generated from coulomb/repo-seed
docs(WP-0008): T2 production sign verification passed (2026-06-18)
Record live OpenBao SSH engine apply, host CA bootstrap, and warden sign smoke.
This commit is contained in:
@@ -108,14 +108,35 @@ roles, and `warden-sign` policy **not yet applied** (no operator token in sessio
|
||||
|
||||
---
|
||||
|
||||
## Live apply + sign smoke (2026-06-18)
|
||||
|
||||
| Step | Result |
|
||||
| --- | --- |
|
||||
| `ssh/` engine enabled | Pass |
|
||||
| Default SSH CA issuer (`ed25519`) | Pass — fingerprint `sha256:23bc9636bdd9109e040028953c14b75668bd72de68b8b8ff08e85513b8ea028f` |
|
||||
| Roles `adm-role`, `agt-role`, `atm-role` | Pass |
|
||||
| Policy `warden-sign` | Pass |
|
||||
| `openbao-verify-ssh` | Pass |
|
||||
| `bootstrap-ssh-ca` on CoulombCore + Railiance01 | Pass |
|
||||
| `warden sign agt-state-hub-bridge` | Pass — principal `agt-task-bridge`, TTL 24h, backend `vault` |
|
||||
| `warden status agt-state-hub-bridge` | Pass — remaining ~26h at sign time |
|
||||
|
||||
**Note:** OpenBao 2.5.x requires explicit `ssh/config/ca` issuer generation before
|
||||
`public_key` export; roles need `allow_user_key_ids=true` for ops-warden `key_id`
|
||||
embedding. Script fixes committed to `railiance-platform`.
|
||||
|
||||
**WP-0008 T2:** production sign path verified. flex-auth gate (T5) remains future work.
|
||||
|
||||
---
|
||||
|
||||
## Recommended next operator steps
|
||||
|
||||
1. ~~Create production `warden.yaml`~~ — done on workstation.
|
||||
2. **Apply SSH engine automation** — `railiance-platform/docs/openbao.md` § SSH Secrets Engine:
|
||||
`OPENBAO_TOKEN_FILE=~/.local/openbao/platform-admin.token make openbao-configure-ssh`
|
||||
3. **Deploy host CA trust** — `make bootstrap-ssh-ca SSH_CA_PUBKEY=/tmp/openbao-ssh-ca.pub` (path A migration).
|
||||
4. Create `warden-sign` token → `export VAULT_TOKEN=...` → `warden sign` smoke test.
|
||||
2. ~~Apply SSH engine automation~~ — done 2026-06-18.
|
||||
3. ~~Deploy host CA trust~~ — done on CoulombCore + Railiance01 (path A).
|
||||
4. ~~`warden sign` smoke test~~ — done; use scoped `warden-sign` tokens for daily work (not root).
|
||||
5. Enable `policy.enabled: true` only after flex-auth policies exist.
|
||||
6. Rotate/revoke bootstrap root token if still in shell profile — use OIDC + `warden-sign` tokens.
|
||||
|
||||
---
|
||||
|
||||
|
||||
Reference in New Issue
Block a user