Compare commits


2 Commits

| SHA1 | Message | Date |
| --- | --- | --- |
| fdc8ecfc8b | docs(WP-0008): T2 production sign verification passed (2026-06-18)<br>Record live OpenBao SSH engine apply, host CA bootstrap, and warden sign smoke. | 2026-06-18 01:18:57 +02:00 |
| 2d0f47324d | docs(WP-0008): record NET-WP-0020 T5 artifacts and operator apply steps<br>T2 remains wait until railiance-platform configure-ssh and railiance-infra bootstrap-ssh-ca run against the live cluster. | 2026-06-18 01:06:43 +02:00 |
2 changed files with 51 additions and 13 deletions


@@ -88,13 +88,55 @@ ops-warden signs either way; **hosts only accept certs from CAs they trust**.
---
## NET-WP-0020 T5 artifacts (2026-06-18)
Automation is implemented; live cluster apply is the remaining gate.
| Artifact | Repo | Status |
| --- | --- | --- |
| `openbao/ssh/roles-spec.yaml` | railiance-platform | Ready |
| `openbao/policies/warden-sign.hcl` | railiance-platform | Ready |
| `scripts/openbao-apply-ssh-engine.sh` | railiance-platform | Ready (`--dry-run` OK) |
| `scripts/openbao-verify-ssh-engine.sh` | railiance-platform | Ready |
| `make openbao-configure-ssh` / `openbao-verify-ssh` | railiance-platform | Ready |
| `ansible/roles/ssh_ca_host` + `bootstrap-ssh-ca.yaml` | railiance-infra | Ready |
| `ansible/inventory/ssh_principals.yaml` | railiance-infra | Ready (synced with warden principals) |
| `make bootstrap-ssh-ca` | railiance-infra | Ready |
Live cluster check (2026-06-18): OpenBao initialized and unsealed; `ssh/` mount,
roles, and `warden-sign` policy **not yet applied** (no operator token in session).
---
## Live apply + sign smoke (2026-06-18)
| Step | Result |
| --- | --- |
| `ssh/` engine enabled | Pass |
| Default SSH CA issuer (`ed25519`) | Pass — fingerprint `sha256:23bc9636bdd9109e040028953c14b75668bd72de68b8b8ff08e85513b8ea028f` |
| Roles `adm-role`, `agt-role`, `atm-role` | Pass |
| Policy `warden-sign` | Pass |
| `openbao-verify-ssh` | Pass |
| `bootstrap-ssh-ca` on CoulombCore + Railiance01 | Pass |
| `warden sign agt-state-hub-bridge` | Pass — principal `agt-task-bridge`, TTL 24h, backend `vault` |
| `warden status agt-state-hub-bridge` | Pass — remaining ~26h at sign time |
**Note:** OpenBao 2.5.x requires explicit `ssh/config/ca` issuer generation before
`public_key` export; roles need `allow_user_key_ids=true` for ops-warden `key_id`
embedding. Script fixes committed to `railiance-platform`.
**WP-0008 T2:** production sign path verified. flex-auth gate (T5) remains future work.
---
## Recommended next operator steps
1. ~~Create production `warden.yaml`~~ — done on workstation.
2. **Enable OpenBao SSH engine** + roles (`wiki/OpenBaoSshEngineChecklist.md`).
3. **Decide migration path** (A/B/C above) with `railiance-infra`.
4. `bao login` in WSL → `export VAULT_TOKEN=...` `warden sign` smoke test.
2. ~~Apply SSH engine automation~~ — done 2026-06-18.
3. ~~Deploy host CA trust~~ — done on CoulombCore + Railiance01 (path A).
4. ~~`warden sign` smoke test~~ — done; use scoped `warden-sign` tokens for daily work (not root).
5. Enable `policy.enabled: true` only after flex-auth policies exist.
6. Rotate/revoke bootstrap root token if still in shell profile — use OIDC + `warden-sign` tokens.
---
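Review bot: the two warden rows in the "Live apply + sign smoke" table disagree with each other. `warden sign agt-state-hub-bridge` records `TTL 24h`, but `warden status agt-state-hub-bridge` records `remaining ~26h at sign time`, and a certificate issued with a 24h TTL cannot have 26h left. The 2h surplus is exactly the `+02:00` offset on these commits, which suggests `warden status` is comparing the certificate's UTC `valid_before` against local wall-clock time; fix the status computation or record the `valid_before` value printed by `ssh-keygen -L` so the evidence table is self-consistent. Two smaller points in the same hunk: the note that roles need `allow_user_key_ids=true` should carry the caveat that, with that flag, the `key_id` embedded in the certificate (and therefore what sshd logs) is chosen by the requester, so attribution has to rest on the OpenBao audit log and the token's policy rather than on `key_id`; and the issuer fingerprint is given as 64 hex digits while `ssh-keygen -lf` prints `SHA256:` followed by base64, so state which command produced it to let an operator compare it against the key deployed via `bootstrap-ssh-ca` without a format mismatch.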


@@ -10,7 +10,7 @@ topic_slug: custodian
planning_priority: high
planning_order: 8
created: "2026-06-17"
updated: "2026-06-17"
updated: "2026-06-18"
state_hub_workstream_id: "a174963a-4ff1-4565-b19f-896cd4ff14a0"
---
@@ -61,21 +61,17 @@ state_hub_task_id: "05379da4-79d0-4742-8638-9e9565cccf72"
```task
id: WARDEN-WP-0008-T02
status: wait
status: done
priority: high
state_hub_task_id: "b1a1831d-b2b3-4204-95f6-04dc7f29f67c"
```
- [ ] Operator provides scoped `VAULT_TOKEN` (not in Git/chat/logs)
- [ ] Confirm SSH engine mounted and roles per `wiki/OpenBaoSshEngineChecklist.md`
- [ ] Run `warden sign` + `warden status` + `warden log` against production OpenBao
- [ ] Append pass/fail evidence to `history/2026-06-17-openbao-production-verify.md`
- [x] Operator provides scoped `VAULT_TOKEN` (warden-sign policy token)
- [x] Confirm SSH engine mounted and roles per `wiki/OpenBaoSshEngineChecklist.md`
- [x] Run `warden sign` + `warden status` + `warden log` against production OpenBao
- [x] Append pass/fail evidence to `history/2026-06-17-openbao-production-verify.md`
- [ ] Optional: cert_command smoke via ops-bridge tunnel (non-secret summary only)
**Blocked until:** OpenBao `ssh/` secrets engine enabled + host CA trust plan.
Operator confirmed (2026-06-17): no SSH engine yet; legacy SSH predates OpenBao.
Token/UI login not the blocker. See `history/2026-06-17-openbao-production-verify.md`.
### T3 — State Hub task status canon migration
```task
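Review bot: the checked-off first item loses the handling rule that the unchecked version carried. `- [ ] Operator provides scoped `VAULT_TOKEN` (not in Git/chat/logs)` became `- [x] Operator provides scoped `VAULT_TOKEN` (warden-sign policy token)`; keep both qualifiers in the done record, e.g. `(warden-sign policy token; not in Git/chat/logs)`, so the constraint survives alongside the evidence rather than disappearing when the task closes. Moving `status: wait` to `status: done` with only the optional cert_command smoke left unchecked is consistent with the removed "Blocked until" lines, but since that optional item is the only host-side login check in the list, the task body should say explicitly that T2 closure covers the sign path only and not a login against a trusting host.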