fix(openbao): complete SSH apply script for OpenBao 2.5.x issuers

Generate default CA via ssh/config/ca, split composite KUBECTL for role writes,
read pubkey from config/ca, allow warden key_id in roles, prefer production kubeconfig.
2026-06-18 01:18:56 +02:00
parent c24956fb5a
commit 7838df6069
3 changed files with 48 additions and 8 deletions


@@ -8,6 +8,7 @@ roles:
key_type: ca
allowed_users: "*"
allow_user_certificates: true
allow_user_key_ids: true
default_user: adm
ttl: 48h
max_ttl: 48h
@@ -15,6 +16,7 @@ roles:
key_type: ca
allowed_users: "*"
allow_user_certificates: true
allow_user_key_ids: true
default_user: agt
ttl: 24h
max_ttl: 24h
@@ -22,6 +24,7 @@ roles:
key_type: ca
allowed_users: "*"
allow_user_certificates: true
allow_user_key_ids: true
default_user: atm
ttl: 8h
max_ttl: 8h
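Review bot: Setting `allow_user_key_ids: true` on all three roles (the ones with `default_user` adm, agt and atm) makes the certificate key ID a caller-supplied value, and that key ID is the identity string sshd writes to its logs. Together with the existing `allowed_users: "*"`, the role itself then constrains neither the principal nor the label, so attribution depends entirely on which tokens the policy lets sign against these roles. I would put a comment above each added line, e.g. `# key_id is set by warden; only warden's policy may sign on this role, attribute sessions via the OpenBao audit log`, and confirm that the policy side matches. If warden only needs a fixed pattern, the role-level `key_id_format` would keep the ID server-controlled instead. The role names and the rest of each role sit outside the hunks, so this is based on the visible keys only.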