T2: greenfield live proof against a fresh uninitialized OpenBao 2.5.5 — caught and fixed 'bao operator unseal -' not reading stdin (now 'bao write sys/unseal key=-'); init and reseal-replay paths proven. T3: attended-ceremony selectable — runbook, non-secret ceremony-record template + validator, and a lab/production deployment profile that blocks sops-held-automation in console selection, gates, and the init script. T4: console gate + evidence flags for auto-unseal-transit (Helm seal stanza prepared in railiance-platform). Also: SCOPE.md refreshed to current repo state; adhoc fix for the broken check-secrets Make target (unescaped $). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
5.8 KiB
id, type, title, domain, repo, status, owner, topic_slug, created, updated, state_hub_workstream_id
| id | type | title | domain | repo | status | owner | topic_slug | created | updated | state_hub_workstream_id |
|---|---|---|---|---|---|---|---|---|---|---|
| NET-WP-0020 | workplan | OpenBao Unseal Custody Models and SSH Automation Path | infotech | net-kingdom | finished | codex | net-kingdom | 2026-06-17 | 2026-07-02 | d6338ac9-797d-4009-8203-4b8dd39010af |
NET-WP-0020 — OpenBao Unseal Custody Models and SSH Automation Path
Scope: Framework for three OpenBao init/unseal custody models; automation-first development path; console decision points; downstream hooks for SSH engine and host CA automation on greenfield 3-node bootstrap.
Strategy: Start with sops-held-automation for fast unattended test cycles;
add attended-ceremony and auto-unseal-transit with blocking gates as
production trust increases.
Tasks
T1 — Custody model canon and console gates
id: NET-WP-0020-T01
status: done
priority: high
state_hub_task_id: "7040f347-d54a-42ba-a14f-5b0a7e691786"
docs/openbao-unseal-custody-models.md- Console: list + select commands; gates block planned models
smooth-bootstrap-guide.mdStep 5 update- Makefile targets
T2 — SOPS-held init/unseal automation hooks
id: NET-WP-0020-T02
status: done
priority: high
state_hub_task_id: "65407eb1-9d89-4158-aed5-4987badd83fc"
- SOPS-held init/unseal automation:
sso-mfa/bootstrap/openbao-init-unseal.sh(make openbao-init-unseal/openbao-init-unseal-dry-run) - Non-secret evidence flags:
openbao_initialized,openbao_post_unseal_verified(emitted on the script'sEVIDENCEJSON line) - Integrate with
make openbao-configure-initialpost-unseal (OPENBAO_RUN_CONFIGURE_INITIAL=1chains it; default prints the handoff hint) - Wire the helper as an optional phase inside
creds-bootstrap-agent.sh(Phase 7b, reviewed and approved by Bernd 2026-07-02: runs only when theopenbaonamespace exists, skips when already verified, sets the twocreds-state.yamlflags, encrypts + commits new init material, and a custody-gate refusal warns without aborting the SSO/MFA bootstrap — dry-run/skip/refusal paths harness-tested) - Greenfield live proof: full init→unseal→verify path proven 2026-07-02
against a genuinely uninitialized local OpenBao 2.5.5 (kubectl-exec shim,
script logic unmodified) — see
history/2026-07-02-openbao-greenfield-init-unseal-proof.md. The proof caught and fixed a real bug:bao operator unseal -does not read stdin; nowbao write sys/unseal key=-(shares still never in argv/logs). Restart/ reseal replay path proven too. The first 3-node rebuild slate re-runs the same script via Phase 7b.
2026-07-02 (later): Bernd reviewed the helper design (five safety
properties incl. the root-token-in-bundle caveat of the sops-held model) and
approved the Phase 7b wiring as proposed. Applied, bash -n clean, all three
conditional paths verified by harness. Pre-existing note: the agent's Phase 0
cannot dry-run on machines without the age key — unrelated to this change.
Remaining T02 item is only the greenfield live proof.
2026-07-02: Helper implemented and smoke-tested: dry-run against the live
cluster passed the custody gate (sops-held-automation selected) and read
initialized=true sealed=false; negative tests proved refusal for unselected
and attended-ceremony models. Init material is written only into
secrets/openbao/ for age custody; unseal shares travel stdin-to-stdin and
never appear in argv or logs.
T3 — Attended ceremony automation profile
id: NET-WP-0020-T03
status: done
priority: medium
state_hub_task_id: "34f3d979-a040-49ca-bfcb-35cf17473a06"
- Implement
attended-ceremonyselection path (runbooks + evidence validators) - Production profile blocks
sops-held-automationdefault
2026-07-02: Model selectable in the console; runbook at
docs/openbao-attended-ceremony-runbook.md; non-secret ceremony record
template + validate-openbao-ceremony-record validator (refuses secret
markers/placeholders). New deployment_profile metadata (lab/production,
select-deployment-profile): production blocks sops-held-automation in
selection, status gates, and openbao-init-unseal.sh. Console refuse-live-init
boundary unchanged. Covered by console test suite (14 passing) + CLI smoke.
T4 — Auto-unseal transit profile
id: NET-WP-0020-T04
status: done
priority: medium
state_hub_task_id: "54ab6505-c13b-4f63-8c94-07dd202de90a"
railiance-platformHelm seal stanza for transit/KMS- Console gate + evidence for
auto-unseal-transit
2026-07-02: Commented-out seal "transit" stanza (disabled by default;
token via extraSecretEnvironmentVars, never Git) in
railiance-platform/helm/openbao-values.yaml plus an "Auto-Unseal via Transit
Seal" section in railiance-platform/docs/openbao.md (enable → -migrate →
pod-restart proof). Console: model selectable; init gate stays blocked until
openbao_transit_seal_configured and openbao_auto_unseal_verified are set.
Live transit/KMS provisioning is future ops work on the HA rebuild, gated by
that evidence.
T5 — SSH engine + host CA automation (cross-repo)
id: NET-WP-0020-T05
status: done
priority: high
state_hub_task_id: "399e82ca-6551-4020-8db5-c78076e75cfc"
railiance-platform:openbao-configure-sshdeclarative script + Makefile targetsrailiance-infra:bootstrap-ssh-carole +ssh_principals.yamlinventory- Live apply: OpenBao SSH engine + roles +
warden-signon Railiance (2026-06-18) - Live apply:
bootstrap-ssh-caon CoulombCore + Railiance01 - Close
ops-wardenWP-0008 T2 verification gate
See also
history/2026-06-17-openbao-ssh-custody-and-bootstrap-assessment.md— state + concepts (read before T5)ops-warden/workplans/WARDEN-WP-0008-production-ssh-path-and-stewardship-closeout.mdrailiance-platform/docs/openbao.md