---
id: NET-WP-0020
type: workplan
title: "OpenBao Unseal Custody Models and SSH Automation Path"
domain: net-kingdom
repo: net-kingdom
status: active
owner: codex
topic_slug: net-kingdom
created: "2026-06-17"
updated: "2026-06-18"
---

# NET-WP-0020 — OpenBao Unseal Custody Models and SSH Automation Path

**Scope:** Framework for three OpenBao init/unseal custody models; automation-first development path; console decision points; downstream hooks for SSH engine and host CA automation on the greenfield 3-node bootstrap.

**Strategy:** Start with `sops-held-automation` for fast unattended test cycles; add `attended-ceremony` and `auto-unseal-transit` behind blocking gates as production trust increases.

---

## Tasks

### T1 — Custody model canon and console gates

```task
id: NET-WP-0020-T01
status: done
priority: high
```

- [x] `docs/openbao-unseal-custody-models.md`
- [x] Console: list + select commands; gates block planned models
- [x] `smooth-bootstrap-guide.md` Step 5 update
- [x] Makefile targets

### T2 — SOPS-held init/unseal automation hooks

```task
id: NET-WP-0020-T02
status: todo
priority: high
```

- [ ] Extend `creds-bootstrap-agent.sh` to perform OpenBao init/unseal when the cluster is sealed
- [ ] Non-secret evidence flags: `openbao_initialized`, `openbao_post_unseal_verified`
- [ ] Integrate with `make openbao-configure-initial` post-unseal

### T3 — Attended ceremony automation profile

```task
id: NET-WP-0020-T03
status: wait
priority: medium
```

- [ ] Implement the `attended-ceremony` selection path (runbooks + evidence validators)
- [ ] Production profile blocks the `sops-held-automation` default

**Blocked until:** T2 automation path proven on a greenfield rebuild.

### T4 — Auto-unseal transit profile

```task
id: NET-WP-0020-T04
status: wait
priority: medium
```

- [ ] `railiance-platform` Helm seal stanza for transit/KMS
- [ ] Console gate + evidence for `auto-unseal-transit`

### T5 — SSH engine + host CA automation (cross-repo)

```task
id: NET-WP-0020-T05
status: done
priority: high
```

- [x] `railiance-platform`: `openbao-configure-ssh` declarative script + Makefile targets
- [x] `railiance-infra`: `bootstrap-ssh-ca` role + `ssh_principals.yaml` inventory
- [x] Live apply: OpenBao SSH engine + roles + `warden-sign` on Railiance (2026-06-18)
- [x] Live apply: `bootstrap-ssh-ca` on CoulombCore + Railiance01
- [x] Close `ops-warden` WP-0008 T2 verification gate

---

## See also

- `history/2026-06-17-openbao-ssh-custody-and-bootstrap-assessment.md` — state + concepts (read before T5)
- `ops-warden/workplans/WARDEN-WP-0008-production-ssh-path-and-stewardship-closeout.md`
- `railiance-platform/docs/openbao.md`