Clean up OpenBao config rerun output

This commit is contained in:
2026-05-25 15:57:24 +02:00
parent b76e9101d8
commit 3a5f9f58e9
2 changed files with 32 additions and 5 deletions


@@ -204,6 +204,9 @@ successfully with a warning after applying the other bootstrap configuration.
Treat declarative audit configuration in the OpenBao server config/Helm values Treat declarative audit configuration in the OpenBao server config/Helm values
as mandatory before production secrets move in. as mandatory before production secrets move in.
The helper is idempotent. Re-running it should report existing `platform/` and
`kubernetes/` paths as already enabled instead of failing the ceremony.
After the helper succeeds, create a non-root admin token: After the helper succeeds, create a non-root admin token:
```bash ```bash


@@ -117,23 +117,47 @@ enable_file_audit() {
fi fi
status=$? status=$?
printf '%s\n' "$output" >&2
case "$output" in case "$output" in
*"cannot enable audit device via API"*) *"cannot enable audit device via API"*)
warn "OpenBao rejected API-managed audit enable. Configure audit devices declaratively in the OpenBao server config/Helm values." warn "OpenBao rejected API-managed audit enable. Configure audit devices declaratively in the OpenBao server config/Helm values."
return 0 return 0
;; ;;
*"path is already in use"*) *"path is already in use"*)
warn "OpenBao file audit device already appears to be enabled." printf 'OK: OpenBao file audit device already appears to be enabled.\n'
return 0 return 0
;; ;;
*) *)
printf '%s\n' "$output" >&2
warn "OpenBao audit enable failed with exit code $status." warn "OpenBao audit enable failed with exit code $status."
return 0 return 0
;; ;;
esac esac
} }
enable_optional() {
local token="$1"
local already_message="$2"
shift 2
local output status
if output="$(remote_bao "$token" "$@" 2>&1)"; then
printf '%s\n' "$output"
return 0
fi
status=$?
case "$output" in
*"path is already in use"*)
printf 'OK: %s\n' "$already_message"
return 0
;;
*)
printf '%s\n' "$output" >&2
warn "OpenBao command failed with exit code $status: bao $*"
return 0
;;
esac
}
show_audit_list() { show_audit_list() {
local token="$1" local token="$1"
local output status local output status
@@ -143,12 +167,12 @@ show_audit_list() {
fi fi
status=$? status=$?
printf '%s\n' "$output" >&2
if printf '%s\n' "$output" | grep -qi "No audit devices are enabled"; then if printf '%s\n' "$output" | grep -qi "No audit devices are enabled"; then
warn "No API-visible audit devices are enabled. Treat declarative audit configuration as a follow-up before production secrets." warn "No API-visible audit devices are enabled. Treat declarative audit configuration as a follow-up before production secrets."
return 0 return 0
fi fi
printf '%s\n' "$output" >&2
warn "OpenBao audit list failed with exit code $status." warn "OpenBao audit list failed with exit code $status."
return 0 return 0
} }
@@ -162,8 +186,8 @@ fi
remote_bao "$token" status remote_bao "$token" status
enable_file_audit "$token" enable_file_audit "$token"
remote_bao "$token" secrets enable -path=platform kv-v2 || true enable_optional "$token" "platform/ KV secrets engine is already enabled." secrets enable -path=platform kv-v2
remote_bao "$token" auth enable kubernetes || true enable_optional "$token" "kubernetes/ auth method is already enabled." auth enable kubernetes
remote_sh "$token" 'bao write auth/kubernetes/config \ remote_sh "$token" 'bao write auth/kubernetes/config \
kubernetes_host="https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}" \ kubernetes_host="https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}" \