Add OpenBao emergency drill evidence validator

2026-06-02 00:08:17 +02:00
parent 123b9aafce
commit 606a5f3e1e
5 changed files with 152 additions and 1 deletions
--- a/docs/openbao.md
+++ b/docs/openbao.md
@@ -322,6 +322,16 @@ Audit Core backend that writes JSONL records under
 days. Use it only to wire interfaces and setup validation before the durable
 Audit Core archive exists.

+Emergency seal/unseal drills are disruptive and must only run in an attended
+window with threshold unseal shares available. Record non-secret drill evidence
+using `docs/openbao-emergency-drill-evidence.example.json` as a template, then
+validate it with:
+
+```bash
+make openbao-validate-emergency-evidence \
+  OPENBAO_EMERGENCY_EVIDENCE=/path/to/evidence.json
+```
+
 Monitoring baseline:

 - pod readiness and liveness from Kubernetes probes