Add OpenBao authenticated readiness verifier

2026-06-01 22:46:14 +02:00
parent f1336d5bcc
commit 5e4040d43d
4 changed files with 290 additions and 1 deletions
--- a/docs/openbao.md
+++ b/docs/openbao.md
@@ -279,6 +279,33 @@ Before any live application secrets move into OpenBao:
   make openbao-verify-post-unseal
   ```

+Authenticated verification, after the KeyCape-backed `platform-admin` path or
+another approved operator token is available:
+
+```bash
+make openbao-verify-authenticated
+```
+
+The target prompts for the token without echoing it, never puts the token on
+the command line, and only runs non-mutating checks. It verifies that
+`bao audit list` shows `file/`, `bao secrets list` shows `platform/`,
+`bao auth list` shows both `kubernetes/` and `keycape/`, and that the file
+audit log is non-empty.
+
+If a previous attended OIDC login stored a still-valid token in the pod token
+helper, use:
+
+```bash
+make openbao-verify-authenticated OPENBAO_VERIFY_AUTH_ARGS=--use-token-helper
+```
+
+Current durable audit status: the file audit device writes to the audit PVC,
+which is necessary but not enough for production trust. Before application
+secrets move into OpenBao, choose and test a durable audit sink beyond that PVC
+such as an encrypted platform backup/export path or the future centralized
+logging stack. Do not treat non-secret hashes, screenshots, or State Hub notes
+as substitutes for retained audit log custody.
+
 Monitoring baseline:

 - pod readiness and liveness from Kubernetes probes