generated from coulomb/repo-seed
feat: opt-in flex-auth policy gate and OpenBao verify (WP-0007)
Add policy.py client that calls flex-auth /v1/check before sign/issue when policy.enabled is true. Record policy_decision_id in signatures.log. Default off preserves existing inventory-only behavior. Document production OpenBao health probe and update config/wiki references.
This commit is contained in:
75
history/2026-06-17-openbao-production-verify.md
Normal file
75
history/2026-06-17-openbao-production-verify.md
Normal file
@@ -0,0 +1,75 @@
|
||||
# OpenBao Production Verification — 2026-06-17
|
||||
|
||||
**Workplan:** WARDEN-WP-0007-T01
|
||||
**Endpoint:** `https://bao.coulomb.social`
|
||||
**Operator:** codex (automated probe, no secrets recorded)
|
||||
|
||||
---
|
||||
|
||||
## Health probe
|
||||
|
||||
```bash
|
||||
curl -s "https://bao.coulomb.social/v1/sys/health" | python3 -m json.tool
|
||||
```
|
||||
|
||||
**Result (2026-06-17):**
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| `initialized` | `true` |
|
||||
| `sealed` | `false` |
|
||||
| `standby` | `false` |
|
||||
| `version` | `2.5.4` |
|
||||
| `cluster_name` | `vault-cluster-ebe7da39` |
|
||||
| `replication_performance_mode` | `primary` |
|
||||
|
||||
OpenBao is **reachable, initialized, and unsealed**. Suitable as the production
|
||||
platform secrets endpoint for ops-warden `backend: vault`.
|
||||
|
||||
---
|
||||
|
||||
## Authenticated API (blocked without token)
|
||||
|
||||
```bash
|
||||
curl -s -o /dev/null -w "%{http_code}" "https://bao.coulomb.social/v1/sys/mounts"
|
||||
```
|
||||
|
||||
**Result:** HTTP `403` (expected without `X-Vault-Token`).
|
||||
|
||||
Full SSH engine verification (`bao secrets list`, role TTL alignment, live
|
||||
`warden sign`) requires a **scoped operator token** with permission to:
|
||||
|
||||
1. List mounts and confirm `ssh/` engine is enabled
|
||||
2. Read `ssh/roles/{adm,agt,atm}-role` TTL limits
|
||||
3. Call `POST /v1/ssh/sign/<role>` for each actor type
|
||||
|
||||
See `wiki/OpenBaoSshEngineChecklist.md` for the step-by-step checklist.
|
||||
|
||||
---
|
||||
|
||||
## Blockers for end-to-end `warden sign`
|
||||
|
||||
| Blocker | Owner | Notes |
|
||||
| --- | --- | --- |
|
||||
| No `~/.config/warden/warden.yaml` on dev workstation | Operator | Point `vault.addr` at `https://bao.coulomb.social` |
|
||||
| No scoped `VAULT_TOKEN` in session | Operator | OIDC login via KeyCape / `bao login` |
|
||||
| SSH engine roles may not be provisioned | `railiance-platform` | Run checklist in `wiki/OpenBaoSshEngineChecklist.md` |
|
||||
| flex-auth policy package for `ssh-certificate` | `flex-auth` | Out of scope for WP-0007; gate is opt-in |
|
||||
|
||||
---
|
||||
|
||||
## Recommended next operator steps
|
||||
|
||||
1. Create production `warden.yaml` with `backend: vault` and `vault.addr`.
|
||||
2. Export short-lived `VAULT_TOKEN` after OIDC login.
|
||||
3. Run `wiki/OpenBaoSshEngineChecklist.md` items 1–6.
|
||||
4. Test: `warden sign <actor> --pubkey <path>` against a known inventory actor.
|
||||
5. Enable `policy.enabled: true` only after flex-auth `ssh-certificate` policies exist.
|
||||
|
||||
---
|
||||
|
||||
## See also
|
||||
|
||||
- `wiki/OpsWardenConfig.md` — production config examples
|
||||
- `wiki/OpenBaoSshEngineChecklist.md` — SSH engine validation
|
||||
- `wiki/PolicyGatedSigning.md` — opt-in flex-auth gate (implemented WP-0007)
|
||||
Reference in New Issue
Block a user