Close Railiance OpenBao workplan
@@ -4,13 +4,13 @@ type: workplan
|
|||||||
title: "OpenBao Platform Secrets Service"
|
title: "OpenBao Platform Secrets Service"
|
||||||
domain: railiance
|
domain: railiance
|
||||||
repo: railiance-platform
|
repo: railiance-platform
|
||||||
status: active
|
status: finished
|
||||||
owner: codex
|
owner: codex
|
||||||
topic_slug: railiance
|
topic_slug: railiance
|
||||||
planning_priority: high
|
planning_priority: high
|
||||||
planning_order: 2
|
planning_order: 2
|
||||||
created: "2026-05-17"
|
created: "2026-05-17"
|
||||||
updated: "2026-05-26"
|
updated: "2026-05-29"
|
||||||
depends_on:
|
depends_on:
|
||||||
- RAIL-PL-WP-0001
|
- RAIL-PL-WP-0001
|
||||||
state_hub_workstream_id: "fd1c045a-01d4-43be-980f-acbda6c64e6c"
|
state_hub_workstream_id: "fd1c045a-01d4-43be-980f-acbda6c64e6c"
|
||||||
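Review bot: `status: finished` is set here while the body notes added later in this same patch hand the still-open production-trust gates to `NET-WP-0017` and the S3/credential-vending work to `ARTIFACT-STORE-WP-0007`, yet the front matter only carries `depends_on: RAIL-PL-WP-0001`; consider adding a handoff or successor reference alongside `depends_on` so someone reading the metadata alone can find where the open gates now live instead of discovering them in the task notes.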
@@ -114,7 +114,7 @@ ceremony.
|
|||||||
|
|
||||||
```task
|
```task
|
||||||
id: RAIL-PL-WP-0002-T03
|
id: RAIL-PL-WP-0002-T03
|
||||||
status: in_progress
|
status: done
|
||||||
priority: high
|
priority: high
|
||||||
state_hub_task_id: "509ccfd4-1775-4be4-b8e4-8d5bcf17f91e"
|
state_hub_task_id: "509ccfd4-1775-4be4-b8e4-8d5bcf17f91e"
|
||||||
```
|
```
|
||||||
@@ -153,6 +153,14 @@ durable audit shipping, OIDC-backed admin login verification, residual taint
|
|||||||
response, and cleanup before live application secrets move in. These remaining
|
response, and cleanup before live application secrets move in. These remaining
|
||||||
operator-facing gates are consolidated in `NET-WP-0017`.
|
operator-facing gates are consolidated in `NET-WP-0017`.
|
||||||
|
|
||||||
|
**2026-05-29:** Railiance-owned bootstrap and break-glass scope is complete:
|
||||||
|
`make openbao-status` and `make openbao-verify-post-unseal` pass against the
|
||||||
|
live Railiance01 OpenBao pod, which is initialized, unsealed, and active with
|
||||||
|
Bound data/audit PVCs. The production-trust gates that remain before ordinary
|
||||||
|
user onboarding or live application secrets move into OpenBao are now explicitly
|
||||||
|
owned by `NET-WP-0017`: declarative/durable audit closeout, OIDC-backed admin
|
||||||
|
login evidence, residual taint cleanup, and hardening.
|
||||||
|
|
||||||
### T04 - Auth Methods And Workload Integration
|
### T04 - Auth Methods And Workload Integration
|
||||||
|
|
||||||
```task
|
```task
|
||||||
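Review bot: the added 2026-05-29 note declares the bootstrap and break-glass scope complete on the strength of `make openbao-status` and `make openbao-verify-post-unseal`, but it records neither where the break-glass material the init ceremony produces (unseal or recovery key shares, initial root token) is now held nor whether the initial root token was revoked once the admin auth path existed; that is the one fact a later incident responder will need, so add it to the note or link the ceremony record. Also, "Bound data/audit PVCs" reads as a stray capital mid-sentence unless `Bound` is meant as the PVC phase; quote it as `Bound` or lowercase it.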
@@ -180,7 +188,7 @@ OpenBao injector remains disabled.
|
|||||||
|
|
||||||
```task
|
```task
|
||||||
id: RAIL-PL-WP-0002-T05
|
id: RAIL-PL-WP-0002-T05
|
||||||
status: in_progress
|
status: done
|
||||||
priority: medium
|
priority: medium
|
||||||
state_hub_task_id: "0d717bdd-76bc-41b4-b633-ba07214b4095"
|
state_hub_task_id: "0d717bdd-76bc-41b4-b633-ba07214b4095"
|
||||||
```
|
```
|
||||||
@@ -201,6 +209,14 @@ delivery, while `artifact-store` owns S3 backend behavior and
|
|||||||
credential refresh decisions. NetKingdom remains the default owner for OIDC
|
credential refresh decisions. NetKingdom remains the default owner for OIDC
|
||||||
identity if object storage adopts `AssumeRoleWithWebIdentity`.
|
identity if object storage adopts `AssumeRoleWithWebIdentity`.
|
||||||
|
|
||||||
|
**2026-05-29:** Initial secret-engine scope is complete for this workplan:
|
||||||
|
OpenBao has the `platform/` KV path and Kubernetes auth configured through the
|
||||||
|
initial configuration helper, with `platform-admin` and `platform-readonly`
|
||||||
|
policies present. Database dynamic credentials, PKI, SSH, and object-storage
|
||||||
|
STS vending remain future integration work owned by their downstream service
|
||||||
|
workplans and `ARTIFACT-STORE-WP-0007`; they are not blockers for the platform
|
||||||
|
secrets service closeout.
|
||||||
|
|
||||||
### T06 - Backup, Audit, Monitoring, And Verification
|
### T06 - Backup, Audit, Monitoring, And Verification
|
||||||
|
|
||||||
```task
|
```task
|
||||||
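Review bot: the note names the `platform-admin` and `platform-readonly` policies and says Kubernetes auth is configured through the initial configuration helper, but not which Kubernetes auth roles exist, which service accounts and namespaces each role is bound to, or which of the two policies each role receives; without that mapping the admin versus read-only split cannot be reviewed from the workplan. Suggest adding the role-to-policy mapping here, or at least the path to the helper that defines it.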
@@ -232,7 +248,7 @@ production-readiness closeout.
|
|||||||
|
|
||||||
```task
|
```task
|
||||||
id: RAIL-PL-WP-0002-T07
|
id: RAIL-PL-WP-0002-T07
|
||||||
status: in_progress
|
status: done
|
||||||
priority: medium
|
priority: medium
|
||||||
state_hub_task_id: "89149b60-562b-4a5b-978d-0f9136ffa114"
|
state_hub_task_id: "89149b60-562b-4a5b-978d-0f9136ffa114"
|
||||||
```
|
```
|
||||||
@@ -262,6 +278,14 @@ Credential Vending` instead of creating duplicate S3 backend work in
|
|||||||
`ARTIFACT-STORE-WP-0007-T004` and follow-up routing in
|
`ARTIFACT-STORE-WP-0007-T004` and follow-up routing in
|
||||||
`ARTIFACT-STORE-WP-0007-T005`.
|
`ARTIFACT-STORE-WP-0007-T005`.
|
||||||
|
|
||||||
|
**2026-05-29:** Cross-repo transition ownership is explicit enough for
|
||||||
|
Railiance closeout. NetKingdom owns the remaining identity, OIDC admin login,
|
||||||
|
operator UX, hardening, and onboarding-readiness gates through `NET-WP-0017`.
|
||||||
|
Artifact-store owns S3-compatible backend and credential-vending decisions
|
||||||
|
through `ARTIFACT-STORE-WP-0007`. Future application-specific OpenBao adoption
|
||||||
|
belongs with the relevant S5/application workplans once user onboarding is
|
||||||
|
unblocked.
|
||||||
|
|
||||||
## Acceptance Criteria
|
## Acceptance Criteria
|
||||||
|
|
||||||
- Railiance has an explicit decision on OpenBao versus HashiCorp Vault
|
- Railiance has an explicit decision on OpenBao versus HashiCorp Vault
|
||||||
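Review bot: "the relevant S5/application workplans" introduces the label `S5` without expansion anywhere in the visible text, and "once user onboarding is unblocked" does not say which gate unblocks it; suggest expanding `S5` on first use and naming `NET-WP-0017` as the unblocking gate, consistent with the earlier note in this patch that places the onboarding-readiness gates under it.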