WARDEN-WP-0005: OpenBao-first documentation alignment

Document OpenBao as the platform production secrets service while keeping
the vault-compatible warden.yaml config shape. Update OpsWardenConfig,
SCOPE, and CertCommandInterface cross-references.
2026-06-17 07:36:13 +02:00
parent 9514ad914e
commit 15bf8cb543
4 changed files with 193 additions and 34 deletions


@@ -14,8 +14,9 @@ SSH certificate for a named actor. The caller passes the cert to the SSH process
the actor's private key.
This interface is intentionally tool-agnostic: the caller (`ops-bridge`, a script, a CI
pipeline) does not need to know whether the CA is a local file or HashiCorp Vault. Any
command that writes a cert to stdout and exits 0 satisfies the contract.
pipeline) does not need to know whether the CA is a local file, OpenBao, or another
Vault-compatible SSH secrets engine. Any command that writes a cert to stdout and exits 0
satisfies the contract.
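Review bot: the rewritten sentence drops HashiCorp Vault by name, even though the commit message says the warden.yaml config shape stays vault-compatible and the new wording only says "OpenBao, or another Vault-compatible SSH secrets engine"; consider naming Vault explicitly in that list (for example "a local file, OpenBao, HashiCorp Vault, or another Vault-compatible SSH secrets engine") so readers still running Vault can see they are covered by the same contract. Also, "Vault-compatible" here and "vault-compatible" in the commit message should use one capitalization.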
---
@@ -30,7 +31,7 @@ warden sign <actor-name> --pubkey <path/to/actor.pub>
Or any equivalent shell command:
```
vault write -field=signed_key ssh/sign/agt-role public_key=@/tmp/key.pub
bao write -field=signed_key ssh/sign/agt-role public_key=@/tmp/key.pub
ssh-keygen -s /path/to/ca -I agt-test -n agt-task -V +24h /tmp/key.pub && cat /tmp/key-cert.pub
```
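Review bot: the hunk swaps the `vault write -field=signed_key ssh/sign/agt-role ...` example for the `bao write` form rather than keeping both; since the interface text above presents the backend as tool-agnostic and Vault-compatible engines in general, consider keeping the `vault write` line alongside `bao write` (or adding a sentence that the two CLIs take the same arguments for this call) so the example does not read as OpenBao-only. The `ssh-keygen` line is unchanged and still documents the local-file CA path, which matches the "local file" option in the interface description.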