openbao king credential bootstrapping
@@ -88,6 +88,27 @@ That state is intentional until the bootstrap ceremony is completed.
|
|||||||
Do not initialize OpenBao in a casual shell session. Initialization emits the
|
Do not initialize OpenBao in a casual shell session. Initialization emits the
|
||||||
unseal keys and initial root token. Treat this as a break-glass event.
|
unseal keys and initial root token. Treat this as a break-glass event.
|
||||||
|
|
||||||
|
### Setup Operator And King Credential
|
||||||
|
|
||||||
|
The initial accountable setup operator/contact is `tegwick`
|
||||||
|
(`bernd.worsch@gmail.com`), with Gitea identity `tegwick`. This identity can
|
||||||
|
assemble early infrastructure, receive notifications, and operate day-to-day
|
||||||
|
Git/Gitea workflows, but it is not the desired long-term platform root of
|
||||||
|
trust.
|
||||||
|
|
||||||
|
The actual platform-root target is a separate king credential created through
|
||||||
|
the NetKingdom bootstrap path before OpenBao becomes live secret custody. Email
|
||||||
|
may receive notifications, but Gitea, Git, State Hub, chat, tickets, shell
|
||||||
|
history, and email must not store or transfer OpenBao unseal keys, root tokens,
|
||||||
|
private keys, OTP seeds, recovery codes, or screenshots of secret output.
|
||||||
|
|
||||||
|
The canonical custody policy is in
|
||||||
|
`net-kingdom/docs/platform-root-custody.md`. The preferred production posture
|
||||||
|
is independent two-of-three custody. Temporary single-operator king custody is
|
||||||
|
feasible for pre-production bootstrap only when second-factor protection,
|
||||||
|
offline recovery storage, and a low-friction upgrade path to additional
|
||||||
|
custodians are in place.
|
||||||
|
|
||||||
Pre-flight checks:
|
Pre-flight checks:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
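Review bot: the temporary single-operator king custody exception lists its preconditions (second-factor protection, offline recovery storage, a low-friction upgrade path) but states no expiry and no approver, so in practice "pre-production bootstrap only" has nothing that forces the move to the preferred two-of-three custody. Suggest adding to this paragraph who records and approves the exception (the custody-mode record in the pre-flight list is the natural place) and a concrete trigger for ending it, e.g. "before OpenBao becomes live secret custody, the second and third custodians must hold their shares", so the upgrade path is a dated obligation rather than a possibility.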
@@ -102,12 +123,16 @@ Proceed only when:
|
|||||||
- `bao status` reports `Initialized: false` and `Sealed: true`.
|
- `bao status` reports `Initialized: false` and `Sealed: true`.
|
||||||
- Railiance01 host/cluster backup posture is understood for this maintenance
|
- Railiance01 host/cluster backup posture is understood for this maintenance
|
||||||
window.
|
window.
|
||||||
- three human escrow recipients are named before the command is run.
|
- the guided NetKingdom bootstrap path exists for creating or importing the
|
||||||
|
king credential.
|
||||||
|
- the OpenBao custody mode is recorded: preferred independent custody, or an
|
||||||
|
explicit temporary single-custodian king bootstrap exception.
|
||||||
|
|
||||||
Recommended ceremony:
|
Recommended ceremony:
|
||||||
|
|
||||||
1. Confirm the Railiance01 backup posture first.
|
1. Confirm the Railiance01 backup posture first.
|
||||||
2. Prepare three human escrow recipients for unseal shares.
|
2. Prepare the king credential and approved escrow holders or offline
|
||||||
|
single-custody locations.
|
||||||
3. Run initialization once:
|
3. Run initialization once:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
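Review bot: the removed pre-flight item "three human escrow recipients are named before the command is run" has no direct replacement; the two new items check that the bootstrap path exists and that the custody mode is recorded, but nothing in the pre-flight list now requires the actual share holders (or, under the exception, the offline single-custody locations) to be named before `bao operator init` runs. Ceremony step 2 only says "Prepare", which is weaker than a go/no-go check. Suggest keeping a pre-flight line such as "every unseal share has a named escrow holder or approved offline location before the command is run", since `bao operator init` emits all shares at once and there must be a destination for each one the moment they appear.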
@@ -115,7 +140,8 @@ Recommended ceremony:
|
|||||||
bao operator init -key-shares=3 -key-threshold=2
|
bao operator init -key-shares=3 -key-threshold=2
|
||||||
```
|
```
|
||||||
|
|
||||||
4. Give each unseal share to its escrow owner through an out-of-band channel.
|
4. Give each unseal share to its escrow owner or approved king-custody location
|
||||||
|
through an out-of-band channel.
|
||||||
5. Unseal with two shares:
|
5. Unseal with two shares:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
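Review bot: step 4 now allows shares to go to an "approved king-custody location" rather than a person, and `bao operator init -key-shares=3 -key-threshold=2` is unchanged; under the single-custodian exception this permits all three shares to land in one custodian's storage, at which point the 2-of-3 threshold protects against nothing (one location lost or copied is the whole unseal). Suggest stating in step 4 that shares must go to distinct locations so that no single location holds a threshold-meeting set, and that for a location (as opposed to a human recipient) the ceremony log records who placed the share and where, since "out-of-band channel" has no obvious meaning for offline storage.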
@@ -187,6 +213,8 @@ Initial auth model:
|
|||||||
|
|
||||||
| Actor | Method | Notes |
|
| Actor | Method | Notes |
|
||||||
|-------|--------|-------|
|
|-------|--------|-------|
|
||||||
|
| Setup operator/contact | Gitea `tegwick` / `bernd.worsch@gmail.com` | low-trust assembly and notifications; not platform root of trust |
|
||||||
|
| King credential | NetKingdom custody record for dedicated platform-root identity | accountable bootstrap/recovery authority; not a Git or email secret store |
|
||||||
| Bootstrap operator | one-time root token | only for initial audit, mounts, auth, policies, and non-root token creation |
|
| Bootstrap operator | one-time root token | only for initial audit, mounts, auth, policies, and non-root token creation |
|
||||||
| Platform operator | token with `platform-admin` | temporary until NetKingdom OIDC/admin integration is ready |
|
| Platform operator | token with `platform-admin` | temporary until NetKingdom OIDC/admin integration is ready |
|
||||||
| Read-only reviewer | token with `platform-readonly` | metadata and health visibility, no secret reads |
|
| Read-only reviewer | token with `platform-readonly` | metadata and health visibility, no secret reads |
|
||||||
|
|||||||
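Review bot: the new "King credential" row breaks the pattern of the table: every other row's Method column names an OpenBao credential (root token, token with `platform-admin`, token with `platform-readonly`), whereas this row gives "NetKingdom custody record for dedicated platform-root identity", which is a custody artifact rather than an auth method, and the Notes column calls it an "accountable bootstrap/recovery authority" without saying what it can do in OpenBao. Suggest making its OpenBao standing explicit, for instance "holds no standing OpenBao token; authority is exercised through the unseal shares and the one-time root token during the ceremony", or naming the policy it maps to, so readers do not infer a fourth long-lived privileged token.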
@@ -10,7 +10,7 @@ topic_slug: railiance
|
|||||||
planning_priority: high
|
planning_priority: high
|
||||||
planning_order: 2
|
planning_order: 2
|
||||||
created: "2026-05-17"
|
created: "2026-05-17"
|
||||||
updated: "2026-05-23"
|
updated: "2026-05-24"
|
||||||
depends_on:
|
depends_on:
|
||||||
- RAIL-PL-WP-0001
|
- RAIL-PL-WP-0001
|
||||||
state_hub_workstream_id: "fd1c045a-01d4-43be-980f-acbda6c64e6c"
|
state_hub_workstream_id: "fd1c045a-01d4-43be-980f-acbda6c64e6c"
|
||||||
@@ -137,6 +137,14 @@ post-unseal initial configuration path. The actual initialization/unseal
|
|||||||
ceremony remains gated on named human escrow recipients and must not happen in
|
ceremony remains gated on named human escrow recipients and must not happen in
|
||||||
a casual agent shell.
|
a casual agent shell.
|
||||||
|
|
||||||
|
**2026-05-24:** Revised the custody model: `tegwick`
|
||||||
|
(`bernd.worsch@gmail.com`, Gitea `tegwick`) is the setup operator/contact, not
|
||||||
|
the long-term platform root of trust. The OpenBao ceremony is now gated on a
|
||||||
|
separate NetKingdom king credential and guided bootstrap path. T03 remains
|
||||||
|
`in_progress`: the live OpenBao init/unseal ceremony is still gated on king
|
||||||
|
credential creation, custody mode approval, root-token disposition,
|
||||||
|
reset/rotation, and restore-drill execution.
|
||||||
|
|
||||||
### T04 - Auth Methods And Workload Integration
|
### T04 - Auth Methods And Workload Integration
|
||||||
|
|
||||||
```task
|
```task
|
||||||
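Review bot: the new 2026-05-24 entry says T03 remains gated on "reset/rotation" without saying what is reset or rotated (unseal shares via rekey, the root token, or both), and sitting directly under the earlier entry's "gated on named human escrow recipients" it leaves open whether human escrow recipients are still a gate now that the ceremony section allows "escrow holders or offline single-custody locations". Suggest spelling out the rotation target and stating plainly whether named human share holders remain required in the preferred custody mode.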
@@ -226,6 +234,11 @@ platform secrets authority while SOPS/age remains bootstrap/Git-at-rest
|
|||||||
protection. Still needs ops-warden, ops-bridge, artifact-store, S5 app,
|
protection. Still needs ops-warden, ops-bridge, artifact-store, S5 app,
|
||||||
and stale HashiCorp Vault wording follow-ups.
|
and stale HashiCorp Vault wording follow-ups.
|
||||||
|
|
||||||
|
**2026-05-24:** Updated NetKingdom custody linkage:
|
||||||
|
`net-kingdom/docs/platform-root-custody.md`, `NET-WP-0015`, and `NET-WP-0016`
|
||||||
|
now define `tegwick` as setup operator/contact and a separate king credential
|
||||||
|
as the platform-root custody target for OpenBao.
|
||||||
|
|
||||||
**2026-05-17:** Linked the artifact-store transition to
|
**2026-05-17:** Linked the artifact-store transition to
|
||||||
`ARTIFACT-STORE-WP-0007 - MinIO Compatibility, MaxIO Fork Assessment, And STS
|
`ARTIFACT-STORE-WP-0007 - MinIO Compatibility, MaxIO Fork Assessment, And STS
|
||||||
Credential Vending` instead of creating duplicate S3 backend work in
|
Credential Vending` instead of creating duplicate S3 backend work in
|
||||||
|
|||||||
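Review bot: this entry cites `NET-WP-0015` and `NET-WP-0016` alongside `net-kingdom/docs/platform-root-custody.md`, but the ceremony section's pre-flight check only requires that "the guided NetKingdom bootstrap path exists" and names no document an operator could check that against. If NET-WP-0015/0016 are where that path is defined, reference them from the pre-flight check as well; if they are not, the entry should say which document does define it, otherwise the gate is unverifiable.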