docs(WP-0008): record NET-WP-0020 T5 artifacts and operator apply steps

T2 remains wait until railiance-platform configure-ssh and railiance-infra
bootstrap-ssh-ca run against the live cluster.
This commit is contained in:
2026-06-18 01:06:43 +02:00
parent 457d49b677
commit 2d0f47324d
2 changed files with 28 additions and 7 deletions

View File

@@ -88,12 +88,33 @@ ops-warden signs either way; **hosts only accept certs from CAs they trust**.
---
## NET-WP-0020 T5 artifacts (2026-06-18)
Automation is implemented; live cluster apply is the remaining gate.
| Artifact | Repo | Status |
| --- | --- | --- |
| `openbao/ssh/roles-spec.yaml` | railiance-platform | Ready |
| `openbao/policies/warden-sign.hcl` | railiance-platform | Ready |
| `scripts/openbao-apply-ssh-engine.sh` | railiance-platform | Ready (`--dry-run` OK) |
| `scripts/openbao-verify-ssh-engine.sh` | railiance-platform | Ready |
| `make openbao-configure-ssh` / `openbao-verify-ssh` | railiance-platform | Ready |
| `ansible/roles/ssh_ca_host` + `bootstrap-ssh-ca.yaml` | railiance-infra | Ready |
| `ansible/inventory/ssh_principals.yaml` | railiance-infra | Ready (synced with warden principals) |
| `make bootstrap-ssh-ca` | railiance-infra | Ready |
Live cluster check (2026-06-18): OpenBao initialized and unsealed; `ssh/` mount,
roles, and `warden-sign` policy **not yet applied** (no operator token in session).
---
## Recommended next operator steps
1. ~~Create production `warden.yaml`~~ — done on workstation.
2. **Enable OpenBao SSH engine** + roles (`wiki/OpenBaoSshEngineChecklist.md`).
3. **Decide migration path** (A/B/C above) with `railiance-infra`.
4. `bao login` in WSL → `export VAULT_TOKEN=...``warden sign` smoke test.
2. **Apply SSH engine automation**`railiance-platform/docs/openbao.md` § SSH Secrets Engine:
`OPENBAO_TOKEN_FILE=~/.local/openbao/platform-admin.token make openbao-configure-ssh`
3. **Deploy host CA trust**`make bootstrap-ssh-ca SSH_CA_PUBKEY=/tmp/openbao-ssh-ca.pub` (path A migration).
4. Create `warden-sign` token → `export VAULT_TOKEN=...``warden sign` smoke test.
5. Enable `policy.enabled: true` only after flex-auth policies exist.
---