This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
ops-warden/history/2026-06-17-openbao-production-verify.md
tegwick 8e9383a33a feat: opt-in flex-auth policy gate and OpenBao verify (WP-0007)
Add policy.py client that calls flex-auth /v1/check before sign/issue when
policy.enabled is true. Record policy_decision_id in signatures.log. Default
off preserves existing inventory-only behavior. Document production OpenBao
health probe and update config/wiki references.
2026-06-17 08:37:14 +02:00

2.4 KiB
Raw Blame History

OpenBao Production Verification — 2026-06-17

Workplan: WARDEN-WP-0007-T01
Endpoint: https://bao.coulomb.social
Operator: codex (automated probe, no secrets recorded)


Health probe

curl -s "https://bao.coulomb.social/v1/sys/health" | python3 -m json.tool

Result (2026-06-17):

Field Value
initialized true
sealed false
standby false
version 2.5.4
cluster_name vault-cluster-ebe7da39
replication_performance_mode primary

OpenBao is reachable, initialized, and unsealed. Suitable as the production platform secrets endpoint for ops-warden backend: vault.


Authenticated API (blocked without token)

curl -s -o /dev/null -w "%{http_code}" "https://bao.coulomb.social/v1/sys/mounts"

Result: HTTP 403 (expected without X-Vault-Token).

Full SSH engine verification (bao secrets list, role TTL alignment, live warden sign) requires a scoped operator token with permission to:

  1. List mounts and confirm ssh/ engine is enabled
  2. Read ssh/roles/{adm,agt,atm}-role TTL limits
  3. Call POST /v1/ssh/sign/<role> for each actor type

See wiki/OpenBaoSshEngineChecklist.md for the step-by-step checklist.


Blockers for end-to-end warden sign

Blocker Owner Notes
No ~/.config/warden/warden.yaml on dev workstation Operator Point vault.addr at https://bao.coulomb.social
No scoped VAULT_TOKEN in session Operator OIDC login via KeyCape / bao login
SSH engine roles may not be provisioned railiance-platform Run checklist in wiki/OpenBaoSshEngineChecklist.md
flex-auth policy package for ssh-certificate flex-auth Out of scope for WP-0007; gate is opt-in

  1. Create production warden.yaml with backend: vault and vault.addr.
  2. Export short-lived VAULT_TOKEN after OIDC login.
  3. Run wiki/OpenBaoSshEngineChecklist.md items 16.
  4. Test: warden sign <actor> --pubkey <path> against a known inventory actor.
  5. Enable policy.enabled: true only after flex-auth ssh-certificate policies exist.

See also

  • wiki/OpsWardenConfig.md — production config examples
  • wiki/OpenBaoSshEngineChecklist.md — SSH engine validation
  • wiki/PolicyGatedSigning.md — opt-in flex-auth gate (implemented WP-0007)