From 5840783e4477018196e03d616271eeebed93530d Mon Sep 17 00:00:00 2001 From: tegwick Date: Fri, 29 May 2026 02:11:01 +0200 Subject: [PATCH] Close Railiance OpenBao workplan --- ...P-0002-openbao-platform-secrets-service.md | 34 ++++++++++++++++--- 1 file changed, 29 insertions(+), 5 deletions(-) diff --git a/workplans/RAIL-PL-WP-0002-openbao-platform-secrets-service.md b/workplans/RAIL-PL-WP-0002-openbao-platform-secrets-service.md index cb6c558..e0a6113 100644 --- a/workplans/RAIL-PL-WP-0002-openbao-platform-secrets-service.md +++ b/workplans/RAIL-PL-WP-0002-openbao-platform-secrets-service.md @@ -4,13 +4,13 @@ type: workplan title: "OpenBao Platform Secrets Service" domain: railiance repo: railiance-platform -status: active +status: finished owner: codex topic_slug: railiance planning_priority: high planning_order: 2 created: "2026-05-17" -updated: "2026-05-26" +updated: "2026-05-29" depends_on: - RAIL-PL-WP-0001 state_hub_workstream_id: "fd1c045a-01d4-43be-980f-acbda6c64e6c" @@ -114,7 +114,7 @@ ceremony. ```task id: RAIL-PL-WP-0002-T03 -status: in_progress +status: done priority: high state_hub_task_id: "509ccfd4-1775-4be4-b8e4-8d5bcf17f91e" ``` @@ -153,6 +153,14 @@ durable audit shipping, OIDC-backed admin login verification, residual taint response, and cleanup before live application secrets move in. These remaining operator-facing gates are consolidated in `NET-WP-0017`. +**2026-05-29:** Railiance-owned bootstrap and break-glass scope is complete: +`make openbao-status` and `make openbao-verify-post-unseal` pass against the +live Railiance01 OpenBao pod, which is initialized, unsealed, and active with +Bound data/audit PVCs. The production-trust gates that remain before ordinary +user onboarding or live application secrets move into OpenBao are now explicitly +owned by `NET-WP-0017`: declarative/durable audit closeout, OIDC-backed admin +login evidence, residual taint cleanup, and hardening. + ### T04 - Auth Methods And Workload Integration ```task 
@@ -180,7 +188,7 @@ OpenBao injector remains disabled. ```task id: RAIL-PL-WP-0002-T05 -status: in_progress +status: done priority: medium state_hub_task_id: "0d717bdd-76bc-41b4-b633-ba07214b4095" ``` @@ -201,6 +209,14 @@ delivery, while `artifact-store` owns S3 backend behavior and credential refresh decisions. NetKingdom remains the default owner for OIDC identity if object storage adopts `AssumeRoleWithWebIdentity`. +**2026-05-29:** Initial secret-engine scope is complete for this workplan: +OpenBao has the `platform/` KV path and Kubernetes auth configured through the +initial configuration helper, with `platform-admin` and `platform-readonly` +policies present. Database dynamic credentials, PKI, SSH, and object-storage +STS vending remain future integration work owned by their downstream service +workplans and `ARTIFACT-STORE-WP-0007`; they are not blockers for the platform +secrets service closeout. + ### T06 - Backup, Audit, Monitoring, And Verification ```task @@ -232,7 +248,7 @@ production-readiness closeout. ```task id: RAIL-PL-WP-0002-T07 -status: in_progress +status: done priority: medium state_hub_task_id: "89149b60-562b-4a5b-978d-0f9136ffa114" ``` @@ -262,6 +278,14 @@ Credential Vending` instead of creating duplicate S3 backend work in `ARTIFACT-STORE-WP-0007-T004` and follow-up routing in `ARTIFACT-STORE-WP-0007-T005`. +**2026-05-29:** Cross-repo transition ownership is explicit enough for +Railiance closeout. NetKingdom owns the remaining identity, OIDC admin login, +operator UX, hardening, and onboarding-readiness gates through `NET-WP-0017`. +Artifact-store owns S3-compatible backend and credential-vending decisions +through `ARTIFACT-STORE-WP-0007`. Future application-specific OpenBao adoption +belongs with the relevant S5/application workplans once user onboarding is +unblocked. + ## Acceptance Criteria - Railiance has an explicit decision on OpenBao versus HashiCorp Vault
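Review bot: in the frontmatter hunk (`@@ -4,13 +4,13 @@`), `status: active` becomes `status: finished`, but this patch only flips T03, T05 and T07 to `done`; the T04 (Auth Methods And Workload Integration) and T06 (Backup, Audit, Monitoring, And Verification) task blocks are not touched here, so confirm they are already `done` in the file, or that a finished workplan is allowed to carry open tasks, before merging, and mirror the status change to the state hub workstream `fd1c045a-01d4-43be-980f-acbda6c64e6c` so the two records do not drift.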
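Review bot: the 2026-05-29 closeout note under T03 (`@@ -153,6 +153,14 @@`) states that `make openbao-status` and `make openbao-verify-post-unseal` pass against the live Railiance01 pod but gives no pointer to where that evidence is captured; since the same note defers durable audit closeout and residual taint cleanup to `NET-WP-0017`, suggest adding a link to the captured verification output (or the run that produced it) so the "initialized, unsealed, and active" claim can be checked later rather than taken on the note's word.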
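Review bot: the T05 closeout note (`@@ -201,6 +209,14 @@`) says Kubernetes auth and the `platform-admin` / `platform-readonly` policies are configured "through the initial configuration helper" but does not name the helper, say which service accounts and namespaces the Kubernetes auth role is bound to, or state what path scope the two policies grant; suggest citing the helper's location and the bound role parameters so a reviewer can confirm that `platform-readonly` is read-only on `platform/` and that `platform-admin` is not reachable from ordinary workload service accounts.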
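Review bot: the T07 closeout note (`@@ -262,6 +278,14 @@`) refers to "the relevant S5/application workplans" without identifiers, whereas every other handoff in this patch cites a concrete workplan ID (`NET-WP-0017`, `ARTIFACT-STORE-WP-0007`); suggest listing the workplan IDs, or an explicit "to be assigned" marker, so the owner of future application-specific OpenBao adoption is traceable once onboarding is unblocked.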