generated from coulomb/repo-seed
docs: add interhub bootstrap access lane
This commit is contained in:
3
SCOPE.md
3
SCOPE.md
@@ -57,6 +57,8 @@ backend is in use.
|
|||||||
- `ops-bridge` needs a `cert_command` to be defined for a tunnel
|
- `ops-bridge` needs a `cert_command` to be defined for a tunnel
|
||||||
- Adding a new actor to the principals inventory
|
- Adding a new actor to the principals inventory
|
||||||
- Bootstrapping the CA for a new environment
|
- Bootstrapping the CA for a new environment
|
||||||
|
- Reaching a trusted execution host for attended Inter-Hub bootstrap work with
|
||||||
|
a short-lived agent certificate
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
@@ -123,6 +125,7 @@ keywords: [ssh, certificate, ca, credential, warden, ops-warden, pki, vault]
|
|||||||
- Start with: `SCOPE.md` (this file), then `wiki/AccessManagementDirective.md`
|
- Start with: `SCOPE.md` (this file), then `wiki/AccessManagementDirective.md`
|
||||||
- Config reference: `wiki/OpsWardenConfig.md`
|
- Config reference: `wiki/OpsWardenConfig.md`
|
||||||
- cert_command contract: `wiki/CertCommandInterface.md`
|
- cert_command contract: `wiki/CertCommandInterface.md`
|
||||||
|
- Inter-Hub bootstrap access lane: `wiki/InterHubBootstrapAccessLane.md`
|
||||||
- Config files: `~/.config/warden/warden.yaml`, `~/.config/warden/inventory.yaml`
|
- Config files: `~/.config/warden/warden.yaml`, `~/.config/warden/inventory.yaml`
|
||||||
- State: `~/.local/state/warden/` (certs, generated keypairs)
|
- State: `~/.local/state/warden/` (certs, generated keypairs)
|
||||||
- Entry point: `warden --help`
|
- Entry point: `warden --help`
|
||||||
|
|||||||
126
wiki/InterHubBootstrapAccessLane.md
Normal file
126
wiki/InterHubBootstrapAccessLane.md
Normal file
@@ -0,0 +1,126 @@
|
|||||||
|
# Inter-Hub Bootstrap Access Lane
|
||||||
|
|
||||||
|
Date: 2026-06-17
|
||||||
|
|
||||||
|
## Purpose
|
||||||
|
|
||||||
|
This runbook describes how ops-warden participates in authenticated Inter-Hub
|
||||||
|
bootstrap tasks, especially the ops-hub production activation lane tracked by
|
||||||
|
`CUST-WP-0049`.
|
||||||
|
|
||||||
|
ops-warden does not store Inter-Hub API keys. Its role is to issue short-lived
|
||||||
|
SSH certificates for a narrow actor so an operator or agent can reach a trusted
|
||||||
|
execution host without introducing static SSH keys into the workflow.
|
||||||
|
|
||||||
|
## Boundary
|
||||||
|
|
||||||
|
ops-warden owns:
|
||||||
|
|
||||||
|
- actor registration
|
||||||
|
- short-lived certificate issuance
|
||||||
|
- TTL and principal policy
|
||||||
|
- `ops-ssh-wrapper` usage
|
||||||
|
|
||||||
|
ops-warden does not own:
|
||||||
|
|
||||||
|
- Inter-Hub operator key storage
|
||||||
|
- OpenBao policy or secret paths
|
||||||
|
- host-side `/etc/ssh/auth_principals/` deployment
|
||||||
|
- force-command wrappers
|
||||||
|
- database migrations or Kubernetes access
|
||||||
|
|
||||||
|
Those host-side controls belong to `railiance-infra` or the relevant
|
||||||
|
deployment repo. Long-lived secret custody belongs in OpenBao or the approved
|
||||||
|
operator secret store.
|
||||||
|
|
||||||
|
## Actor Pattern
|
||||||
|
|
||||||
|
Use a dedicated `agt` actor for Codex-assisted bootstrap work:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
warden inventory add agt-codex-interhub-bootstrap \
|
||||||
|
--type agt \
|
||||||
|
--principal agt-interhub-bootstrap \
|
||||||
|
--ttl 2 \
|
||||||
|
--description "Short-lived agent access for attended Inter-Hub bootstrap execution"
|
||||||
|
```
|
||||||
|
|
||||||
|
Guidance:
|
||||||
|
|
||||||
|
- Prefer a 1-2 hour TTL for attended bootstrap.
