Close Railiance OpenBao workplan

2026-05-29 02:11:01 +02:00
parent b7290280b6
commit 5840783e44


@@ -4,13 +4,13 @@ type: workplan
title: "OpenBao Platform Secrets Service"
domain: railiance
repo: railiance-platform
status: active
status: finished
owner: codex
topic_slug: railiance
planning_priority: high
planning_order: 2
created: "2026-05-17"
updated: "2026-05-26"
updated: "2026-05-29"
depends_on:
- RAIL-PL-WP-0001
state_hub_workstream_id: "fd1c045a-01d4-43be-980f-acbda6c64e6c"
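Review bot: the front-matter flip from `status: active` to `status: finished` is backed only by the task flips visible further down (T03, T05, T07); the T04 and T06 task blocks and the acceptance criteria are not touched in this diff, so either show those tasks moving to `done` or an explicit deferred state in the same commit, or reference the commit that did, so that `finished` does not run ahead of the per-task record. The `updated: "2026-05-29"` bump does match the dated closeout notes below.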
@@ -114,7 +114,7 @@ ceremony.
```task
id: RAIL-PL-WP-0002-T03
status: in_progress
status: done
priority: high
state_hub_task_id: "509ccfd4-1775-4be4-b8e4-8d5bcf17f91e"
```
@@ -153,6 +153,14 @@ durable audit shipping, OIDC-backed admin login verification, residual taint
response, and cleanup before live application secrets move in. These remaining
operator-facing gates are consolidated in `NET-WP-0017`.
**2026-05-29:** Railiance-owned bootstrap and break-glass scope is complete:
`make openbao-status` and `make openbao-verify-post-unseal` pass against the
live Railiance01 OpenBao pod, which is initialized, unsealed, and active with
Bound data/audit PVCs. The production-trust gates that remain before ordinary
user onboarding or live application secrets move into OpenBao are now explicitly
owned by `NET-WP-0017`: declarative/durable audit closeout, OIDC-backed admin
login evidence, residual taint cleanup, and hardening.
### T04 - Auth Methods And Workload Integration
```task
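Review bot: the 2026-05-29 paragraph asserts that `make openbao-status` and `make openbao-verify-post-unseal` pass and that the pod is initialized and unsealed, but gives no evidence pointer (run date, captured output, or the commit that added the verify target) and says nothing about the disposition of the initial root token and unseal key shares produced by the ceremony the hunk header refers to; since T03 is the break-glass task being marked `done`, state where the shares are held and whether the initial root token was revoked, or link the record that does. The paragraph also restates the NET-WP-0017 hand-off already given two paragraphs up (`These remaining operator-facing gates are consolidated in` `NET-WP-0017`), so consider folding the dated note into that sentence rather than repeating the gate list.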
@@ -180,7 +188,7 @@ OpenBao injector remains disabled.
```task
id: RAIL-PL-WP-0002-T05
status: in_progress
status: done
priority: medium
state_hub_task_id: "0d717bdd-76bc-41b4-b633-ba07214b4095"
```
@@ -201,6 +209,14 @@ delivery, while `artifact-store` owns S3 backend behavior and
credential refresh decisions. NetKingdom remains the default owner for OIDC
identity if object storage adopts `AssumeRoleWithWebIdentity`.
**2026-05-29:** Initial secret-engine scope is complete for this workplan:
OpenBao has the `platform/` KV path and Kubernetes auth configured through the
initial configuration helper, with `platform-admin` and `platform-readonly`
policies present. Database dynamic credentials, PKI, SSH, and object-storage
STS vending remain future integration work owned by their downstream service
workplans and `ARTIFACT-STORE-WP-0007`; they are not blockers for the platform
secrets service closeout.
### T06 - Backup, Audit, Monitoring, And Verification
```task
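Review bot: "Kubernetes auth configured" and "`platform-admin` and `platform-readonly` policies present" are stated without the role-to-policy mapping, the bound service accounts and namespaces, or whether any Kubernetes auth role binds `platform-admin` at all; since this note is the closeout evidence for the secret-engine scope, add that mapping (or a pointer to the policy and role definitions in `railiance-platform`) so least privilege can be checked, and name the `initial configuration helper` instead of describing it. "Owned by their downstream service workplans" names no workplan for the database, PKI and SSH items; only the STS item is pinned to `ARTIFACT-STORE-WP-0007`.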
@@ -232,7 +248,7 @@ production-readiness closeout.
```task
id: RAIL-PL-WP-0002-T07
status: in_progress
status: done
priority: medium
state_hub_task_id: "89149b60-562b-4a5b-978d-0f9136ffa114"
```
@@ -262,6 +278,14 @@ Credential Vending` instead of creating duplicate S3 backend work in
`ARTIFACT-STORE-WP-0007-T004` and follow-up routing in
`ARTIFACT-STORE-WP-0007-T005`.
**2026-05-29:** Cross-repo transition ownership is explicit enough for
Railiance closeout. NetKingdom owns the remaining identity, OIDC admin login,
operator UX, hardening, and onboarding-readiness gates through `NET-WP-0017`.
Artifact-store owns S3-compatible backend and credential-vending decisions
through `ARTIFACT-STORE-WP-0007`. Future application-specific OpenBao adoption
belongs with the relevant S5/application workplans once user onboarding is
unblocked.
## Acceptance Criteria
- Railiance has an explicit decision on OpenBao versus HashiCorp Vault
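Review bot: "the relevant S5/application workplans" and "once user onboarding is unblocked" name neither a workplan nor the NET-WP-0017 task that unblocks onboarding, so this hand-off cannot be followed from the page; cite the task ID the way the artifact-store hand-off does with `ARTIFACT-STORE-WP-0007-T004` and `-T005` in the context lines above. The `## Acceptance Criteria` section that follows is left unchanged while the plan is now `finished`; mark each criterion met or deferred, naming the owning workplan for deferred ones, so the criteria agree with the status.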