NET-WP-0020 T4: prepared transit auto-unseal seal stanza (disabled by default)
Commented seal "transit" stanza in the OpenBao server config plus an 'Auto-Unseal via Transit Seal' doc section covering provisioning, seal migration, pod-restart proof, and the net-kingdom console evidence flags.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@@ -104,6 +104,22 @@ server:
path = "/openbao/data"
}

# auto-unseal-transit custody model (net-kingdom NET-WP-0020 T4).
# Disabled by default: shamir seal + manual/SOPS-held unseal applies.
# To enable: provision an external transit OpenBao (or cloud KMS),
# create the unseal key, put the transit token in a k8s secret exposed
# as BAO_SEAL_TRANSIT_TOKEN via server.extraSecretEnvironmentVars
# (token never in Git), uncomment, upgrade the release, then run the
# seal migration: bao operator unseal -migrate (threshold shares).
# Select `auto-unseal-transit` in the net-kingdom bootstrap console and
# set openbao_transit_seal_configured / openbao_auto_unseal_verified
# after a pod-restart unseal proof.
# seal "transit" {
# address = "https://<transit-openbao-host>:8200"
# key_name = "railiance-openbao-unseal"
# mount_path = "transit/"
# }

audit "file" "file" {
description = "Default file audit device on the OpenBao audit PVC."

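Review bot: The commented `seal "transit"` stanza gives an `https://` address but says nothing about how the transit endpoint's certificate is trusted, so an operator who uncomments it against a transit OpenBao signed by an internal CA will either hit a TLS failure or reach for `tls_skip_verify`. Add a commented `tls_ca_cert = "/path/to/transit-ca.pem"` line (the transit seal also accepts `tls_client_cert` / `tls_client_key` for mTLS) and state in the enable-steps comment that `tls_skip_verify` must stay unset. In the same comment, the "put the transit token in a k8s secret" step would be stronger if it named the least-privilege shape of that token: a policy granting only `update` on `transit/encrypt/railiance-openbao-unseal` and `transit/decrypt/railiance-openbao-unseal`, issued as a renewable token, since the seal needs nothing else and a broader token in the pod environment widens the blast radius of a pod compromise. Finally, the migration line should note that `bao operator unseal -migrate` must be run with the existing Shamir threshold shares on every node and that the old shares become recovery keys afterward, so they still need the SOPS custody described for the disabled state.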