coulomb/ops-warden
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
318f2558f5ce777c06996b0b09b073fc7d116feb
ops-warden/wiki/InterHubBootstrapAccessLane.md
tegwick f10f813d7e feat(WP-0012): add inter-hub-bootstrap-ssh catalog entry and align wiki 
Promote Inter-Hub bootstrap lane to active catalog with worker checklist,
attended/unattended branches, and flex-auth/OpenBao pointers. Mark WP-0012
T2/T3 done; ops-bridge tunnel playbook shipped in prior WP-0013 commit.
2026-06-24 12:45:23 +02:00

5.5 KiB
Raw Blame History

Inter-Hub Bootstrap Access Lane

Date: 2026-06-24 (catalog alignment)
Catalog id: inter-hub-bootstrap-sshwarden route show inter-hub-bootstrap-ssh --json

Purpose

This runbook describes how ops-warden participates in authenticated Inter-Hub bootstrap tasks, especially the ops-hub production activation lane tracked by CUST-WP-0049.

ops-warden does not store Inter-Hub API keys. Its role is to issue short-lived SSH certificates for a narrow actor so an operator or agent can reach a trusted execution host without introducing static SSH keys into the workflow.

Boundary

ops-warden owns:

  • actor registration
  • short-lived certificate issuance
  • TTL and principal policy
  • ops-ssh-wrapper usage

ops-warden does not own:

  • Inter-Hub operator key storage
  • OpenBao policy or secret paths
  • host-side /etc/ssh/auth_principals/ deployment
  • force-command wrappers
  • database migrations or Kubernetes access

Those host-side controls belong to railiance-infra or the relevant deployment repo. Long-lived secret custody belongs in OpenBao or the approved operator secret store.

Actor Pattern

Use a dedicated agt actor for Codex-assisted bootstrap work:

warden inventory add agt-codex-interhub-bootstrap \
  --type agt \
  --principal agt-interhub-bootstrap \
  --ttl 2 \
  --description "Short-lived agent access for attended Inter-Hub bootstrap execution"

Guidance:

  • Prefer a 1-2 hour TTL for attended bootstrap.
  • Keep the principal narrower than general ops access.
  • Do not reuse human adm actors for agent-assisted bootstrap runs.
  • Remove or disable the actor after the bootstrap lane is no longer needed.

Worker checklist

  1. Confirm the bootstrap run is approved (CUST-WP-0049 or equivalent workplan).
  2. Register or verify the narrow agt actor in inventory (warden inventory list).
  3. Sign a short-lived cert: warden sign agt-codex-interhub-bootstrap --pubkey <path>.
  4. Confirm host principal agt-interhub-bootstrap is deployed (railiance-infra ssh_principals.yaml; optional drift check: scripts/check_principals_drift.py).
  5. Choose attended or unattended material access (below).
  6. Run via ops-ssh-wrapper or attended SSH; collect non-secret evidence only.

For generic SSH issuance steps see catalog id ssh-cert-host-access.

Attended bootstrap

Use when host-side force-command / OpenBao read paths are not yet provisioned.

  1. Operator holds the Inter-Hub operator key in an attended 0600 temp file (IHUB_OPERATOR_KEY_FILE) — never commit or paste in chat.
  2. ops-warden signs the bootstrap actor cert (step 3 above).
  3. Operator runs the repo-owned bootstrap command on the trusted host, for example make interhub-bootstrap in ops-hub.
  4. Operator stores any generated runtime key into OpenBao immediately.
  5. Record non-secret evidence in State Hub (ids, status, key prefixes).

Example client-side wrapper use:

WARDEN_ACTOR=agt-codex-interhub-bootstrap \
SSH_PUBKEY="$HOME/.ssh/id_ed25519.pub" \
ops-ssh-wrapper ssh ops-bootstrap@<trusted-host> run-ops-hub-interhub-bootstrap

The exact remote command and host account are environment-specific and should be provisioned by the deployment repo.

Unattended bootstrap

Use only after railiance-infra ships host-side controls (principals, force-command, wrapper).

  1. ops-warden signs the bootstrap actor cert.
  2. Target host accepts only the agt-interhub-bootstrap principal.
  3. Host-side wrapper reads the Inter-Hub operator key from OpenBao (see pointers below) — ops-warden does not vend that key.
  4. Wrapper runs the approved bootstrap routine and writes the runtime key back to OpenBao.
  5. Wrapper prints non-secret evidence only.

Without force-command and OpenBao read paths, stay on the attended branch.

flex-auth and OpenBao pointers

ops-warden issues the SSH envelope only. Custody and authorization live elsewhere:

Need Route Notes
Inter-Hub operator key read/write warden route show openbao-api-key --json railiance-platform owns paths
Authorization before sensitive bootstrap warden route show flex-auth-policy-check --json flex-auth PDP when policy applies
Host principal deploy warden route show railiance-infra-principals --json Ansible ssh_principals.yaml

Do not restate OpenBao path strings here — they change in railiance-platform.

Host-Side Requirements

Before this lane can be used in production, railiance-infra or the deployment owner should provide:

  • an auth principals entry for agt-interhub-bootstrap
  • password auth disabled for the target account
  • a force-command or restricted wrapper for the bootstrap path
  • OpenBao read access for the Inter-Hub operator key, if unattended material access is approved
  • OpenBao write access for the generated ops-hub runtime key
  • non-secret execution logging

Without those controls, use only an attended local IHUB_OPERATOR_KEY_FILE run.

Non-Secret Evidence

Safe evidence to copy into State Hub:

  • workplan id and task id
  • Inter-Hub base URL
  • hub id and slug
  • manifest id and status
  • API consumer id
  • runtime key prefix
  • widget counts
  • event id and event type

Never log:

  • full operator keys
  • full runtime API keys
  • OpenBao tokens
  • kubeconfig contents
  • raw SQL output that could include secrets

Related Work

  • the-custodian/workplans/CUST-WP-0049-interhub-bootstrap-access-lane.md
  • ops-hub/docs/bootstrap-runbook.md
  • wiki/AccessManagementDirective.md
  • wiki/OpsWardenConfig.md
  • wiki/CertCommandInterface.md
Reference in New Issue View Git Blame Copy Permalink