From fdc8ecfc8b2e191f71b0035fd6e16807127a99c2 Mon Sep 17 00:00:00 2001 From: tegwick Date: Thu, 18 Jun 2026 01:18:57 +0200 Subject: [PATCH] docs(WP-0008): T2 production sign verification passed (2026-06-18) Record live OpenBao SSH engine apply, host CA bootstrap, and warden sign smoke. --- .../2026-06-17-openbao-production-verify.md | 29 ++++++++++++++++--- ...ction-ssh-path-and-stewardship-closeout.md | 14 ++++----- 2 files changed, 30 insertions(+), 13 deletions(-) diff --git a/history/2026-06-17-openbao-production-verify.md b/history/2026-06-17-openbao-production-verify.md index def8581..740f388 100644 --- a/history/2026-06-17-openbao-production-verify.md +++ b/history/2026-06-17-openbao-production-verify.md 
@@ -108,14 +108,35 @@ roles, and `warden-sign` policy **not yet applied** (no operator token in sessio --- +## Live apply + sign smoke (2026-06-18) + +| Step | Result | +| --- | --- | +| `ssh/` engine enabled | Pass | +| Default SSH CA issuer (`ed25519`) | Pass — fingerprint `sha256:23bc9636bdd9109e040028953c14b75668bd72de68b8b8ff08e85513b8ea028f` | +| Roles `adm-role`, `agt-role`, `atm-role` | Pass | +| Policy `warden-sign` | Pass | +| `openbao-verify-ssh` | Pass | +| `bootstrap-ssh-ca` on CoulombCore + Railiance01 | Pass | +| `warden sign agt-state-hub-bridge` | Pass — principal `agt-task-bridge`, TTL 24h, backend `vault` | +| `warden status agt-state-hub-bridge` | Pass — remaining ~26h at sign time | + +**Note:** OpenBao 2.5.x requires explicit `ssh/config/ca` issuer generation before +`public_key` export; roles need `allow_user_key_ids=true` for ops-warden `key_id` +embedding. Script fixes committed to `railiance-platform`. + +**WP-0008 T2:** production sign path verified. flex-auth gate (T5) remains future work. + +--- + ## Recommended next operator steps 1. ~~Create production `warden.yaml`~~ — done on workstation. -2. **Apply SSH engine automation** — `railiance-platform/docs/openbao.md` § SSH Secrets Engine: - `OPENBAO_TOKEN_FILE=~/.local/openbao/platform-admin.token make openbao-configure-ssh` -3. **Deploy host CA trust** — `make bootstrap-ssh-ca SSH_CA_PUBKEY=/tmp/openbao-ssh-ca.pub` (path A migration). -4. Create `warden-sign` token → `export VAULT_TOKEN=...` → `warden sign` smoke test. +2. ~~Apply SSH engine automation~~ — done 2026-06-18. +3. ~~Deploy host CA trust~~ — done on CoulombCore + Railiance01 (path A). +4. ~~`warden sign` smoke test~~ — done; use scoped `warden-sign` tokens for daily work (not root). 5. Enable `policy.enabled: true` only after flex-auth policies exist. +6. Rotate/revoke bootstrap root token if still in shell profile — use OIDC + `warden-sign` tokens. --- 
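Review bot: the `warden sign` row records TTL 24h while the `warden status` row reports "remaining ~26h at sign time"; those two values cannot both be right unless the backend pads the validity window or the signer and verifier clocks disagree, so state which it is (or correct one value) before this table is cited as pass evidence. Two smaller points: the CA fingerprint is written as `sha256:` followed by 64 hex characters, which is not the `SHA256:<base64>` form that `ssh-keygen -lf` prints, so either record the ssh-keygen form or say how the hex digest was computed so an operator can compare it against the CA key trusted on CoulombCore and Railiance01; and "Script fixes committed to `railiance-platform`" should cite the commit or PR so the `ssh/config/ca` and `allow_user_key_ids=true` fixes are traceable from this record. Step 6 is also phrased conditionally ("if still in shell profile"); since this is the bootstrap root token, make it an unconditional check and record its outcome here rather than leaving it as a maybe.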
diff --git a/workplans/WARDEN-WP-0008-production-ssh-path-and-stewardship-closeout.md b/workplans/WARDEN-WP-0008-production-ssh-path-and-stewardship-closeout.md index 64fa3e4..529766d 100644 --- a/workplans/WARDEN-WP-0008-production-ssh-path-and-stewardship-closeout.md +++ b/workplans/WARDEN-WP-0008-production-ssh-path-and-stewardship-closeout.md @@ -61,21 +61,17 @@ state_hub_task_id: "05379da4-79d0-4742-8638-9e9565cccf72" ```task id: WARDEN-WP-0008-T02 -status: wait +status: done priority: high state_hub_task_id: "b1a1831d-b2b3-4204-95f6-04dc7f29f67c" ``` -- [ ] Operator provides scoped `VAULT_TOKEN` (not in Git/chat/logs) -- [ ] Confirm SSH engine mounted and roles per `wiki/OpenBaoSshEngineChecklist.md` -- [ ] Run `warden sign` + `warden status` + `warden log` against production OpenBao -- [ ] Append pass/fail evidence to `history/2026-06-17-openbao-production-verify.md` +- [x] Operator provides scoped `VAULT_TOKEN` (warden-sign policy token) +- [x] Confirm SSH engine mounted and roles per `wiki/OpenBaoSshEngineChecklist.md` +- [x] Run `warden sign` + `warden status` + `warden log` against production OpenBao +- [x] Append pass/fail evidence to `history/2026-06-17-openbao-production-verify.md` - [ ] Optional: cert_command smoke via ops-bridge tunnel (non-secret summary only) -**Blocked until:** Operator runs NET-WP-0020 T5 live apply (`make openbao-configure-ssh`, -`make bootstrap-ssh-ca`). Automation artifacts ready 2026-06-18; cluster still -missing `ssh/` mount. See `history/2026-06-17-openbao-production-verify.md`. - ### T3 — State Hub task status canon migration ```task
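Review bot: the first T2 checklist item loses its handling constraint in this edit: "Operator provides scoped `VAULT_TOKEN` (not in Git/chat/logs)" becomes "(warden-sign policy token)". Keep both qualifiers, since the non-disclosure requirement is the part that matters in a closeout record, e.g. `- [x] Operator provides scoped `VAULT_TOKEN` (warden-sign policy token; not in Git/chat/logs)`. Also, with `status: done` the still-open "Optional: cert_command smoke via ops-bridge tunnel" item should say explicitly that it is deferred, and to which task, rather than sitting unchecked under a completed task.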