|
||||||
|
- Keep the principal narrower than general ops access.
|
||||||
|
- Do not reuse human `adm` actors for agent-assisted bootstrap runs.
|
||||||
|
- Remove or disable the actor after the bootstrap lane is no longer needed.
|
||||||
|
|
||||||
|
## Execution Shape
|
||||||
|
|
||||||
|
The intended flow is:
|
||||||
|
|
||||||
|
1. Operator approves the production bootstrap run.
|
||||||
|
2. ops-warden signs a short-lived cert for `agt-codex-interhub-bootstrap`.
|
||||||
|
3. The target host accepts only the narrow `agt-interhub-bootstrap` principal.
|
||||||
|
4. Host-side policy maps that principal to a force-command or wrapper that can
|
||||||
|
run only the Inter-Hub bootstrap routine.
|
||||||
|
5. The wrapper reads the Inter-Hub operator key from OpenBao or an attended
|
||||||
|
`0600` temp file.
|
||||||
|
6. The wrapper runs the repo-owned bootstrap command, for example
|
||||||
|
`make interhub-bootstrap` in `ops-hub`.
|
||||||
|
7. Any generated runtime key is stored back into OpenBao immediately.
|
||||||
|
8. The wrapper prints non-secret evidence only: ids, status, timestamps, and
|
||||||
|
key prefixes.
|
||||||
|
|
||||||
|
Example client-side wrapper use:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
WARDEN_ACTOR=agt-codex-interhub-bootstrap \
|
||||||
|
SSH_PUBKEY="$HOME/.ssh/id_ed25519.pub" \
|
||||||
|
ops-ssh-wrapper ssh ops-bootstrap@<trusted-host> run-ops-hub-interhub-bootstrap
|
||||||
|
```
|
||||||
|
|
||||||
|
The exact remote command and host account are environment-specific and should
|
||||||
|
be provisioned by the deployment repo.
|
||||||
|
|
||||||
|
## Host-Side Requirements
|
||||||
|
|
||||||
|
Before this lane can be used in production, railiance-infra or the deployment
|
||||||
|
owner should provide:
|
||||||
|
|
||||||
|
- an auth principals entry for `agt-interhub-bootstrap`
|
||||||
|
- password auth disabled for the target account
|
||||||
|
- a force-command or restricted wrapper for the bootstrap path
|
||||||
|
- OpenBao read access for the Inter-Hub operator key, if unattended material
|
||||||
|
access is approved
|
||||||
|
- OpenBao write access for the generated ops-hub runtime key
|
||||||
|
- non-secret execution logging
|
||||||
|
|
||||||
|
Without those controls, use only an attended local `IHUB_OPERATOR_KEY_FILE`
|
||||||
|
run.
|
||||||
|
|
||||||
|
## Non-Secret Evidence
|
||||||
|
|
||||||
|
Safe evidence to copy into State Hub:
|
||||||
|
|
||||||
|
- workplan id and task id
|
||||||
|
- Inter-Hub base URL
|
||||||
|
- hub id and slug
|
||||||
|
- manifest id and status
|
||||||
|
- API consumer id
|
||||||
|
- runtime key prefix
|
||||||
|
- widget counts
|
||||||
|
- event id and event type
|
||||||
|
|
||||||
|
Never log:
|
||||||
|
|
||||||
|
- full operator keys
|
||||||
|
- full runtime API keys
|
||||||
|
- OpenBao tokens
|
||||||
|
- kubeconfig contents
|
||||||
|
- raw SQL output that could include secrets
|
||||||
|
|
||||||
|
## Related Work
|
||||||
|
|
||||||
|
- `the-custodian/workplans/CUST-WP-0049-interhub-bootstrap-access-lane.md`
|
||||||
|
- `ops-hub/docs/bootstrap-runbook.md`
|
||||||
|
- `wiki/AccessManagementDirective.md`
|
||||||
|
- `wiki/OpsWardenConfig.md`
|
||||||
|
- `wiki/CertCommandInterface.md`
|
||||||
Reference in New Issue
Block a user