coulomb/net-kingdom
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: OpenBao unseal custody models — automation-first with blocked alternatives

Browse Source 
Document three init/unseal custody paths; default sops-held-automation for
fast rebuild cycles. Security bootstrap console lists models, blocks planned
attended-ceremony and auto-unseal-transit with hints, and gates init ceremony
on implemented selection. NET-WP-0020 tracks downstream SSH automation.
This commit is contained in:
Bernd Worsch
2026-06-18 00:51:48 +02:00
parent da9debf431
commit f625dd0681
6 changed files with 460 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

94
workplans/NET-WP-0020-openbao-unseal-custody-and-ssh-automation.md Normal file
View File

@@ -0,0 +1,94 @@
---
id: NET-WP-0020
type: workplan
title: "OpenBao Unseal Custody Models and SSH Automation Path"
domain: net-kingdom
repo: net-kingdom
status: active
owner: codex
topic_slug: net-kingdom
created: "2026-06-17"
updated: "2026-06-17"
---
# NET-WP-0020 — OpenBao Unseal Custody Models and SSH Automation Path
**Scope:** Framework for three OpenBao init/unseal custody models; automation-first
development path; console decision points; downstream hooks for SSH engine and
host CA automation on greenfield 3-node bootstrap.
**Strategy:** Start with `sops-held-automation` for fast unattended test cycles;
add `attended-ceremony` and `auto-unseal-transit` with blocking gates as
production trust increases.
---
## Tasks
### T1 — Custody model canon and console gates
```task
id: NET-WP-0020-T01
status: done
priority: high
```
- [x] `docs/openbao-unseal-custody-models.md`
- [x] Console: list + select commands; gates block planned models
- [x] `smooth-bootstrap-guide.md` Step 5 update
- [x] Makefile targets
### T2 — SOPS-held init/unseal automation hooks
```task
id: NET-WP-0020-T02
status: todo
priority: high
```
- [ ] Extend `creds-bootstrap-agent.sh` for OpenBao init/unseal when sealed
- [ ] Non-secret evidence flags: `openbao_initialized`, `openbao_post_unseal_verified`
- [ ] Integrate with `make openbao-configure-initial` post-unseal
### T3 — Attended ceremony automation profile
```task
id: NET-WP-0020-T03
status: wait
priority: medium
```
- [ ] Implement `attended-ceremony` selection path (runbooks + evidence validators)
- [ ] Production profile blocks `sops-held-automation` default
**Blocked until:** T2 automation path proven on greenfield rebuild.
### T4 — Auto-unseal transit profile
```task
id: NET-WP-0020-T04
status: wait
priority: medium
```
- [ ] `railiance-platform` Helm seal stanza for transit/KMS
- [ ] Console gate + evidence for `auto-unseal-transit`
### T5 — SSH engine + host CA automation (cross-repo)
```task
id: NET-WP-0020-T05
status: todo
priority: high
```
- [ ] `railiance-platform`: `openbao-configure-ssh` declarative script
- [ ] `railiance-infra`: `bootstrap-ssh-ca` role + inventory sync
- [ ] Close `ops-warden` WP-0008 T2 verification gate
---
## See also
- `ops-warden/workplans/WARDEN-WP-0008-production-ssh-path-and-stewardship-closeout.md`
- `railiance-platform/docs/openbao.md`