From 06844c2669cbe39a0752fc6fa4a4e8ab345ebc0d Mon Sep 17 00:00:00 2001
From: tegwick
Date: Thu, 2 Jul 2026 22:08:47 +0200
Subject: [PATCH] NET-WP-0020 T4: prepared transit auto-unseal seal stanza (disabled by default)

Commented seal "transit" stanza in the OpenBao server config plus an 'Auto-Unseal via Transit Seal' doc section covering provisioning, seal migration, pod-restart proof, and the net-kingdom console evidence flags.

Co-Authored-By: Claude Fable 5
---
 docs/openbao.md | 22 ++++++++++++++++++++++
 helm/openbao-values.yaml | 16 ++++++++++++++++
 2 files changed, 38 insertions(+)

diff --git a/docs/openbao.md b/docs/openbao.md
index b2e5ad1..bedd234 100644
--- a/docs/openbao.md
+++ b/docs/openbao.md
@@ -182,6 +182,28 @@ escrow owner through an out-of-band channel. The initial root token is either
 revoked after a non-root platform-admin token exists or stored as offline
 break-glass material with the same handling as unseal shares.
 
+## Auto-Unseal via Transit Seal (optional, NET-WP-0020 T4)
+
+`helm/openbao-values.yaml` carries a commented `seal "transit"` stanza inside
+the server config. When an external transit OpenBao (or cloud KMS) is
+available, enabling it lets pods unseal automatically after restart — no
+manual share ceremony per restart. Shamir shares become **recovery keys** and
+keep the same escrow handling as unseal shares.
+
+Steps:
+
+1. Provision the transit backend and unseal key; store the transit token in a
+ Kubernetes secret referenced through `server.extraSecretEnvironmentVars`
+ (`BAO_SEAL_TRANSIT_TOKEN`). The token never enters Git.
+2. Uncomment the seal stanza, upgrade the release, and run the seal migration
+ from the attended ceremony posture:
+ `bao operator unseal -migrate` with threshold shares.
+3. Prove auto-unseal: delete the pod, confirm it returns
+ `initialized=true sealed=false` without shares.
+4. In the net-kingdom bootstrap console, select the `auto-unseal-transit`
+ custody model and set `openbao_transit_seal_configured` and
+ `openbao_auto_unseal_verified` in the non-secret metadata.
+
 ## Initial Configuration After Unseal
 
 File audit is configured declaratively in `helm/openbao-values.yaml` with a
diff --git a/helm/openbao-values.yaml b/helm/openbao-values.yaml
index 88914a7..7e41f7b 100644
--- a/helm/openbao-values.yaml
+++ b/helm/openbao-values.yaml
@@ -104,6 +104,22 @@ server:
 path = "/openbao/data"
 }
 
+ # auto-unseal-transit custody model (net-kingdom NET-WP-0020 T4).
+ # Disabled by default: shamir seal + manual/SOPS-held unseal applies.
+ # To enable: provision an external transit OpenBao (or cloud KMS),
+ # create the unseal key, put the transit token in a k8s secret exposed
+ # as BAO_SEAL_TRANSIT_TOKEN via server.extraSecretEnvironmentVars
+ # (token never in Git), uncomment, upgrade the release, then run the
+ # seal migration: bao operator unseal -migrate (threshold shares).
+ # Select `auto-unseal-transit` in the net-kingdom bootstrap console and
+ # set openbao_transit_seal_configured / openbao_auto_unseal_verified
+ # after a pod-restart unseal proof.
+ # seal "transit" {
+ # address = "https://:8200"
+ # key_name = "railiance-openbao-unseal"
+ # mount_path = "transit/"
+ # }
+
 audit "file" "file" {
 description = "Default file audit device on the OpenBao audit PVC."