generated from coulomb/repo-seed
Update OpenBao onboarding readiness handoff
This commit is contained in:
@@ -8,7 +8,7 @@ status: active
|
|||||||
owner: codex
|
owner: codex
|
||||||
topic_slug: netkingdom
|
topic_slug: netkingdom
|
||||||
created: "2026-05-26"
|
created: "2026-05-26"
|
||||||
updated: "2026-05-26"
|
updated: "2026-05-29"
|
||||||
depends_on:
|
depends_on:
|
||||||
- NET-WP-0015
|
- NET-WP-0015
|
||||||
- NET-WP-0016
|
- NET-WP-0016
|
||||||
@@ -38,9 +38,10 @@ first non-root onboarding dry run must prove the lifecycle model.
|
|||||||
exist.
|
exist.
|
||||||
- The initial OpenBao root token is recorded as revoked.
|
- The initial OpenBao root token is recorded as revoked.
|
||||||
- Trial unseal shares were rotated.
|
- Trial unseal shares were rotated.
|
||||||
- The KeyCape `openbao-admin` client is live and verified.
|
- The KeyCape `openbao-admin` client is live and verified, including the public
|
||||||
- OpenBao OIDC auth configuration and MFA-backed OpenBao admin login are still
|
`https://kc.coulomb.social` route and certificate.
|
||||||
pending.
|
- OpenBao OIDC auth configuration is applied; MFA-backed OpenBao admin login is
|
||||||
|
still pending.
|
||||||
- Declarative/durable audit handling, residual taint closeout, cleanup/rotation,
|
- Declarative/durable audit handling, residual taint closeout, cleanup/rotation,
|
||||||
and the first ordinary-user onboarding dry run are still pending.
|
and the first ordinary-user onboarding dry run are still pending.
|
||||||
|
|
||||||
@@ -66,6 +67,13 @@ The verification must prove the resulting OpenBao token has the intended
|
|||||||
`platform-admin` policy without relying on the initial root token or a manually
|
`platform-admin` policy without relying on the initial root token or a manually
|
||||||
minted temporary operator token.
|
minted temporary operator token.
|
||||||
|
|
||||||
|
**2026-05-29:** DNS and ACME issuance for `kc.coulomb.social` are healthy:
|
||||||
|
cert-manager issued `kc-tls`, and `sso-mfa/k8s/keycape/verify-openbao-client.sh`
|
||||||
|
passes against the live KeyCape route. `configure-openbao-oidc.sh` has applied
|
||||||
|
the OpenBao `auth/keycape` OIDC configuration and `platform-admin` role. The
|
||||||
|
remaining T01 gate is the human browser login with MFA and a token lookup that
|
||||||
|
shows the expected OpenBao `platform-admin` policy.
|
||||||
|
|
||||||
### T02 - Close OpenBao Audit And Recovery Production Gates
|
### T02 - Close OpenBao Audit And Recovery Production Gates
|
||||||
|
|
||||||
```task
|
```task
|
||||||
|
|||||||
Reference in New Issue
Block a user