Update OpenBao onboarding readiness handoff

This commit is contained in:
2026-05-29 02:11:02 +02:00
parent cac59a37c1
commit e04603779c

View File

@@ -8,7 +8,7 @@ status: active
owner: codex owner: codex
topic_slug: netkingdom topic_slug: netkingdom
created: "2026-05-26" created: "2026-05-26"
updated: "2026-05-26" updated: "2026-05-29"
depends_on: depends_on:
- NET-WP-0015 - NET-WP-0015
- NET-WP-0016 - NET-WP-0016
@@ -38,9 +38,10 @@ first non-root onboarding dry run must prove the lifecycle model.
exist. exist.
- The initial OpenBao root token is recorded as revoked. - The initial OpenBao root token is recorded as revoked.
- Trial unseal shares were rotated. - Trial unseal shares were rotated.
- The KeyCape `openbao-admin` client is live and verified. - The KeyCape `openbao-admin` client is live and verified, including the public
- OpenBao OIDC auth configuration and MFA-backed OpenBao admin login are still `https://kc.coulomb.social` route and certificate.
pending. - OpenBao OIDC auth configuration is applied; MFA-backed OpenBao admin login is
still pending.
- Declarative/durable audit handling, residual taint closeout, cleanup/rotation, - Declarative/durable audit handling, residual taint closeout, cleanup/rotation,
and the first ordinary-user onboarding dry run are still pending. and the first ordinary-user onboarding dry run are still pending.
@@ -66,6 +67,13 @@ The verification must prove the resulting OpenBao token has the intended
`platform-admin` policy without relying on the initial root token or a manually `platform-admin` policy without relying on the initial root token or a manually
minted temporary operator token. minted temporary operator token.
**2026-05-29:** DNS and ACME issuance for `kc.coulomb.social` are healthy:
cert-manager issued `kc-tls`, and `sso-mfa/k8s/keycape/verify-openbao-client.sh`
passes against the live KeyCape route. `configure-openbao-oidc.sh` has applied
the OpenBao `auth/keycape` OIDC configuration and `platform-admin` role. The
remaining T01 gate is the human browser login with MFA and a token lookup that
shows the expected OpenBao `platform-admin` policy.
### T02 - Close OpenBao Audit And Recovery Production Gates ### T02 - Close OpenBao Audit And Recovery Production Gates
```task ```task