From d0c7ff9f3bcdf3bed94225051c31539c9d8f5fcc Mon Sep 17 00:00:00 2001
From: tegwick
Date: Tue, 26 May 2026 00:09:19 +0200
Subject: [PATCH] Clarify OpenBao rotation flow

---
 .../security_bootstrap_console.py | 11 +++++++++--
 ...orm-root-custody-and-openbao-identity-bootstrap.md | 6 ++++++
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/tools/security-bootstrap-console/security_bootstrap_console.py b/tools/security-bootstrap-console/security_bootstrap_console.py
index 8f86cfc..97a978e 100755
--- a/tools/security-bootstrap-console/security_bootstrap_console.py
+++ b/tools/security-bootstrap-console/security_bootstrap_console.py
@@ -1506,6 +1506,7 @@ def runbook_command_payloads(data: dict[str, Any]) -> list[dict[str, str]]:
 rotate_init_command = interactive_token_command(
 "bao operator rotate-keys -init -key-shares=3 -key-threshold=2"
 )
+ rotate_status_command = interactive_token_command("bao operator rotate-keys -status")
 rotate_submit_command = interactive_token_command(
 'bao operator rotate-keys -nonce="$ROTATION_NONCE"',
 prompt_nonce=True,
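Review bot: The new `rotate_status_command` is wrapped in `interactive_token_command`, so a read-only status check prompts the operator for the same root/sudo-capable token that init and share submission use. If `bao operator rotate-keys -status` is served by an unauthenticated endpoint (upstream Vault's rekey status is, if I recall correctly), that prompt exposes a privileged token for no reason and trains operators to paste it reflexively; if the command genuinely needs the token, a short comment would pre-empt the question, e.g. `# -status requires the same root/sudo token as -init; keep it behind the TTY prompt`. Worth confirming against the OpenBao version actually deployed rather than inheriting the wrapper by analogy with the neighbouring commands. The enclosing `runbook_command_payloads` body starts and ends outside the hunk.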
@@ -1593,13 +1594,19 @@ def runbook_command_payloads(data: dict[str, Any]) -> list[dict[str, str]]:
 ),
 action(
 "Start unseal-key rotation",
- "Generate a new 3-share, threshold-2 Shamir split. Requires an OpenBao token with root or sudo capability.",
+ "Run once to start a new 3-share, threshold-2 rotation. If rotation is already in progress, do not rerun init; check status and submit existing shares.",
 rotate_init_command,
 compromise_taint,
 ),
+ action(
+ "Check unseal-key rotation status",
+ "Inspect the active rotation without submitting a share. Use after init or when OpenBao says rotation is already in progress.",
+ rotate_status_command,
+ compromise_taint,
+ ),
 action(
 "Submit current shares for rotation",
- "Repeat by prompt until the required threshold completes. Enter the nonce from rotation init, then the token and share prompts.",
+ "Enter the nonce from rotation init, then token and existing unseal-share prompts. Repeat with distinct current shares until progress reaches the threshold.",
 rotate_submit_command,
 compromise_taint,
 ),
diff --git a/workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md b/workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md
index e564355..e7398bc 100644
--- a/workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md
+++ b/workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md
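Review bot: The new status action tells the operator to check status when OpenBao reports a rotation already in progress, but neither the status nor the submit description says what to do if that rotation is not the one they started. The `$ROTATION_NONCE` passed to the submit command binds shares to a specific init, and the workplan text in this patch lists cancel alongside init and submission, so an operator who finds a nonce they did not generate should cancel rather than submit current unseal shares into a rotation of unknown origin. I would extend the status description to `"Inspect the active rotation without submitting a share. Confirm the nonce matches the init you ran; if it does not, cancel the rotation instead of submitting shares."`. The surrounding `runbook_command_payloads` body starts and ends outside the hunk.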
@@ -290,6 +290,12 @@ open an interactive pod TTY, prompt there for a root/sudo-capable OpenBao token, keep the token out of the local command line, and then run rotate init, share submission, or cancel. +**2026-05-26:** Added an explicit rotation-status action and clarified the +rotation flow after the operator successfully started rotate-keys and then hit +`rotation already in progress` by rerunning init. The UI now says init is a +run-once step and that the next step is checking status or submitting existing +shares with the nonce until quorum completes. + **2026-05-24:** Stepped back from ad hoc secret rollout and added the custodian age-key bootstrap model to the control surface. The UI now records the custodian public age recipient, a derived fingerprint, and a non-secret