Add OpenBao restore evidence validator

This commit is contained in:
2026-06-01 23:57:00 +02:00
parent c0d4ec9037
commit 123b9aafce
5 changed files with 156 additions and 1 deletion


@@ -271,6 +271,15 @@ Before any live application secrets move into OpenBao:
4. Run an isolated restore drill before treating OpenBao as live secret
custody. The drill must prove that a fresh OpenBao instance can restore the
snapshot, unseal, and read a test secret.
Record only non-secret evidence using
`docs/openbao-restore-drill-evidence.example.json` as a template, then
validate it with:
```bash
make openbao-validate-restore-evidence \
OPENBAO_RESTORE_EVIDENCE=/path/to/evidence.json
```
5. Decide where audit logs are shipped durably. The audit PVC alone is not a
durable audit sink. The interim `audit-core` mock file backend can prove API
and setup wiring, but it writes to `/tmp` and is not production retention.
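Review bot: step 4 tells the operator to run `make openbao-validate-restore-evidence OPENBAO_RESTORE_EVIDENCE=/path/to/evidence.json` but never says what the validator checks or what a failure means, so a reader cannot distinguish a malformed evidence file from a drill that actually fell short. Since the same step insists on recording only non-secret evidence, the paragraph should state that the validator rejects any field that looks like the test secret's value, unseal key material or a root token, and that the make target fails with an explicit message when `OPENBAO_RESTORE_EVIDENCE` is unset instead of validating nothing. It would also help to list the minimum fields the template carries, matching what the drill must prove (which snapshot was restored, the unseal result, the path of the test secret read), so the example JSON and this text do not drift apart.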