generated from coulomb/repo-seed
feat: opt-in flex-auth policy gate and OpenBao verify (WP-0007)
Add policy.py client that calls flex-auth /v1/check before sign/issue when policy.enabled is true. Record policy_decision_id in signatures.log. Default off preserves existing inventory-only behavior. Document production OpenBao health probe and update config/wiki references.
This commit is contained in:
@@ -35,6 +35,12 @@ ca_key: ~/.ssh/ops-ca-user
|
||||
|
||||
inventory_path: ~/.config/warden/inventory.yaml
|
||||
state_dir: ~/.local/state/warden
|
||||
|
||||
# Optional flex-auth gate (default off — see wiki/PolicyGatedSigning.md)
|
||||
policy:
|
||||
enabled: false
|
||||
flex_auth_url: http://127.0.0.1:8080
|
||||
fail_closed: true
|
||||
```
|
||||
|
||||
### Bootstrapping the local CA key
|
||||
@@ -78,6 +84,12 @@ vault:
|
||||
|
||||
inventory_path: ~/.config/warden/inventory.yaml
|
||||
state_dir: ~/.local/state/warden
|
||||
|
||||
# Enable after flex-auth ssh-certificate policies are deployed:
|
||||
# policy:
|
||||
# enabled: true
|
||||
# flex_auth_url: http://flex-auth.flex-auth.svc.cluster.local:8080
|
||||
# fail_closed: true
|
||||
```
|
||||
|
||||
### Example — in-cluster caller (pod or trusted host)
|
||||
@@ -212,12 +224,33 @@ hosts:
|
||||
|
||||
---
|
||||
|
||||
## Policy gate (flex-auth, opt-in)
|
||||
|
||||
When `policy.enabled: true`, `warden sign` and `warden issue` call flex-auth
|
||||
`POST /v1/check` before signing. Deny or unreachable (with `fail_closed: true`)
|
||||
blocks issuance. Allowed decisions store `policy_decision_id` in `signatures.log`.
|
||||
|
||||
```yaml
|
||||
policy:
|
||||
enabled: false # default — no behavior change
|
||||
flex_auth_url: http://127.0.0.1:8080
|
||||
fail_closed: true # deny when flex-auth unreachable
|
||||
tenant: tenant:platform
|
||||
subject_env: WARDEN_POLICY_SUBJECT
|
||||
system: ops-warden
|
||||
```
|
||||
|
||||
Full request shape and rollout notes: `wiki/PolicyGatedSigning.md`.
|
||||
|
||||
---
|
||||
|
||||
## Environment variables
|
||||
|
||||
| Variable | Default | Description |
|
||||
|----------|---------|-------------|
|
||||
| `WARDEN_CONFIG` | `~/.config/warden/warden.yaml` | Config file path |
|
||||
| `VAULT_TOKEN` | — | API token for `backend: vault` (OpenBao or Vault; name configurable via `vault.token_env`) |
|
||||
| `WARDEN_POLICY_SUBJECT` | — | IAM subject id for flex-auth checks (when `policy.enabled`) |
|
||||
|
||||
---
|
||||
|
||||
|
||||
Reference in New Issue
Block a user