Operator confirmed legacy SSH predates OpenBao; ssh/ mount not enabled. Document migration paths and update workplan wait condition.
3.6 KiB
OpenBao Production Verification — 2026-06-17
Workplan: WARDEN-WP-0007-T01
Endpoint: https://bao.coulomb.social
Operator: codex (automated probe, no secrets recorded)
Health probe
curl -s "https://bao.coulomb.social/v1/sys/health" | python3 -m json.tool
Result (2026-06-17):
| Field | Value |
|---|---|
initialized |
true |
sealed |
false |
standby |
false |
version |
2.5.4 |
cluster_name |
vault-cluster-ebe7da39 |
replication_performance_mode |
primary |
OpenBao is reachable, initialized, and unsealed. Suitable as the production
platform secrets endpoint for ops-warden backend: vault.
Authenticated API (blocked without token)
curl -s -o /dev/null -w "%{http_code}" "https://bao.coulomb.social/v1/sys/mounts"
Result: HTTP 403 (expected without X-Vault-Token).
Full SSH engine verification (bao secrets list, role TTL alignment, live
warden sign) requires a scoped operator token with permission to:
- List mounts and confirm
ssh/engine is enabled - Read
ssh/roles/{adm,agt,atm}-roleTTL limits - Call
POST /v1/ssh/sign/<role>for each actor type
See wiki/OpenBaoSshEngineChecklist.md for the step-by-step checklist.
Operator session (2026-06-17) — WP-0008 T2
| Check | Result |
|---|---|
warden.yaml + inventory.yaml on workstation |
Done (operator) |
Test keypair agt-state-hub-bridge_ed25519 |
Done (operator) |
| OpenBao UI login | netkingdom / platform-admin — OK |
ssh/ secrets engine |
Not enabled — confirmed by operator |
| Legacy SSH | Predates OpenBao and ops-warden (file/static-key era) |
Conclusion: T2 cannot complete until the OpenBao SSH engine is bootstrapped and host trust is planned (see migration paths below). Token and warden config are not the blocker.
Blockers for end-to-end warden sign
| Blocker | Owner | Status |
|---|---|---|
| SSH secrets engine not mounted | railiance-platform / operator |
Confirmed missing |
Host TrustedUserCAKeys for OpenBao SSH CA |
railiance-infra |
Not started (legacy CA on hosts today) |
Workstation warden.yaml |
Operator | Done |
Scoped VAULT_TOKEN in shell |
Operator | UI login OK; CLI bao login still needed for warden |
flex-auth ssh-certificate policies |
flex-auth |
Future (T5) |
Migration paths (legacy SSH → OpenBao SSH engine)
| Path | When | Host impact |
|---|---|---|
| A — New OpenBao CA | Greenfield or willing to rotate trust | OpenBao generates new CA; distribute new .pub via railiance-infra |
| B — Dual trust | Gradual migration | Hosts trust legacy CA and OpenBao SSH CA during transition |
| C — Import legacy CA | Keep same host trust file | Import existing CA private key into SSH engine (custody ceremony) |
| D — Defer | Prove warden only | backend: local + legacy ca_key until platform ready |
ops-warden signs either way; hosts only accept certs from CAs they trust.
Recommended next operator steps
Create production— done on workstation.warden.yaml- Enable OpenBao SSH engine + roles (
wiki/OpenBaoSshEngineChecklist.md). - Decide migration path (A/B/C above) with
railiance-infra. bao loginin WSL →export VAULT_TOKEN=...→warden signsmoke test.- Enable
policy.enabled: trueonly after flex-auth policies exist.
See also
wiki/OpsWardenConfig.md— production config exampleswiki/OpenBaoSshEngineChecklist.md— SSH engine validationwiki/PolicyGatedSigning.md— opt-in flex-auth gate (implemented WP-0007)