Configure OpenBao file audit declaratively

2026-06-01 22:12:23 +02:00
parent 5840783e44
commit 087bb91b86
5 changed files with 53 additions and 36 deletions


@@ -162,12 +162,9 @@ break-glass material with the same handling as unseal shares.
## Initial Configuration After Unseal
Enable file audit:
```bash
kubectl exec -n openbao openbao-0 -- \
bao audit enable file file_path=/openbao/audit/openbao-audit.log
```
File audit is configured declaratively in `helm/openbao-values.yaml` with a
server config `audit "file" "file"` stanza that writes to
`/openbao/audit/openbao-audit.log` on the audit PVC.
Enable the first KV v2 mount:
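Review bot: the inline stanza `audit "file" "file"` on the new lines does not tell a reader which label is the device type and which is the device name, and the section is still headed "Initial Configuration After Unseal" while the replacement text gives the operator nothing to run. Suggest quoting the actual stanza from `helm/openbao-values.yaml` (type, name, and the `file_path` option) and replacing the removed `bao audit enable` command with the one check an operator should run at this point, e.g. `bao audit list`, so the step becomes a verification rather than disappearing.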
@@ -187,8 +184,8 @@ configuration:
make openbao-configure-initial
```
The target prompts for a token, enables file audit when API-managed audit is
available, enables the `platform/` KV v2 mount, enables Kubernetes auth,
The target prompts for a token, verifies the declarative file audit device is
visible, enables the `platform/` KV v2 mount, enables Kubernetes auth,
configures Kubernetes auth from the in-pod service account, and loads:
- `openbao/policies/platform-admin.hcl`
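Review bot: "verifies the declarative file audit device is visible" does not say what the target does when `file/` is absent. Since the same document treats audit as a production gate, state whether `make openbao-configure-initial` fails the ceremony or only warns, and prefer a hard failure so the token-prompting flow cannot proceed to enabling mounts and Kubernetes auth without an audit device in place.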
@@ -198,11 +195,9 @@ It does not print or store the token. You may also set
`OPENBAO_TOKEN_FILE=/path/to/token-file` for an operator-local, uncommitted
token file.
Current OpenBao releases may reject API-managed audit setup with a message that
audit devices must be configured declaratively. In that case the helper exits
successfully with a warning after applying the other bootstrap configuration.
Treat declarative audit configuration in the OpenBao server config/Helm values
as mandatory before production secrets move in.
OpenBao audit is a production gate. If `bao audit list` does not show `file/`,
fix the declarative audit stanza or Helm rollout before moving production
secrets into OpenBao.
The helper is idempotent. Re-running it should report existing `platform/` and
`kubernetes/` paths as already enabled instead of failing the ceremony.
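Review bot: the deleted paragraph recorded why `bao audit enable` is not used (current releases reject API-managed audit setup); with it gone, an operator who hits the gate may reach for the API path and get the same rejection with no explanation. Suggest keeping one sentence on that, and writing the gate check in the same `kubectl exec -n openbao openbao-0 -- bao audit list` form used elsewhere on this page so it is copy-pasteable.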
@@ -261,7 +256,7 @@ The template policy for workload KV reads is
Before any live application secrets move into OpenBao:
1. Enable file audit and confirm an audit file is written under
1. Confirm file audit is enabled and an audit file is written under
`/openbao/audit/openbao-audit.log`.
2. Create an OpenBao Raft snapshot from the unsealed pod:
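Review bot: step 1 says to confirm file audit is enabled and that an audit file is written, but gives no command for either. Suggest pairing `bao audit list` with a check that `/openbao/audit/openbao-audit.log` exists and grows after a test request, since a device listed as enabled does not by itself show that the audit PVC is mounted and writable.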