This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
ops-warden/history/2026-06-17-openbao-production-verify.md
tegwick 8e9383a33a feat: opt-in flex-auth policy gate and OpenBao verify (WP-0007)
Add policy.py client that calls flex-auth /v1/check before sign/issue when
policy.enabled is true. Record policy_decision_id in signatures.log. Default
off preserves existing inventory-only behavior. Document production OpenBao
health probe and update config/wiki references.
2026-06-17 08:37:14 +02:00

75 lines
2.4 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# OpenBao Production Verification — 2026-06-17
**Workplan:** WARDEN-WP-0007-T01
**Endpoint:** `https://bao.coulomb.social`
**Operator:** codex (automated probe, no secrets recorded)
---
## Health probe
```bash
curl -s "https://bao.coulomb.social/v1/sys/health" | python3 -m json.tool
```
**Result (2026-06-17):**
| Field | Value |
| --- | --- |
| `initialized` | `true` |
| `sealed` | `false` |
| `standby` | `false` |
| `version` | `2.5.4` |
| `cluster_name` | `vault-cluster-ebe7da39` |
| `replication_performance_mode` | `primary` |
OpenBao is **reachable, initialized, and unsealed**. Suitable as the production
platform secrets endpoint for ops-warden `backend: vault`.
---
## Authenticated API (blocked without token)
```bash
curl -s -o /dev/null -w "%{http_code}" "https://bao.coulomb.social/v1/sys/mounts"
```
**Result:** HTTP `403` (expected without `X-Vault-Token`).
Full SSH engine verification (`bao secrets list`, role TTL alignment, live
`warden sign`) requires a **scoped operator token** with permission to:
1. List mounts and confirm `ssh/` engine is enabled
2. Read `ssh/roles/{adm,agt,atm}-role` TTL limits
3. Call `POST /v1/ssh/sign/<role>` for each actor type
See `wiki/OpenBaoSshEngineChecklist.md` for the step-by-step checklist.
---
## Blockers for end-to-end `warden sign`
| Blocker | Owner | Notes |
| --- | --- | --- |
| No `~/.config/warden/warden.yaml` on dev workstation | Operator | Point `vault.addr` at `https://bao.coulomb.social` |
| No scoped `VAULT_TOKEN` in session | Operator | OIDC login via KeyCape / `bao login` |
| SSH engine roles may not be provisioned | `railiance-platform` | Run checklist in `wiki/OpenBaoSshEngineChecklist.md` |
| flex-auth policy package for `ssh-certificate` | `flex-auth` | Out of scope for WP-0007; gate is opt-in |
---
## Recommended next operator steps
1. Create production `warden.yaml` with `backend: vault` and `vault.addr`.
2. Export short-lived `VAULT_TOKEN` after OIDC login.
3. Run `wiki/OpenBaoSshEngineChecklist.md` items 16.
4. Test: `warden sign <actor> --pubkey <path>` against a known inventory actor.
5. Enable `policy.enabled: true` only after flex-auth `ssh-certificate` policies exist.
---
## See also
- `wiki/OpsWardenConfig.md` — production config examples
- `wiki/OpenBaoSshEngineChecklist.md` — SSH engine validation
- `wiki/PolicyGatedSigning.md` — opt-in flex-auth gate (implemented WP-0007)