Add OpenBao authenticated proof runbook
@@ -1849,6 +1849,12 @@ def runbook_command_payloads(data: dict[str, Any]) -> list[dict[str, str]]:
|
|||||||
audit_list_command = token_prompt_command("bao audit list")
|
audit_list_command = token_prompt_command("bao audit list")
|
||||||
secrets_list_command = token_prompt_command("bao secrets list")
|
secrets_list_command = token_prompt_command("bao secrets list")
|
||||||
auth_list_command = token_prompt_command("bao auth list")
|
auth_list_command = token_prompt_command("bao auth list")
|
||||||
|
authenticated_readiness_command = (
|
||||||
|
"make -C ../railiance-platform openbao-verify-authenticated\n\n"
|
||||||
|
"# If a previous attended OIDC login stored a still-valid token in the pod helper, use:\n"
|
||||||
|
"make -C ../railiance-platform openbao-verify-authenticated "
|
||||||
|
"OPENBAO_VERIFY_AUTH_ARGS=--use-token-helper"
|
||||||
|
)
|
||||||
platform_admin_token_command = token_prompt_command(
|
platform_admin_token_command = token_prompt_command(
|
||||||
"bao token create -policy=platform-admin -period=24h -orphan"
|
"bao token create -policy=platform-admin -period=24h -orphan"
|
||||||
)
|
)
|
||||||
@@ -1958,6 +1964,12 @@ def runbook_command_payloads(data: dict[str, Any]) -> list[dict[str, str]]:
|
|||||||
auth_list_command,
|
auth_list_command,
|
||||||
downstream_taint,
|
downstream_taint,
|
||||||
),
|
),
|
||||||
|
action(
|
||||||
|
"OpenBao authenticated readiness proof",
|
||||||
|
"Run the Railiance evidence-only verifier for file audit, platform secrets, Kubernetes auth, KeyCape auth, and audit-log write state. The default path prompts for a token without echoing it; the token-helper variant avoids local token movement when a valid pod helper token already exists.",
|
||||||
|
authenticated_readiness_command,
|
||||||
|
downstream_taint,
|
||||||
|
),
|
||||||
action(
|
action(
|
||||||
"Create platform-admin token",
|
"Create platform-admin token",
|
||||||
"Create a renewable 24-hour non-root OpenBao token with the platform-admin policy. The emitted token is secret; store it immediately through the approved operator secret path.",
|
"Create a renewable 24-hour non-root OpenBao token with the platform-admin policy. The emitted token is secret; store it immediately through the approved operator secret path.",
|
||||||
|
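Review bot: The `--use-token-helper` variant of `authenticated_readiness_command` reuses whatever token the pod helper currently holds, so the proof can silently run under a broader identity (up to `platform-root`, which the runbook elsewhere names as the expected path) than an evidence-only read needs, and nothing in the new action description asks the operator to record which identity produced the evidence. Since the verifier only lists audit devices, secrets engines and auth methods, the description should steer toward least privilege and attribution, e.g. append: `"Run it with the least-privileged token that can list audit, secrets and auth mounts; capture the token accessor and policies (bao token lookup) with the evidence so the proof is attributable."` — unless the make target already emits that, which is not visible here. Two smaller points: the sibling payloads are built through `token_prompt_command(...)` while this one is a raw string with an embedded `#` shell comment, so it is worth confirming the payload renderer treats it as shell text; and the `make -C ../railiance-platform` path presumes the runbook is executed from a sibling checkout, which the description could state. The enclosing `runbook_command_payloads` begins and ends outside both hunks.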
|||||||
@@ -165,6 +165,18 @@ remained ready. T02 remains open for the authenticated `bao audit list` proof,
|
|||||||
durable audit shipping beyond the audit PVC, restore-drill evidence, emergency
|
durable audit shipping beyond the audit PVC, restore-drill evidence, emergency
|
||||||
seal/unseal drill evidence, and the next independent escrow holder.
|
seal/unseal drill evidence, and the next independent escrow holder.
|
||||||
|
|
||||||
|
**2026-06-01:** Added a Railiance evidence-only helper for the authenticated
|
||||||
|
OpenBao proof: `make openbao-verify-authenticated` prompts for an approved
|
||||||
|
OpenBao token without echoing it and verifies `file/` audit visibility,
|
||||||
|
`platform/` secrets, `kubernetes/` auth, `keycape/` auth, and a non-empty audit
|
||||||
|
log without mutating OpenBao configuration. The helper can also reuse a
|
||||||
|
still-valid pod token helper with
|
||||||
|
`OPENBAO_VERIFY_AUTH_ARGS=--use-token-helper`, avoiding token movement through
|
||||||
|
the local shell. It is ready to run with the MFA-backed
|
||||||
|
`platform-root`/`platform-admin` path. Durable audit shipping remains open; the
|
||||||
|
audit PVC is not a durable sink and non-secret evidence hashes or State Hub
|
||||||
|
notes are not substitutes for retained audit log custody.
|
||||||
|
|
||||||
### T03 - Close Trial Taint And Retire Bootstrap Admin Paths
|
### T03 - Close Trial Taint And Retire Bootstrap Admin Paths
|
||||||
|
|
||||||
```task
|
```task
|
||||||
|
|||||||