Add credential approval workflow plan

scripts/openbao-apply-workload-kv-lanes.sh

@@ -0,0 +1,137 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+OPENBAO_NAMESPACE="${OPENBAO_NAMESPACE:-openbao}"
+OPENBAO_RELEASE="${OPENBAO_RELEASE:-openbao}"
+KUBECTL="${KUBECTL:-kubectl}"
+TOKEN_FILE="${OPENBAO_TOKEN_FILE:-}"
+REPO_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+POLICY_NAME="${WORKLOAD_KV_POLICY_NAME:-workload-kv-read-whynot-design-npm-publish}"
+POLICY_FILE="${WORKLOAD_KV_POLICY_FILE:-$REPO_DIR/openbao/policies/workload-kv-read-whynot-design-npm-publish.hcl}"
+DRY_RUN=0
+USE_TOKEN_HELPER=0
+
+usage() {
+  cat <<'USAGE'
+Usage: scripts/openbao-apply-workload-kv-lanes.sh [--dry-run] [--use-token-helper]
+
+Applies source-owned OpenBao workload KV read-lane policies.
+
+Current lane:
+  - policy: workload-kv-read-whynot-design-npm-publish
+  - path:   platform/workloads/whynot-design/whynot-design/npm-publish
+  - field:  NPM_AUTH_TOKEN
+
+The script reads an OpenBao operator token from OPENBAO_TOKEN_FILE or an
+interactive hidden prompt unless --dry-run or --use-token-helper is set. It
+never prints or stores the token.
+
+This script intentionally does not create an OIDC role until the whynot-design
+KeyCape/NetKingdom bound claim is confirmed.
+USAGE
+}
+
+while [ "$#" -gt 0 ]; do
+  case "$1" in
+    --dry-run)
+      DRY_RUN=1
+      shift
+      ;;
+    --use-token-helper)
+      USE_TOKEN_HELPER=1
+      shift
+      ;;
+    -h|--help)
+      usage
+      exit 0
+      ;;
+    *)
+      echo "ERROR: unknown argument: $1" >&2
+      usage >&2
+      exit 2
+      ;;
+  esac
+done
+
+pod="${OPENBAO_RELEASE}-0"
+
+read_token() {
+  if [ "$DRY_RUN" -eq 1 ] || [ "$USE_TOKEN_HELPER" -eq 1 ]; then
+    return
+  fi
+  if [ -n "$TOKEN_FILE" ]; then
+    if [ ! -f "$TOKEN_FILE" ]; then
+      echo "ERROR: OPENBAO_TOKEN_FILE does not exist: $TOKEN_FILE" >&2
+      exit 1
+    fi
+    head -n 1 "$TOKEN_FILE"
+    return
+  fi
+
+  local token
+  read -r -s -p "OpenBao token: " token
+  printf '\n' >&2
+  printf '%s\n' "$token"
+}
+
+remote_bao() {
+  local token="$1"
+  shift
+  if [ "$DRY_RUN" -eq 1 ]; then
+    printf 'DRY-RUN: bao %s\n' "$*"
+    return 0
+  fi
+  if [ "$USE_TOKEN_HELPER" -eq 1 ]; then
+    # shellcheck disable=SC2086
+    $KUBECTL exec -i -n "$OPENBAO_NAMESPACE" "$pod" -- bao "$@"
+    return
+  fi
+  # shellcheck disable=SC2086
+  printf '%s\n' "$token" | $KUBECTL exec -i -n "$OPENBAO_NAMESPACE" "$pod" -- \
+    sh -c 'read -r BAO_TOKEN; export BAO_TOKEN; exec bao "$@"' sh "$@"
+}
+
+write_policy() {
+  local token="$1"
+  if [ ! -f "$POLICY_FILE" ]; then
+    echo "ERROR: missing policy file: $POLICY_FILE" >&2
+    exit 1
+  fi
+  if [ "$DRY_RUN" -eq 1 ]; then
+    printf 'DRY-RUN: bao policy write %s %s\n' "$POLICY_NAME" "$POLICY_FILE"
+    return 0
+  fi
+  if [ "$USE_TOKEN_HELPER" -eq 1 ]; then
+    # shellcheck disable=SC2086
+    cat "$POLICY_FILE" | $KUBECTL exec -i -n "$OPENBAO_NAMESPACE" "$pod" -- \
+      bao policy write "$POLICY_NAME" -
+    return
+  fi
+  # shellcheck disable=SC2086
+  { printf '%s\n' "$token"; cat "$POLICY_FILE"; } | \
+    $KUBECTL exec -i -n "$OPENBAO_NAMESPACE" "$pod" -- \
+      sh -c 'read -r BAO_TOKEN; export BAO_TOKEN; bao policy write "$1" -' sh "$POLICY_NAME"
+}
+
+token="$(read_token)"
+if [ "$DRY_RUN" -eq 0 ] && [ "$USE_TOKEN_HELPER" -eq 0 ] && [ -z "$token" ]; then
+  echo "ERROR: empty OpenBao token" >&2
+  exit 1
+fi
+
+remote_bao "$token" status
+write_policy "$token"
+remote_bao "$token" policy read "$POLICY_NAME"
+
+cat <<'NEXT'
+
+Workload KV read-lane policy apply path completed.
+
+Remaining live steps:
+  1. Confirm the whynot-design KeyCape/NetKingdom bound claim or service account.
+  2. Create auth/netkingdom/role/whynot-design-workload-kv-read with only the
+     workload-kv-read-whynot-design-npm-publish policy.
+  3. Provision platform/workloads/whynot-design/whynot-design/npm-publish with
+     field NPM_AUTH_TOKEN through approved OpenBao/operator custody.
+  4. Run positive and negative fetch verification without printing the token.
+NEXT