Add OpenBao restore evidence validator
@@ -271,6 +271,15 @@ Before any live application secrets move into OpenBao:
4. Run an isolated restore drill before treating OpenBao as live secret
custody. The drill must prove that a fresh OpenBao instance can restore the
snapshot, unseal, and read a test secret.
Record only non-secret evidence using
`docs/openbao-restore-drill-evidence.example.json` as a template, then
validate it with:
```bash
make openbao-validate-restore-evidence \
OPENBAO_RESTORE_EVIDENCE=/path/to/evidence.json
```
5. Decide where audit logs are shipped durably. The audit PVC alone is not a
durable audit sink. The interim `audit-core` mock file backend can prove API
and setup wiring, but it writes to `/tmp` and is not production retention.
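Review bot: the added paragraph ("Record only non-secret evidence ... validate it with:") tells the operator what not to write down but never says what `make openbao-validate-restore-evidence` actually enforces, so a reader cannot tell whether a passing validation means the drill proved anything. State explicitly that the validator requires the evidence to record the three outcomes step 4 demands (snapshot restored on a fresh instance, successful unseal, test secret read back) and that it rejects fields carrying secret material such as unseal key shares or a root token, since the "non-secret" rule is otherwise only a convention. Also document the exit behaviour: if the target exits non-zero on invalid or missing evidence, say so, because that is what lets this step gate the move to live secret custody; and note that `OPENBAO_RESTORE_EVIDENCE` is passed as a make variable, so an unset or wrong path should fail loudly rather than validate nothing. Finally, the example template path `docs/openbao-restore-drill-evidence.example.json` is referenced here but does not appear in this hunk; confirm it ships in the same commit.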