokens, unseal keys, and recovery keys are not routine
rotation targets. Treat them as platform-root break-glass material:
1. Prefer short-lived or revoked root tokens after initial setup.
2. Use scoped policies and auth methods for normal operations.
3. Rotate recovery or unseal material only with an explicit maintenance
window, backup verification, and post-rotation emergency-bundle update.
---
## 6. Ops Bundle
## 7. Ops Bundle
The ops bundle is an age-encrypted tar archive of all plaintext secrets at a
point in time. It is created automatically during bootstrap and can be
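Review bot: step 1 "Prefer short-lived or revoked root tokens after initial setup" reads as if a revoked token is something to use; rephrase to "Revoke the initial root token once policies and auth methods are in place; generate a short-lived root token only for a specific maintenance task and revoke it afterwards." Step 3 ties unseal/recovery rotation to an emergency-bundle update, which matches the Section 4 table, but should add a verification step (a successful unseal or recovery test with the new material) before the old material is destroyed, mirroring the age-key rotation procedure directly above it.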
@@ -188,7 +249,7 @@ age -d -i ~/.config/sops/age/keys.txt ops-bundle-<date>.tar.age | tar xf -
---
## 7. Prohibited Patterns
## 8. Prohibited Patterns
The following are permanently prohibited:
@@ -209,6 +270,14 @@ The following are permanently prohibited:
5. **Storing the age private key in the repo** — the key lives outside the
repo at `~/.config/sops/age/keys.txt`
6. **Using OpenBao as a policy decision point** — OpenBao stores, leases,
audits, and revokes secret material; identity comes from the IAM
Profile and authorization decisions come from flex-auth where a
decision boundary is needed
7. **Giving tenants OpenBao platform-root authority** — tenants may only
receive scoped access paths approved for their tenant resources
---
## Appendix A — KeePassXC Group Structure (optional)
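Review bot: item 6 prohibits OpenBao as a policy decision point, but OpenBao ACL policies are themselves authorization decisions over secret paths, and Section 5 relies on "approved policies" and "scoped OpenBao auth roles" for tenant and workload scoping, so as written the two passages conflict. Suggest narrowing item 6 to "OpenBao path policies enforce scope for material it holds; they are not the source of truth for who may act on a resource, which remains the IAM Profile (identity) and flex-auth (authorization)." Item 7 should cross-reference the tenant boundary rules in Section 5 so the scoped-path rule is stated once rather than in two slightly different forms.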