net-kingdom/workplans/NET-WP-0020-openbao-unseal-custody-and-ssh-automation.md

id: NET-WP-0020
type: workplan
title: OpenBao Unseal Custody Models and SSH Automation Path
domain: net-kingdom
repo: net-kingdom
status: active
owner: codex
topic_slug: net-kingdom
created: 2026-06-17
updated: 2026-06-18

NET-WP-0020 — OpenBao Unseal Custody Models and SSH Automation Path

Scope: Framework for three OpenBao init/unseal custody models; automation-first development path; console decision points; downstream hooks for SSH engine and host CA automation on greenfield 3-node bootstrap.

Strategy: Start with sops-held-automation for fast unattended test cycles; add attended-ceremony and auto-unseal-transit with blocking gates as production trust increases.
Tasks

T1 — Custody model canon and console gates

id: NET-WP-0020-T01
status: done
priority: high
  • docs/openbao-unseal-custody-models.md
  • Console: list and select commands; gates block selection of models that are still only planned
  • smooth-bootstrap-guide.md Step 5 update
  • Makefile targets

T2 — SOPS-held init/unseal automation hooks

id: NET-WP-0020-T02
status: todo
priority: high
  • Extend creds-bootstrap-agent.sh for OpenBao init/unseal when sealed
  • Non-secret evidence flags: openbao_initialized, openbao_post_unseal_verified
  • Integrate with make openbao-configure-initial post-unseal

T3 — Attended ceremony automation profile

id: NET-WP-0020-T03
status: wait
priority: medium
  • Implement attended-ceremony selection path (runbooks + evidence validators)
  • Production profile blocks the sops-held-automation default

Blocked until: T2 automation path proven on greenfield rebuild.

T4 — Auto-unseal transit profile

id: NET-WP-0020-T04
status: wait
priority: medium
  • railiance-platform Helm seal stanza for transit/KMS
  • Console gate + evidence for auto-unseal-transit

T5 — SSH engine + host CA automation (cross-repo)

id: NET-WP-0020-T05
status: done
priority: high
  • railiance-platform: openbao-configure-ssh declarative script + Makefile targets
  • railiance-infra: bootstrap-ssh-ca role + ssh_principals.yaml inventory
  • Live apply: OpenBao SSH engine + roles + warden-sign on Railiance (2026-06-18)
  • Live apply: bootstrap-ssh-ca on CoulombCore + Railiance01
  • Close ops-warden WP-0008 T2 verification gate

See also

  • history/2026-06-17-openbao-ssh-custody-and-bootstrap-assessment.md — state + concepts (read before T5)
  • ops-warden/workplans/WARDEN-WP-0008-production-ssh-path-and-stewardship-closeout.md
  • railiance-platform/docs/openbao.md