Add OpenBao authenticated readiness verifier
@@ -265,6 +265,17 @@ pin the live OpenBao image tag to `2.5.4`; Helm release revision 3 has the same
explicit tag and the pod remained ready, so future chart upgrades do not
implicitly change the runtime version while applying unrelated configuration.
**2026-06-01:** Added `make openbao-verify-authenticated` as a non-mutating
operator proof for the remaining OpenBao readiness checks that require an
approved token. The helper prompts for the token without echoing it, verifies
`file/` audit visibility, `platform/` secrets, `kubernetes/` and `keycape/`
auth methods, and confirms the audit log file is non-empty. It can also use an
already-valid pod token helper via
`OPENBAO_VERIFY_AUTH_ARGS=--use-token-helper` so the token does not move
through the local shell at all. Durable audit shipping beyond the audit PVC
remains intentionally open until a tested sink is selected; State Hub notes and
hashes are evidence, not retained audit custody.
### T07 - Cross-Repo Transition Tasks
```task
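Review bot: The added 2026-06-01 entry says the checks need "an approved token" but does not say what that token must be allowed to do; state the minimum read-only policy the verifier needs (listing audit devices, secrets mounts and auth methods) so operators do not run it with a broader token than necessary. In the same paragraph, "confirms the audit log file is non-empty" only shows the file was written at some point, so consider noting whether the helper also checks that entries are recent. It would also help to say how the prompted token reaches the pod in the default path, since the text only states that `OPENBAO_VERIFY_AUTH_ARGS=--use-token-helper` keeps it out of the local shell.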