Add OpenBao restore evidence validator

2026-06-01 23:57:00 +02:00
parent c0d4ec9037
commit 123b9aafce
5 changed files with 156 additions and 1 deletions


@@ -0,0 +1,22 @@
{
"drill_date": "2026-06-01",
"operator": "platform-root",
"source_cluster": "railiance01",
"source_namespace": "openbao",
"source_pod": "openbao-0",
"snapshot_created": true,
"snapshot_sha256": "sha256:0000000000000000000000000000000000000000000000000000000000000000",
"snapshot_encrypted": true,
"encrypted_snapshot_sha256": "sha256:1111111111111111111111111111111111111111111111111111111111111111",
"encrypted_snapshot_location": "operator-local encrypted restore drill workspace or approved encrypted custody location",
"isolated_environment": "disposable cluster, VM, or namespace reference",
"isolated_restore_completed": true,
"unseal_verified_in_isolation": true,
"test_secret_read_verified": true,
"post_restore_status_verified": true,
"post_restore_verification": "bao status, mount/auth/policy checks, and a non-production test secret read succeeded in the isolated environment",
"isolated_environment_destroyed": true,
"destroyed_environment_evidence": "operator note, VM deletion id, namespace deletion timestamp, or equivalent non-secret proof",
"no_secret_material_recorded": true,
"notes": "Do not record OpenBao tokens, root tokens, unseal shares, decrypted snapshots, private keys, passwords, OTP seeds, or recovery codes."
}
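Review bot: the template's `snapshot_sha256` and `encrypted_snapshot_sha256` values are all-zero and all-one placeholder digests, and nothing in the file marks them as such, so an operator copying the template can leave them in place and still produce evidence that looks complete. Consider having the validator reject these two placeholder digests (and any digest that is not 64 hex characters after the `sha256:` prefix), and adding a short comment in the docs that every string field here is an example to be replaced. The free-text fields (`encrypted_snapshot_location`, `isolated_environment`, `destroyed_environment_evidence`) are fine as prose, but the validator should at least check they are non-empty and not still equal to the template text.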


@@ -271,6 +271,15 @@ Before any live application secrets move into OpenBao:
4. Run an isolated restore drill before treating OpenBao as live secret
custody. The drill must prove that a fresh OpenBao instance can restore the
snapshot, unseal, and read a test secret.
Record only non-secret evidence using
`docs/openbao-restore-drill-evidence.example.json` as a template, then
validate it with:
```bash
make openbao-validate-restore-evidence \
OPENBAO_RESTORE_EVIDENCE=/path/to/evidence.json
```
5. Decide where audit logs are shipped durably. The audit PVC alone is not a
durable audit sink. The interim `audit-core` mock file backend can prove API
and setup wiring, but it writes to `/tmp` and is not production retention.