generated from coulomb/repo-seed
Add policy.py client that calls flex-auth /v1/check before sign/issue when policy.enabled is true. Record policy_decision_id in signatures.log. Default off preserves existing inventory-only behavior. Document production OpenBao health probe and update config/wiki references.
75 lines
2.4 KiB
Markdown
75 lines
2.4 KiB
Markdown
# OpenBao Production Verification — 2026-06-17
|
||
|
||
**Workplan:** WARDEN-WP-0007-T01
|
||
**Endpoint:** `https://bao.coulomb.social`
|
||
**Operator:** codex (automated probe, no secrets recorded)
|
||
|
||
---
|
||
|
||
## Health probe
|
||
|
||
```bash
|
||
curl -s "https://bao.coulomb.social/v1/sys/health" | python3 -m json.tool
|
||
```
|
||
|
||
**Result (2026-06-17):**
|
||
|
||
| Field | Value |
|
||
| --- | --- |
|
||
| `initialized` | `true` |
|
||
| `sealed` | `false` |
|
||
| `standby` | `false` |
|
||
| `version` | `2.5.4` |
|
||
| `cluster_name` | `vault-cluster-ebe7da39` |
|
||
| `replication_performance_mode` | `primary` |
|
||
|
||
OpenBao is **reachable, initialized, and unsealed**. Suitable as the production
|
||
platform secrets endpoint for ops-warden `backend: vault`.
|
||
|
||
---
|
||
|
||
## Authenticated API (blocked without token)
|
||
|
||
```bash
|
||
curl -s -o /dev/null -w "%{http_code}" "https://bao.coulomb.social/v1/sys/mounts"
|
||
```
|
||
|
||
**Result:** HTTP `403` (expected without `X-Vault-Token`).
|
||
|
||
Full SSH engine verification (`bao secrets list`, role TTL alignment, live
|
||
`warden sign`) requires a **scoped operator token** with permission to:
|
||
|
||
1. List mounts and confirm `ssh/` engine is enabled
|
||
2. Read `ssh/roles/{adm,agt,atm}-role` TTL limits
|
||
3. Call `POST /v1/ssh/sign/<role>` for each actor type
|
||
|
||
See `wiki/OpenBaoSshEngineChecklist.md` for the step-by-step checklist.
|
||
|
||
---
|
||
|
||
## Blockers for end-to-end `warden sign`
|
||
|
||
| Blocker | Owner | Notes |
|
||
| --- | --- | --- |
|
||
| No `~/.config/warden/warden.yaml` on dev workstation | Operator | Point `vault.addr` at `https://bao.coulomb.social` |
|
||
| No scoped `VAULT_TOKEN` in session | Operator | OIDC login via KeyCape / `bao login` |
|
||
| SSH engine roles may not be provisioned | `railiance-platform` | Run checklist in `wiki/OpenBaoSshEngineChecklist.md` |
|
||
| flex-auth policy package for `ssh-certificate` | `flex-auth` | Out of scope for WP-0007; gate is opt-in |
|
||
|
||
---
|
||
|
||
## Recommended next operator steps
|
||
|
||
1. Create production `warden.yaml` with `backend: vault` and `vault.addr`.
|
||
2. Export short-lived `VAULT_TOKEN` after OIDC login.
|
||
3. Run `wiki/OpenBaoSshEngineChecklist.md` items 1–6.
|
||
4. Test: `warden sign <actor> --pubkey <path>` against a known inventory actor.
|
||
5. Enable `policy.enabled: true` only after flex-auth `ssh-certificate` policies exist.
|
||
|
||
---
|
||
|
||
## See also
|
||
|
||
- `wiki/OpsWardenConfig.md` — production config examples
|
||
- `wiki/OpenBaoSshEngineChecklist.md` — SSH engine validation
|
||
- `wiki/PolicyGatedSigning.md` — opt-in flex-auth gate (implemented WP-0007) |