generated from coulomb/repo-seed
---
id: NET-WP-0020
type: workplan
title: "OpenBao Unseal Custody Models and SSH Automation Path"
domain: net-kingdom
repo: net-kingdom
status: active
owner: codex
topic_slug: net-kingdom
created: "2026-06-17"
updated: "2026-06-18"
---

# NET-WP-0020 — OpenBao Unseal Custody Models and SSH Automation Path

**Scope:** Framework for three OpenBao init/unseal custody models; automation-first
development path; console decision points; downstream hooks for SSH engine and
host CA automation on greenfield 3-node bootstrap.

**Strategy:** Start with `sops-held-automation` for fast unattended test cycles;
add `attended-ceremony` and `auto-unseal-transit` with blocking gates as
production trust increases.

---

## Tasks

### T1 — Custody model canon and console gates

```task
id: NET-WP-0020-T01
status: done
priority: high
```

- [x] `docs/openbao-unseal-custody-models.md`
- [x] Console: list + select commands; gates block selection of models that are still planned
- [x] `smooth-bootstrap-guide.md` Step 5 update
- [x] Makefile targets

### T2 — SOPS-held init/unseal automation hooks

```task
id: NET-WP-0020-T02
status: todo
priority: high
```

- [ ] Extend `creds-bootstrap-agent.sh` to run OpenBao init (when uninitialized) and unseal (when sealed)
- [ ] Non-secret evidence flags: `openbao_initialized`, `openbao_post_unseal_verified`
- [ ] Integrate with `make openbao-configure-initial` post-unseal
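The T2 hook in working form, as an added example that is not the repo's `creds-bootstrap-agent.sh` or any other `net-kingdom` code. It classifies `bao status -format=json` output, initialises once and pipes the shares and root token straight into a SOPS-encrypted file, unseals with exactly the threshold `t` that `bao status` reports, and records only the two non-secret evidence flags named above. Assumed (not in the workplan): the `bao`, `sops` and `jq` binaries, `BAO_ADDR` pointing at the node, a `.sops.yaml` creation rule covering `secrets/openbao-init.sops.json`, an `evidence/openbao.env` key=value file, and the `OPENBAO_BOOTSTRAP_APPLY` guard variable.

```shell
#!/usr/bin/env bash
# Added example, not the repository's creds-bootstrap-agent.sh.
# Assumptions: bao/sops/jq on PATH, BAO_ADDR set, a .sops.yaml rule for
# OPENBAO_INIT_SOPS, evidence file is plain key=value (hypothetical layout).
set -eu

OPENBAO_INIT_SOPS="${OPENBAO_INIT_SOPS:-secrets/openbao-init.sops.json}"  # encrypted `bao operator init` JSON
OPENBAO_EVIDENCE="${OPENBAO_EVIDENCE:-evidence/openbao.env}"              # non-secret flags only
KEY_SHARES="${KEY_SHARES:-5}"
KEY_THRESHOLD="${KEY_THRESHOLD:-3}"

# Classify `bao status -format=json` output as uninitialized | sealed | unsealed.
# Pure string matching, so it works on the raw JSON without jq.
openbao_state() {
  json=$(printf '%s' "$1" | tr -d ' \n\t\r')
  case "$json" in
    *'"initialized":false'*) echo uninitialized ;;
    *'"sealed":true'*)       echo sealed ;;
    *'"sealed":false'*)      echo unsealed ;;
    *) echo "unrecognised bao status: $1" >&2; return 1 ;;
  esac
}

# Threshold "t" from `bao status`; the number of shares to feed to unseal.
unseal_threshold() {
  printf '%s' "$1" | tr -d ' \n\t\r' | sed -n 's/.*"t":\([0-9]\{1,\}\).*/\1/p'
}

# Record one non-secret evidence flag; a re-run overwrites rather than duplicates.
write_evidence() {
  file="$1"; key="$2"; value="$3"
  mkdir -p "$(dirname "$file")"
  touch "$file"
  tmp=$(mktemp)
  grep -v "^${key}=" "$file" > "$tmp" || true
  printf '%s=%s\n' "$key" "$value" >> "$tmp"
  mv "$tmp" "$file"
}

evidence_value() {
  sed -n "s/^$2=//p" "$1"
}

# Initialise once; shares and root token go straight into SOPS, never to plaintext disk.
openbao_init_to_sops() {
  bao operator init -key-shares="$KEY_SHARES" -key-threshold="$KEY_THRESHOLD" -format=json \
    | sops --encrypt --input-type json --output-type json /dev/stdin > "$OPENBAO_INIT_SOPS"
  write_evidence "$OPENBAO_EVIDENCE" openbao_initialized true
}

# Feed exactly `t` shares from the SOPS-held init output.
openbao_unseal_from_sops() {
  sops --decrypt "$OPENBAO_INIT_SOPS" | jq -r '.unseal_keys_b64[]' | head -n "$1" \
    | while IFS= read -r share; do bao operator unseal "$share" > /dev/null; done
}

# Evidence is written only after the node itself reports unsealed.
openbao_post_unseal_verify() {
  [ "$(openbao_state "$(bao status -format=json)")" = unsealed ] || return 1
  write_evidence "$OPENBAO_EVIDENCE" openbao_post_unseal_verified true
}

main() {
  status=$(bao status -format=json || true)   # bao exits 2 while sealed; keep the JSON
  state=$(openbao_state "$status")
  if [ "$state" = uninitialized ]; then
    openbao_init_to_sops
    status=$(bao status -format=json || true)
    state=$(openbao_state "$status")
  fi
  if [ "$state" = sealed ]; then
    openbao_unseal_from_sops "$(unseal_threshold "$status")"
  fi
  openbao_post_unseal_verify
}

# Act only under an explicit apply flag so the helpers can be sourced and tested.
if [ "${OPENBAO_BOOTSTRAP_APPLY:-0}" = 1 ]; then main; fi
```

Run it as `OPENBAO_BOOTSTRAP_APPLY=1 BAO_ADDR=https://... ./openbao-unseal-step.sh` on each rebuild; it is safe to repeat because every branch checks live state first. The root token stays inside the SOPS file, so a `make openbao-configure-initial` hook would read it with `sops -d secrets/openbao-init.sops.json | jq -r .root_token` rather than from the evidence file, which deliberately never carries secrets.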

### T3 — Attended ceremony automation profile

```task
id: NET-WP-0020-T03
status: wait
priority: medium
```

- [ ] Implement `attended-ceremony` selection path (runbooks + evidence validators)
- [ ] Production profile blocks `sops-held-automation` as the default

**Blocked until:** T2 automation path proven on greenfield rebuild.

### T4 — Auto-unseal transit profile

```task
id: NET-WP-0020-T04
status: wait
priority: medium
```

- [ ] `railiance-platform` Helm seal stanza for transit/KMS
- [ ] Console gate + evidence for `auto-unseal-transit`

### T5 — SSH engine + host CA automation (cross-repo)

```task
id: NET-WP-0020-T05
status: done
priority: high
```

- [x] `railiance-platform`: `openbao-configure-ssh` declarative script + Makefile targets
- [x] `railiance-infra`: `bootstrap-ssh-ca` role + `ssh_principals.yaml` inventory
- [x] Live apply: OpenBao SSH engine + roles + `warden-sign` on Railiance (2026-06-18)
- [x] Live apply: `bootstrap-ssh-ca` on CoulombCore + Railiance01
- [x] Close `ops-warden` WP-0008 T2 verification gate

---

## See also

- `history/2026-06-17-openbao-ssh-custody-and-bootstrap-assessment.md` — state + concepts (read before T5)
- `ops-warden/workplans/WARDEN-WP-0008-production-ssh-path-and-stewardship-closeout.md`
- `railiance-platform/docs/openbao.md`