feat: OpenBao unseal custody models — automation-first with blocked alternatives
Document three init/unseal custody paths; default sops-held-automation for fast rebuild cycles. Security bootstrap console lists models, blocks planned attended-ceremony and auto-unseal-transit with hints, and gates init ceremony on implemented selection. NET-WP-0020 tracks downstream SSH automation.
9
Makefile
9
Makefile
@@ -296,6 +296,15 @@ security-bootstrap-openbao-preflight: ## Show safe OpenBao preflight commands
|
||||
python3 tools/security-bootstrap-console/security_bootstrap_console.py openbao-preflight \
|
||||
--railiance-path ../railiance-platform
|
||||
|
||||
security-bootstrap-openbao-unseal-custody-models: ## List OpenBao unseal custody models and implementation status
|
||||
python3 tools/security-bootstrap-console/security_bootstrap_console.py openbao-unseal-custody-models
|
||||
|
||||
security-bootstrap-select-openbao-unseal-custody-model: security-bootstrap-metadata-init ## Select implemented unseal model (blocks planned): make ... MODEL=sops-held-automation
|
||||
python3 tools/security-bootstrap-console/security_bootstrap_console.py \
|
||||
--metadata "$(SECURITY_BOOTSTRAP_METADATA)" \
|
||||
select-openbao-unseal-custody-model \
|
||||
--model "$(if $(MODEL),$(MODEL),sops-held-automation)"
|
||||
|
||||
security-bootstrap-metadata-init: ## Create durable local non-secret bootstrap metadata if missing
|
||||
@mkdir -p "$$(dirname "$(SECURITY_BOOTSTRAP_METADATA)")"
|
||||
@if [[ -f "$(SECURITY_BOOTSTRAP_METADATA)" ]]; then \
|
||||
|
||||
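Review bot: The `--model "$(if $(MODEL),$(MODEL),sops-held-automation)"` line silently selects the automation custody model whenever MODEL is empty, so a misspelled variable on the command line (or a bare `make security-bootstrap-select-openbao-unseal-custody-model`) records a custody decision in the durable metadata without the operator ever naming it. Because this choice gates the init ceremony, it should be an explicit input: `--model "$(or $(MODEL),$(error MODEL is required, e.g. MODEL=sops-held-automation))"`, or at least echo the chosen model before invoking the console. The new targets on the `security-bootstrap-openbao-unseal-custody-models` and `security-bootstrap-select-openbao-unseal-custody-model` lines look like commands rather than files; the `.PHONY` list is outside this hunk, so confirm they are added there. The recipe of `security-bootstrap-metadata-init` also continues past the end of the hunk.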