diff --git a/history/2026-06-17-openbao-production-verify.md b/history/2026-06-17-openbao-production-verify.md index 6768ecc..a3ca12c 100644 --- a/history/2026-06-17-openbao-production-verify.md +++ b/history/2026-06-17-openbao-production-verify.md 
@@ -47,24 +47,54 @@ See `wiki/OpenBaoSshEngineChecklist.md` for the step-by-step checklist. --- +## Operator session (2026-06-17) — WP-0008 T2 + +| Check | Result | +| --- | --- | +| `warden.yaml` + `inventory.yaml` on workstation | Done (operator) | +| Test keypair `agt-state-hub-bridge_ed25519` | Done (operator) | +| OpenBao UI login | `netkingdom` / `platform-admin` — OK | +| **`ssh/` secrets engine** | **Not enabled** — confirmed by operator | +| Legacy SSH | Predates OpenBao and ops-warden (file/static-key era) | + +**Conclusion:** T2 cannot complete until the OpenBao SSH engine is bootstrapped +and host trust is planned (see migration paths below). Token and warden config +are not the blocker. + +--- + ## Blockers for end-to-end `warden sign` -| Blocker | Owner | Notes | +| Blocker | Owner | Status | | --- | --- | --- | -| No `~/.config/warden/warden.yaml` on dev workstation | Operator | Point `vault.addr` at `https://bao.coulomb.social` | -| No scoped `VAULT_TOKEN` in session | Operator | OIDC login via KeyCape / `bao login` | -| SSH engine roles may not be provisioned | `railiance-platform` | Run checklist in `wiki/OpenBaoSshEngineChecklist.md` | -| flex-auth policy package for `ssh-certificate` | `flex-auth` | Out of scope for WP-0007; gate is opt-in | +| SSH secrets engine not mounted | `railiance-platform` / operator | **Confirmed missing** | +| Host `TrustedUserCAKeys` for OpenBao SSH CA | `railiance-infra` | Not started (legacy CA on hosts today) | +| Workstation `warden.yaml` | Operator | Done | +| Scoped `VAULT_TOKEN` in shell | Operator | UI login OK; CLI `bao login` still needed for `warden` | +| flex-auth `ssh-certificate` policies | `flex-auth` | Future (T5) | + +--- + +## Migration paths (legacy SSH → OpenBao SSH engine) + +| Path | When | Host impact | +| --- | --- | --- | +| **A — New OpenBao CA** | Greenfield or willing to rotate trust | OpenBao generates new CA; distribute new `.pub` via `railiance-infra` | +| **B — Dual trust** | Gradual 
migration | Hosts trust legacy CA **and** OpenBao SSH CA during transition | +| **C — Import legacy CA** | Keep same host trust file | Import existing CA private key into SSH engine (custody ceremony) | +| **D — Defer** | Prove warden only | `backend: local` + legacy `ca_key` until platform ready | + +ops-warden signs either way; **hosts only accept certs from CAs they trust**. --- ## Recommended next operator steps -1. Create production `warden.yaml` with `backend: vault` and `vault.addr`. -2. Export short-lived `VAULT_TOKEN` after OIDC login. -3. Run `wiki/OpenBaoSshEngineChecklist.md` items 1–6. -4. Test: `warden sign --pubkey ` against a known inventory actor. -5. Enable `policy.enabled: true` only after flex-auth `ssh-certificate` policies exist. +1. ~~Create production `warden.yaml`~~ — done on workstation. +2. **Enable OpenBao SSH engine** + roles (`wiki/OpenBaoSshEngineChecklist.md`). +3. **Decide migration path** (A/B/C above) with `railiance-infra`. +4. `bao login` in WSL → `export VAULT_TOKEN=...` → `warden sign` smoke test. +5. Enable `policy.enabled: true` only after flex-auth policies exist. --- diff --git a/workplans/WARDEN-WP-0008-production-ssh-path-and-stewardship-closeout.md b/workplans/WARDEN-WP-0008-production-ssh-path-and-stewardship-closeout.md index 178e243..ca1e696 100644 --- a/workplans/WARDEN-WP-0008-production-ssh-path-and-stewardship-closeout.md +++ b/workplans/WARDEN-WP-0008-production-ssh-path-and-stewardship-closeout.md 
@@ -72,7 +72,9 @@ state_hub_task_id: "b1a1831d-b2b3-4204-95f6-04dc7f29f67c" - [ ] Append pass/fail evidence to `history/2026-06-17-openbao-production-verify.md` - [ ] Optional: cert_command smoke via ops-bridge tunnel (non-secret summary only) -**Blocked until:** scoped token + SSH roles on Railiance OpenBao. Operator guide in session notes. +**Blocked until:** OpenBao `ssh/` secrets engine enabled + host CA trust plan. +Operator confirmed (2026-06-17): no SSH engine yet; legacy SSH predates OpenBao. +Token/UI login not the blocker. See `history/2026-06-17-openbao-production-verify.md`. ### T3 — State Hub task status canon migration
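Review bot: In the first hunk (history file), step 3 of "Recommended next operator steps" says "Decide migration path (A/B/C above)" while the new "Migration paths" table lists four paths, A through D; either write "A/B/C/D" or state in the table that D (defer, `backend: local` + legacy `ca_key`) is not a candidate for the decision with `railiance-infra`. Path D's "Host impact" cell should also say where the legacy `ca_key` then lives and who holds it, since a local backend means the CA private key sits on the workstation rather than in OpenBao, and Path C should note that importing the legacy CA key carries its file/static-key-era exposure into the engine, so a rotation date belongs next to the custody ceremony. Separately, the rewritten step 4 (`bao login` in WSL → `export VAULT_TOKEN=...`) dropped the "short-lived" qualifier that the removed step 2 carried; keep the TTL expectation in the step so the smoke test is not done with a long-lived token.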
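Review bot: In the second hunk (WP-0008 workplan), the new "Token/UI login not the blocker." sentence reads as if the token is resolved, but the history file in the same patch records "UI login OK; CLI `bao login` still needed for `warden`"; phrase it as not the primary blocker and keep the outstanding CLI login visible, e.g. "Token/UI login not the primary blocker; CLI `bao login` still required before `warden sign`." so the T2 checklist does not lose that prerequisite when the SSH engine lands.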