Configure OpenBao file audit declaratively

scripts/openbao-apply-initial-config.sh

@@ -14,7 +14,7 @@ usage() {
 Usage: scripts/openbao-apply-initial-config.sh [--dry-run]
 
 Applies the first post-unseal OpenBao configuration:
-  - file audit device when API-managed audit is available
+  - declarative file audit visibility check
   - platform KV v2 mount
   - Kubernetes auth mount and in-cluster config
   - platform-admin and platform-readonly policies
@@ -108,30 +108,27 @@ write_policy() {
     sh -c 'read -r BAO_TOKEN; export BAO_TOKEN; bao policy write "$1" -' sh "$name"
 }
 
-enable_file_audit() {
+verify_file_audit() {
   local token="$1"
   local output status
-  if output="$(remote_bao "$token" audit enable file file_path=/openbao/audit/openbao-audit.log 2>&1)"; then
+  if [ "$DRY_RUN" -eq 1 ]; then
+    printf 'DRY-RUN: verify declarative OpenBao file audit device is visible with bao audit list\n'
+    return 0
+  fi
+  if output="$(remote_bao "$token" audit list 2>&1)"; then
     printf '%s\n' "$output"
+    if printf '%s\n' "$output" | grep -Eq '(^|[[:space:]])file/'; then
+      printf 'OK: OpenBao file audit device is configured.\n'
+    else
+      warn "OpenBao audit list did not show file/. Check declarative audit configuration before production trust."
+    fi
     return 0
   fi
 
   status=$?
-  case "$output" in
-    *"cannot enable audit device via API"*)
-      warn "OpenBao rejected API-managed audit enable. Configure audit devices declaratively in the OpenBao server config/Helm values."
-      return 0
-      ;;
-    *"path is already in use"*)
-      printf 'OK: OpenBao file audit device already appears to be enabled.\n'
-      return 0
-      ;;
-    *)
-      printf '%s\n' "$output" >&2
-      warn "OpenBao audit enable failed with exit code $status."
-      return 0
-      ;;
-  esac
+  printf '%s\n' "$output" >&2
+  warn "OpenBao audit list failed with exit code $status. Check declarative audit configuration before production trust."
+  return 0
 }
 
 enable_optional() {
@@ -168,7 +165,7 @@ show_audit_list() {
 
   status=$?
   if printf '%s\n' "$output" | grep -qi "No audit devices are enabled"; then
-    warn "No API-visible audit devices are enabled. Treat declarative audit configuration as a follow-up before production secrets."
+    warn "No API-visible audit devices are enabled. Check declarative audit configuration before production secrets."
     return 0
   fi
 
@@ -185,7 +182,7 @@ fi
 
 remote_bao "$token" status
 
-enable_file_audit "$token"
+verify_file_audit "$token"
 enable_optional "$token" "platform/ KV secrets engine is already enabled." secrets enable -path=platform kv-v2
 enable_optional "$token" "kubernetes/ auth method is already enabled." auth enable kubernetes
 

scripts/openbao-verify.sh

@@ -106,13 +106,19 @@ if [ "$MODE" = "basic" ]; then
 fi
 
 step "Post-unseal unauthenticated checks"
-if run exec -n "$OPENBAO_NAMESPACE" "$pod" -- sh -c 'test -d /openbao/audit'; then
+if run exec -n "$OPENBAO_NAMESPACE" "$pod" -- sh -c 'test -d /openbao/audit' >/dev/null 2>&1; then
   ok "audit directory exists"
 else
   warn "audit directory missing or inaccessible"
 fi
 
-if run exec -n "$OPENBAO_NAMESPACE" "$pod" -- sh -c 'test -d /openbao/data'; then
+if run exec -n "$OPENBAO_NAMESPACE" "$pod" -- sh -c 'test -s /openbao/audit/openbao-audit.log' >/dev/null 2>&1; then
+  ok "audit log file exists and is non-empty"
+else
+  warn "audit log file missing or empty; declarative file audit is not verified"
+fi
+
+if run exec -n "$OPENBAO_NAMESPACE" "$pod" -- sh -c 'test -d /openbao/data' >/dev/null 2>&1; then
   ok "raft data directory exists"
 else
   warn "raft data directory missing or inaccessible"