net-kingdom/docs/openbao-unseal-custody-models.md
tegwick f625dd0681 feat: OpenBao unseal custody models — automation-first with blocked alternatives
Document three init/unseal custody paths; default sops-held-automation for
fast rebuild cycles. Security bootstrap console lists models, blocks planned
attended-ceremony and auto-unseal-transit with hints, and gates init ceremony
on implemented selection. NET-WP-0020 tracks downstream SSH automation.
2026-06-18 00:51:48 +02:00

# OpenBao Unseal Custody Models

Date: 2026-06-17  
Status: framework — automation path active; production paths planned

NetKingdom bootstrap must support **three** OpenBao init/unseal custody models.
Development starts with **maximum automation** for fast test cycles, then adds
human custody gates as production trust increases.

This is separate from **king custody mode** (`temporary-single-king`,
`two-of-three-planned`, `two-of-three-ready`), which governs who holds platform
recovery authority. Unseal custody models govern **how init/unseal executes**
during bootstrap and rebuild.

---
## Models
| Model ID | Label | Custody strength | Automation | Status |
| --- | --- | --- | --- | --- |
| `sops-held-automation` | SOPS-held unseal | Lab / fast iteration | High | **Implemented** (console + creds agent path) |
| `attended-ceremony` | Attended ceremony | Production | Low | Planned |
| `auto-unseal-transit` | Auto-unseal (transit/KMS) | Production HA | High | Planned |
### `sops-held-automation` (default for greenfield dev)
- Init/unseal material lives in **SOPS/age** custody bundle (not Git plaintext).
- Applied by `sso-mfa/bootstrap/creds-bootstrap-agent.sh` and related `creds-apply`
tooling after cluster + OpenBao pod exist.
- Enables **unattended rebuild test cycles** on a 3-node slate.
- **Not** production trust posture — use to prove S1→S3→SSH engine automation,
then graduate to stronger models.
### `attended-ceremony` (production target)
- Human-attended `bao operator init`, out-of-band unseal share escrow, root token
retirement — per `railiance-platform/docs/openbao.md`.
- Matches first successful NetKingdom bootstrap (NET-WP-00150017).
- Console keeps **refuse-live-init** boundary; ceremony runbooks only.
### `auto-unseal-transit` (production HA target)
- OpenBao seal configuration uses **transit** or cloud KMS auto-unseal.
- Pod restart without manual unseal threshold ceremony.
- Requires `railiance-platform` Helm seal stanza + KMS provisioning.
---
## Development strategy
```text
1. Implement automation path (sops-held-automation)
→ SSH engine, warden sign, host CA trust, 3-node rebuild loops
2. Add attended-ceremony gates (block automation defaults in production profile)
3. Add auto-unseal-transit for HA ThreePhoenix rebuilds
```
Each model is selectable in the **security bootstrap console**. Unimplemented
models are **blocked** with a hint pointing to the active automation path.

---
## Console integration
```bash
# List models and implementation status
python3 tools/security-bootstrap-console/security_bootstrap_console.py \
openbao-unseal-custody-models
# Select active model (only implemented models succeed)
python3 tools/security-bootstrap-console/security_bootstrap_console.py \
select-openbao-unseal-custody-model \
--model sops-held-automation \
--metadata .local/security-bootstrap.json
# Status shows gate: "OpenBao unseal custody model"
make security-bootstrap-console # or: ... status --metadata .local/...
```
Metadata field: `openbao_unseal_custody_model`

---
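As an added illustration of the selection gate described in the two sections above (the Models table and the console commands), the following Python sketch is not the project's `security_bootstrap_console.py`; it shows the behaviour the doc specifies: listing models with their implementation status, refusing a planned model with a hint that points at the active automation path, and recording an implemented selection under `openbao_unseal_custody_model`. The model rows come from the table above; the flat-JSON layout of the metadata file, the exception name and the exact hint wording are assumptions.

```python
# Added illustration of the custody-model registry and selection gate; not the
# project's security_bootstrap_console.py. Model data is taken from the table
# above; the JSON layout of the metadata file is an assumption.
import json
import os
from dataclasses import dataclass
from pathlib import Path

METADATA_FIELD = "openbao_unseal_custody_model"   # field named in the doc
DEFAULT_MODEL = "sops-held-automation"            # the active automation path


@dataclass(frozen=True)
class CustodyModel:
    model_id: str
    label: str
    custody_strength: str
    automation: str
    implemented: bool


MODELS = {
    m.model_id: m
    for m in (
        CustodyModel("sops-held-automation", "SOPS-held unseal", "Lab / fast iteration", "High", True),
        CustodyModel("attended-ceremony", "Attended ceremony", "Production", "Low", False),
        CustodyModel("auto-unseal-transit", "Auto-unseal (transit/KMS)", "Production HA", "High", False),
    )
}


class BlockedModelError(Exception):
    """Raised when a planned-but-unimplemented model is selected."""


def list_models() -> list[dict]:
    """Rows for the console listing, one per model, with implementation status."""
    return [
        {
            "model_id": m.model_id,
            "label": m.label,
            "custody_strength": m.custody_strength,
            "automation": m.automation,
            "status": "implemented" if m.implemented else "planned",
        }
        for m in MODELS.values()
    ]


def _load_metadata(path: Path) -> dict:
    if not path.exists():
        return {}
    return json.loads(path.read_text())


def _write_metadata(path: Path, data: dict) -> None:
    # Write a sibling temp file and rename, so a crash never leaves a
    # half-written metadata file that a later gate check would trust.
    tmp = path.with_suffix(path.suffix + ".tmp")
    tmp.write_text(json.dumps(data, indent=2, sort_keys=True) + "\n")
    os.replace(tmp, path)


def select_model(model_id: str, metadata_path: Path) -> dict:
    """Gate: only implemented models are recorded; planned ones fail with a hint."""
    model = MODELS.get(model_id)
    if model is None:
        raise ValueError(f"unknown custody model {model_id!r}; known: {sorted(MODELS)}")
    if not model.implemented:
        raise BlockedModelError(
            f"{model_id} is planned, not implemented; "
            f"hint: select --model {DEFAULT_MODEL} (active automation path)"
        )
    metadata = _load_metadata(metadata_path)
    metadata[METADATA_FIELD] = model.model_id
    _write_metadata(metadata_path, metadata)
    return metadata


def gate_status(metadata_path: Path) -> str:
    """One status line for the 'OpenBao unseal custody model' gate."""
    selected = _load_metadata(metadata_path).get(METADATA_FIELD)
    if selected is None:
        return "OpenBao unseal custody model: not selected"
    model = MODELS.get(selected)
    if model is None or not model.implemented:
        # A stale or hand-edited metadata file must not pass the gate.
        return f"OpenBao unseal custody model: {selected} (INVALID, reselect)"
    return f"OpenBao unseal custody model: {selected} ({model.label})"


if __name__ == "__main__":
    for row in list_models():
        print(f"{row['model_id']:<22} {row['status']:<12} {row['label']}")
    path = Path(".local/security-bootstrap.json")
    path.parent.mkdir(parents=True, exist_ok=True)
    try:
        select_model("attended-ceremony", path)
    except BlockedModelError as err:
        print("blocked:", err)
    select_model(DEFAULT_MODEL, path)
    print(gate_status(path))
```

The gate check re-validates whatever is already in the metadata file rather than trusting it: a model id that is unknown or still planned reports as invalid, so editing `.local/security-bootstrap.json` by hand cannot unlock a path the console would refuse.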
## Automation chain (after model selected)
| Step | Owner | Target |
| --- | --- | --- |
| S1 OS baseline | railiance-infra | 3 nodes |
| S2 k3s HA | railiance-cluster | ThreePhoenix |
| S3 OpenBao deploy | railiance-platform | `make openbao-deploy` |
| Init/unseal apply | net-kingdom | `creds-bootstrap-agent.sh` (sops-held) |
| Platform config | railiance-platform | `openbao-configure-initial` |
| SSH engine | railiance-platform | `openbao-configure-ssh` (planned) |
| Host CA trust | railiance-infra | `bootstrap-ssh-ca` (planned) |
| Sign smoke | ops-warden | `warden sign` (WP-0008 T2) |
---
## Related docs
- `docs/smooth-bootstrap-guide.md` — Step 5 (OpenBao init/unseal)
- `docs/platform-root-custody.md` — king / quorum custody
- `railiance-platform/docs/openbao.md` — deploy and ceremony
- `ops-warden/wiki/OpenBaoSshEngineChecklist.md` — SSH engine verify
- `ops-warden/history/2026-06-17-openbao-production-verify.md` — current blockers