Add OpenBao runtime secret authority; complete NK-WP-0006/0007/0008

Refine the recursive platform security architecture to make OpenBao the
canonical runtime secret authority, with SOPS/age, K8s Secrets, and the
emergency bundle reframed as bootstrap/delivery/break-glass mechanisms.

- credential-management standard v0.2: add OpenBao runtime authority
  section, rotation rules, and prohibited patterns (OpenBao-as-PDP,
  tenant platform-root)
- platform-identity-security-architecture: mark implemented; add
  flex-auth/Topaz implications, Coulomb onboarding path, and a
  production-readiness checklist
- NK-WP-0004/0005: document bootstrap-to-OpenBao handoff boundary
- NK-WP-0006/0007: status -> done with implementation reviews; add
  recursive platform/tenant split and OpenBao broker/audit role for
  object-storage STS vending
- NK-WP-0008: status -> done; repoint corpus to infospace-bench
- new ADR-0007 (orchestration boundary), ADR-0008 (STS vending
  boundary), and the object-storage STS credential-vending architecture

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-20 22:51:20 +02:00
parent b49631acef
commit 7b211acd57
10 changed files with 1150 additions and 69 deletions


@@ -8,7 +8,7 @@ status: done
owner: custodian
topic_slug: netkingdom
created: "2026-03-21"
updated: "2026-03-21"
updated: "2026-05-18"
depends_on: NK-WP-0004
state_hub_workstream_id: "75bc472b-cc0a-48f2-afb6-62b896f7cc19"
---
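Review bot: the `updated` date in this hunk (`"2026-05-18"`) lags the commit date shown on this page (2026-05-20 22:51:20 +02:00) by two days, and the hunk changes only that field while the commit message says NK-WP-0006 moved to `status -> done`; the `status: done` that appears in the hunk header is unchanged context, not part of this change, so either the status flip lives in a hunk not shown here or it was already done before this commit. Worth confirming which, and bumping `updated` to the date of the actual edit so the frontmatter and commit history agree.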
@@ -59,6 +59,33 @@ Agent Human
Everything else — service secrets, rotation, re-injection — is agent work.
## NK-WP-0006 Runtime Secret Refinement
With OpenBao in the platform stack, the agent-driven bootstrap is the
handoff mechanism from bootstrap secrets to runtime secret authority.
The agent may generate, encrypt, inject, and verify initial secrets, but
OpenBao becomes the normal authority for platform and workload secret
delivery once the control plane is alive.
The bootstrap flow therefore has one additional boundary:
1. SOPS/age and the emergency bundle establish bootstrap and recovery
authority.
2. Kubernetes Secrets carry the minimum initial material needed to start
the identity, MFA, database, and OpenBao platform services.
3. OpenBao is initialized, unsealed or auto-unsealed by the approved
mechanism, audit logging is enabled, backups are verified, and
workload auth methods are configured.
4. Runtime workloads receive scoped secrets, dynamic credentials, or
synchronized Kubernetes Secrets from OpenBao. They do not consume
platform-root bootstrap material.
OpenBao root tokens, unseal keys, or recovery keys are break-glass
material. They must not be stored as ordinary tenant secrets or exposed
to tenant administrators. If they are included in an emergency bundle,
that bundle is platform-control-plane break-glass material and requires
the strongest storage and review procedure available for the deployment.
## Design
### What changes from NK-WP-0004
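Review bot: the unchanged context line immediately above the new section, "Everything else — service secrets, rotation, re-injection — is agent work.", now contradicts the section it introduces, which makes OpenBao "the normal authority for platform and workload secret delivery once the control plane is alive" and explicitly removes rotation from the bootstrap agent's scope. Suggest qualifying that sentence to the pre-handoff phase (for example "initial service secrets and injection are agent work; after step 3 below, rotation and delivery are OpenBao's") so NK-WP-0004 readers do not take rotation as an ongoing agent duty. Two smaller points in the same hunk: step 3 defers unsealing to "the approved mechanism" without naming it or pointing at where it is approved (the commit message places OpenBao rules in the credential-management standard v0.2, so a reference there would close the gap), and step 4's "synchronized Kubernetes Secrets from OpenBao" should state which namespaces and RBAC subjects may read the synchronized copies, since the break-glass paragraph only restricts root/unseal/recovery material and says nothing about tenant read access to synced runtime secrets.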