Clarify OpenBao rotation flow

2026-05-26 00:09:19 +02:00
parent 8520ae8d7d
commit d0c7ff9f3b
2 changed files with 15 additions and 2 deletions
@@ -1506,6 +1506,7 @@ def runbook_command_payloads(data: dict[str, Any]) -> list[dict[str, str]]:
rotate_init_command = interactive_token_command(
"bao operator rotate-keys -init -key-shares=3 -key-threshold=2"
)
rotate_status_command = interactive_token_command("bao operator rotate-keys -status")
rotate_submit_command = interactive_token_command(
'bao operator rotate-keys -nonce="$ROTATION_NONCE"',
prompt_nonce=True,
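Review bot: the new `rotate_status_command` routes `bao operator rotate-keys -status` through `interactive_token_command`, so the operator will be prompted for a root/sudo-capable token just to read rotation progress; confirm that a token is actually required for the status check, and if it is not, consider a non-prompting variant so that "check status" stays cheap for an operator who has just hit `rotation already in progress`. Style-wise, the sibling `rotate_init_command` and `rotate_submit_command` calls wrap their argument onto its own line while this one is kept on a single line; matching the surrounding layout would keep the three definitions visually parallel.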
@@ -1593,13 +1594,19 @@ def runbook_command_payloads(data: dict[str, Any]) -> list[dict[str, str]]:
),
action(
"Start unseal-key rotation",
"Generate a new 3-share, threshold-2 Shamir split. Requires an OpenBao token with root or sudo capability.",
"Run once to start a new 3-share, threshold-2 rotation. If rotation is already in progress, do not rerun init; check status and submit existing shares.",
rotate_init_command,
compromise_taint,
),
action(
"Check unseal-key rotation status",
"Inspect the active rotation without submitting a share. Use after init or when OpenBao says rotation is already in progress.",
rotate_status_command,
compromise_taint,
),
action(
"Submit current shares for rotation",
"Repeat by prompt until the required threshold completes. Enter the nonce from rotation init, then the token and share prompts.",
"Enter the nonce from rotation init, then token and existing unseal-share prompts. Repeat with distinct current shares until progress reaches the threshold.",
rotate_submit_command,
compromise_taint,
),
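Review bot: the rewritten description of the "Start unseal-key rotation" action drops the prerequisite that the old text carried ("Requires an OpenBao token with root or sudo capability"), so the UI no longer tells the operator which token to have ready before init prompts for it; suggest keeping that sentence, e.g. "Run once to start a new 3-share, threshold-2 rotation. Requires an OpenBao token with root or sudo capability. If rotation is already in progress, do not rerun init; check status and submit existing shares." The new "Check unseal-key rotation status" action reads well, but its description should say whether it prompts for a token, since it is built on `rotate_status_command` and the other two actions in this block do prompt.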
@@ -290,6 +290,12 @@ open an interactive pod TTY, prompt there for a root/sudo-capable OpenBao
token, keep the token out of the local command line, and then run rotate init,
share submission, or cancel.
**2026-05-26:** Added an explicit rotation-status action and clarified the
rotation flow after the operator successfully started rotate-keys and then hit
`rotation already in progress` by rerunning init. The UI now says init is a
run-once step and that the next step is checking status or submitting existing
shares with the nonce until quorum completes.
**2026-05-24:** Stepped back from ad hoc secret rollout and added the
custodian age-key bootstrap model to the control surface. The UI now records
the custodian public age recipient, a derived fingerprint, and a non-secret
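Review bot: the 2026-05-26 entry says shares are submitted "until quorum completes" while the UI strings changed in the same commit say "until progress reaches the threshold"; using one term (threshold, matching `-key-threshold=2` and the action text) in both places avoids sending the operator looking for a separate quorum setting. The entry also omits that the init description no longer states the root/sudo token requirement, so if that wording is dropped intentionally the changelog should say so, and if not, the UI text should be restored. Finally, the paragraph above still lists "rotate init, share submission, or cancel" as the available steps; now that a status action exists, that sentence should mention status as well so the two paragraphs do not disagree about what the control surface offers.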