openbao king credential bootstrapping
@@ -88,6 +88,27 @@ That state is intentional until the bootstrap ceremony is completed.
Do not initialize OpenBao in a casual shell session. Initialization emits the
unseal keys and initial root token. Treat this as a break-glass event.

### Setup Operator And King Credential

The initial accountable setup operator/contact is `tegwick`
(`bernd.worsch@gmail.com`), with Gitea identity `tegwick`. This identity can
assemble early infrastructure, receive notifications, and operate day-to-day
Git/Gitea workflows, but it is not the desired long-term platform root of
trust.

The actual platform-root target is a separate king credential created through
the NetKingdom bootstrap path before OpenBao becomes live secret custody. Email
may receive notifications, but Gitea, Git, State Hub, chat, tickets, shell
history, and email must not store or transfer OpenBao unseal keys, root tokens,
private keys, OTP seeds, recovery codes, or screenshots of secret output.

The canonical custody policy is in
`net-kingdom/docs/platform-root-custody.md`. The preferred production posture
is independent two-of-three custody. Temporary single-operator king custody is
feasible for pre-production bootstrap only when second-factor protection,
offline recovery storage, and a low-friction upgrade path to additional
custodians are in place.

Pre-flight checks:

```bash
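Review bot: the temporary single-custodian exception in the last paragraph of this hunk states its three preconditions but not who approves it, where the approval is recorded, or when it expires; since the pre-flight list later requires the custody mode to be "recorded", say here where that record lives and by when additional custodians must be added, e.g. "The exception, its approver, and the date by which independent custodians must be added are recorded in `net-kingdom/docs/platform-root-custody.md`." The prohibited-channel list also names shell history, yet the ceremony steps that follow run `bao operator init` from a shell; make the prohibition actionable by stating that the init session runs with history disabled or from a dedicated ceremony host.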
@@ -102,12 +123,16 @@ Proceed only when:
- `bao status` reports `Initialized: false` and `Sealed: true`.
- Railiance01 host/cluster backup posture is understood for this maintenance
window.
- three human escrow recipients are named before the command is run.
- the guided NetKingdom bootstrap path exists for creating or importing the
king credential.
- the OpenBao custody mode is recorded: preferred independent custody, or an
explicit temporary single-custodian king bootstrap exception.

Recommended ceremony:

1. Confirm the Railiance01 backup posture first.
2. Prepare three human escrow recipients for unseal shares.
2. Prepare the king credential and approved escrow holders or offline
single-custody locations.
3. Run initialization once:

```bash
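Review bot: the numbered ceremony now shows two items labelled `2.` ("Prepare three human escrow recipients for unseal shares." and "Prepare the king credential and approved escrow holders or offline single-custody locations."); if the first was meant to be replaced, confirm it is removed, and if both are intended, renumber. The pre-flight bullet "three human escrow recipients are named before the command is run" also contradicts the single-custodian exception admitted by the last bullet; condition it on the custody mode, e.g. "- escrow recipients (three humans under independent custody, or the approved offline locations under the exception) are named before the command is run." Bullet capitalisation is inconsistent: the first two start upper-case, the rest lower-case.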
@@ -115,7 +140,8 @@ Recommended ceremony:
bao operator init -key-shares=3 -key-threshold=2
```

4. Give each unseal share to its escrow owner through an out-of-band channel.
4. Give each unseal share to its escrow owner or approved king-custody location
through an out-of-band channel.
5. Unseal with two shares:

```bash
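Review bot: step 4 appears twice, once as "to its escrow owner through an out-of-band channel" and once as "to its escrow owner or approved king-custody location through an out-of-band channel"; keep only the new wording. More importantly, `bao operator init -key-shares=3 -key-threshold=2` gives two-party control only when the shares go to independent holders; under the single-custodian exception one person holds all three, so the step should state that the 2-of-3 threshold is not a control in that mode and that the "upgrade path to additional custodians" means re-sharing with `bao operator rekey` once the custodians exist, not handing out copies of the original shares.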
@@ -187,6 +213,8 @@ Initial auth model:

| Actor | Method | Notes |
|-------|--------|-------|
| Setup operator/contact | Gitea `tegwick` / `bernd.worsch@gmail.com` | low-trust assembly and notifications; not platform root of trust |
| King credential | NetKingdom custody record for dedicated platform-root identity | accountable bootstrap/recovery authority; not a Git or email secret store |
| Bootstrap operator | one-time root token | only for initial audit, mounts, auth, policies, and non-root token creation |
| Platform operator | token with `platform-admin` | temporary until NetKingdom OIDC/admin integration is ready |
| Read-only reviewer | token with `platform-readonly` | metadata and health visibility, no secret reads |

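Review bot: in the "Setup operator/contact" row the Method column holds a Gitea username and an email address, which are identities rather than authentication methods, and in the "King credential" row it holds a custody record; either rename the column (e.g. "Identity / credential") or move the email into Notes as the notification address only. The "Bootstrap operator" row says "one-time root token" while the 2026-05-24 status entry later in this commit lists root-token disposition as still open; add to Notes what happens to the token once the listed setup steps are done (revoked, or held under king custody) so the table and the status log agree.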
@@ -10,7 +10,7 @@ topic_slug: railiance
planning_priority: high
planning_order: 2
created: "2026-05-17"
updated: "2026-05-23"
updated: "2026-05-24"
depends_on:
- RAIL-PL-WP-0001
state_hub_workstream_id: "fd1c045a-01d4-43be-980f-acbda6c64e6c"
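Review bot: the rendered hunk shows both `updated: "2026-05-23"` and `updated: "2026-05-24"`; the header `-10,7 +10,7` indicates a one-line replacement, which is what is wanted, but verify the old key did not survive, since a duplicate `updated` key in front matter is either rejected or silently last-wins depending on the YAML loader.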
@@ -137,6 +137,14 @@ post-unseal initial configuration path. The actual initialization/unseal
ceremony remains gated on named human escrow recipients and must not happen in
a casual agent shell.

**2026-05-24:** Revised the custody model: `tegwick`
(`bernd.worsch@gmail.com`, Gitea `tegwick`) is the setup operator/contact, not
the long-term platform root of trust. The OpenBao ceremony is now gated on a
separate NetKingdom king credential and guided bootstrap path. T03 remains
`in_progress`: the live OpenBao init/unseal ceremony is still gated on king
credential creation, custody mode approval, root-token disposition,
reset/rotation, and restore-drill execution.

### T04 - Auth Methods And Workload Integration

```task
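Review bot: the 2026-05-24 entry lists five gates for T03 (king credential creation, custody mode approval, root-token disposition, reset/rotation, restore-drill execution) without saying where each is tracked; the next entry in this commit names `NET-WP-0015` and `NET-WP-0016` as the NetKingdom custody work, so tie the king-credential and custody-mode gates to those IDs and give the remaining three a task or owner, otherwise `in_progress` has no exit criterion a reader can check. The unchanged context line above still says the ceremony "remains gated on named human escrow recipients", which this entry's single-custodian option no longer requires; update it to match.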
@@ -226,6 +234,11 @@ platform secrets authority while SOPS/age remains bootstrap/Git-at-rest
protection. Still needs ops-warden, ops-bridge, artifact-store, S5 app,
and stale HashiCorp Vault wording follow-ups.

**2026-05-24:** Updated NetKingdom custody linkage:
`net-kingdom/docs/platform-root-custody.md`, `NET-WP-0015`, and `NET-WP-0016`
now define `tegwick` as setup operator/contact and a separate king credential
as the platform-root custody target for OpenBao.

**2026-05-17:** Linked the artifact-store transition to
`ARTIFACT-STORE-WP-0007 - MinIO Compatibility, MaxIO Fork Assessment, And STS
Credential Vending` instead of creating duplicate S3 backend work in

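Review bot: with this entry the setup-operator identity (`tegwick`, `bernd.worsch@gmail.com`) is restated in the new Setup Operator section, the auth table, the T03 status entry and here, in addition to `net-kingdom/docs/platform-root-custody.md`, which the text itself calls canonical; keep the custody doc as the single source and have the other places point to it, so a later change of contact does not leave stale copies behind. The "stale HashiCorp Vault wording follow-ups" item in the first context line is still open after this change; if it is tracked elsewhere, name the task here.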