Added openbao secrets management and phaseout of bitnami for CloudNative PG
@@ -4,7 +4,7 @@ type: workplan
title: "OpenBao Platform Secrets Service"
domain: railiance
repo: railiance-platform
status: proposed
status: active
owner: codex
topic_slug: railiance
planning_priority: high
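Review bot: `status:` flips from `proposed` to `active`, but nothing in this hunk bumps an `updated:` date, while the sibling workplan's frontmatter hunk (`@@ -10,7 +10,7 @@ topic_slug: railiance`) does bump `updated:` to "2026-05-17"; if this workplan carries the same field, update it in the same commit so the two files' bookkeeping stays consistent.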
@@ -74,7 +74,7 @@ Out of scope:
```task
id: RAIL-PL-WP-0002-T01
status: todo
status: done
priority: high
state_hub_task_id: "e997ffe0-6b61-4242-b585-f271e9b75e99"
```
@@ -84,11 +84,16 @@ ops-warden, Railiance, and application runbooks. Decide whether
Railiance standardizes on OpenBao, keeps Vault-compatible abstraction
language, or supports both for a transition period.
**2026-05-17:** Decision recorded in State Hub:
`a0df816c-3749-4418-9c8b-28eb428be953`. Railiance S3 standardizes on
OpenBao as the runtime platform secrets service. SOPS/age remains the
Git-at-rest bootstrap mechanism.
### T02 - Kubernetes Deployment Design
```task
id: RAIL-PL-WP-0002-T02
status: todo
status: done
priority: high
state_hub_task_id: "fb6ac85d-e77f-400d-8342-70a0ec6e82ef"
```
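Review bot: the decision entry answers only one of the three options the task text poses (standardize on OpenBao) and is silent on the "keeps Vault-compatible abstraction language" and "supports both for a transition period" alternatives; say explicitly on the dated State Hub decision line whether Vault-compatible wording is retained during transition, because the T07 entry later in this diff still speaks of "OpenBao-first or Vault-compatible abstraction language" as if that choice were open.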
@@ -98,11 +103,18 @@ backend, HA posture, ingress/internal service exposure, TLS, resource
limits, PodDisruptionBudget, NetworkPolicies, and upgrade/rollback
strategy.
**2026-05-17:** Implemented `helm/openbao-values.yaml`, Make targets, and
`docs/openbao.md`. Deployed chart `openbao/openbao` `0.28.2` (app
`v2.5.3`) to Railiance01 namespace `openbao` as internal-only,
single-replica Raft with data/audit PVCs. Public ingress remains disabled;
OpenBao is intentionally uninitialized and sealed until the bootstrap
ceremony.
### T03 - Bootstrap, Unseal, And Break-Glass Procedure
```task
id: RAIL-PL-WP-0002-T03
status: todo
status: in_progress
priority: high
state_hub_task_id: "509ccfd4-1775-4be4-b8e4-8d5bcf17f91e"
```
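Review bot: T02 is marked `done`, but the task text lists HA posture, PodDisruptionBudget, NetworkPolicies and an upgrade/rollback strategy, and the 2026-05-17 entry records only a single-replica Raft deployment with data/audit PVCs and public ingress disabled; either add the PDB, NetworkPolicy and upgrade/rollback decisions to the entry (a single replica gives a PDB nothing to protect, and "internal-only" still needs a NetworkPolicy stating which namespaces may reach the service), or keep the task `in_progress`. Keeping the instance uninitialized and sealed until the bootstrap ceremony is the right call and should stay stated as it is.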
@@ -112,6 +124,10 @@ emergency access, backup escrow, and recovery drill. Ensure the design
does not introduce an unmanaged "secret zero" worse than the current
SOPS/age bootstrap.
**2026-05-17:** Initial ceremony documented in `docs/openbao.md`. Still
needs human escrow assignment, root-token retirement details, and a
restore/recovery drill before live secrets move into OpenBao.
### T04 - Auth Methods And Workload Integration
```task
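Review bot: the T03 entry correctly gates "live secrets move into OpenBao" on human escrow assignment, root-token retirement and a restore/recovery drill, but that gate exists only as a dated progress note while T05 and T07 are already `in_progress` in this same diff; promote it to an explicit acceptance criterion or a precondition on T04/T05 so that a workload integration cannot land before break-glass and the recovery drill are done, which is precisely the unmanaged "secret zero" regression the task text warns against.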
@@ -130,7 +146,7 @@ Operator, or sidecars/controllers.
```task
id: RAIL-PL-WP-0002-T05
status: todo
status: in_progress
priority: medium
state_hub_task_id: "0d717bdd-76bc-41b4-b633-ba07214b4095"
```
@@ -141,6 +157,16 @@ PostgreSQL, Kubernetes token generation where appropriate, PKI/SSH
future paths, and an assessment of object-storage credential vending
integration with NK-WP-0007.
**2026-05-17:** Object-storage credential vending assessment started and
documented in `docs/openbao.md`. Existing `artifact-store` capabilities cover
artifact package preservation, an S3-compatible backend, env/file secret refs,
and `artifactstore storage verify --backend s3`. Railiance S3 should use
OpenBao for bootstrap custody, policy, audit, break-glass, and workload secret
delivery, while `artifact-store` owns S3 backend behavior and
`ARTIFACT-STORE-WP-0007` owns MinIO/fork compatibility plus temporary
credential refresh decisions. NetKingdom remains the default owner for OIDC
identity if object storage adopts `AssumeRoleWithWebIdentity`.
### T06 - Backup, Audit, Monitoring, And Verification
```task
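Review bot: the ownership split is clear, but the entry makes OpenBao the owner of "workload secret delivery" and `artifact-store` the consumer of "env/file secret refs" without naming which T04 mechanism ("Operator, or sidecars/controllers" in the `@@ -130,7 +146,7 @@` context) will populate those refs, nor what a file ref does once `ARTIFACT-STORE-WP-0007` settles "temporary credential refresh decisions"; either name the mechanism here or record it as an open question handed to `ARTIFACT-STORE-WP-0007-T004`.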
@@ -158,7 +184,7 @@ developer/operator verification script for the deployed service.
```task
id: RAIL-PL-WP-0002-T07
status: todo
status: in_progress
priority: medium
state_hub_task_id: "89149b60-562b-4a5b-978d-0f9136ffa114"
```
@@ -168,6 +194,21 @@ artifact-store, and S5 applications where documentation or integration
must move from HashiCorp Vault-specific assumptions to OpenBao-first
or Vault-compatible abstraction language.
**2026-05-17:** Started cross-repo transition by updating
`net-kingdom/docs/platform-identity-security-architecture.md` and
`net-kingdom/SCOPE.md` so NetKingdom treats OpenBao as the runtime
platform secrets authority while SOPS/age remains bootstrap/Git-at-rest
protection. Still needs ops-warden, ops-bridge, artifact-store, S5 app,
and stale HashiCorp Vault wording follow-ups.
**2026-05-17:** Linked the artifact-store transition to
`ARTIFACT-STORE-WP-0007 - MinIO Compatibility, MaxIO Fork Assessment, And STS
Credential Vending` instead of creating duplicate S3 backend work in
`railiance-platform`. The OpenBao side of the handoff is now documented in
`docs/openbao.md`; remaining artifact-store work belongs in
`ARTIFACT-STORE-WP-0007-T004` and follow-up routing in
`ARTIFACT-STORE-WP-0007-T005`.
## Acceptance Criteria
- Railiance has an explicit decision on OpenBao versus HashiCorp Vault
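Review bot: the two 2026-05-17 entries contradict each other on artifact-store: the first still lists "artifact-store" among pending follow-ups, while the second states the artifact-store transition is now linked to `ARTIFACT-STORE-WP-0007` with remaining work in `ARTIFACT-STORE-WP-0007-T004` and `-T005`; drop `artifact-store` from the first entry's pending list, or qualify it as wording-only, so the remaining-work statement is unambiguous.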
@@ -10,7 +10,7 @@ topic_slug: railiance
state_hub_workstream_id: "e4ec133c-7cb9-43c6-95f0-50d6591f13d7"
superseded_by: RAIL-HO-WP-0004
created: "2026-03-11"
updated: "2026-03-26"
updated: "2026-05-17"
---
# S3 Platform Services Baseline
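Review bot: `superseded_by: RAIL-HO-WP-0004` is the only trace of why every task in this file is flipped to `cancelled` below; the frontmatter key is machine-readable, but a reader of the body finds no dated note, and the motivation ("phaseout of bitnami for CloudNative PG") lives only in the commit title. Add one dated line under the title pointing to RAIL-HO-WP-0004 and naming the Bitnami to CloudNative PG move.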
@@ -59,7 +59,7 @@ depend on.
```task
id: RAIL-PL-WP-0001-T01
state_hub_task_id: f5af95bf-3d2d-458a-b695-666d4dc2dc99
status: todo
status: cancelled
priority: high
```
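Review bot: style: `state_hub_task_id` is an unquoted UUID here (and in every other RAIL-PL-WP-0001 task block in this diff), whereas the RAIL-PL-WP-0002 task blocks in the same commit quote it; pick one form for the `task` fences so any parser of these blocks sees a consistent scalar type.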
@@ -111,7 +111,7 @@ Running in the `platform` namespace; `make smoke` still passes.
```task
id: RAIL-PL-WP-0001-T02
state_hub_task_id: c1073011-935a-4c1a-9a9f-dc4db1fc3e88
status: todo
status: cancelled
priority: high
```
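Review bot: `status: todo` becomes `cancelled` although this hunk's own context line reads "Running in the `platform` namespace; `make smoke` still passes", i.e. the work was delivered, and `cancelled` reads as never done to anyone auditing this later. The same applies to the hunks whose context says "all data intact", "still operational; tombstone in place" and "railiance-cluster backup still covers etcd/kubeconfig". Consider `done` (or a superseded state, if the task schema has one) plus a one-line pointer to RAIL-HO-WP-0004 in each affected block.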
@@ -149,7 +149,7 @@ all data intact.
```task
id: RAIL-PL-WP-0001-T03
state_hub_task_id: a820cd02-0f30-4488-abf1-897120f1fbc1
status: todo
status: cancelled
priority: medium
```
@@ -188,7 +188,7 @@ still operational; tombstone in place.
```task
id: RAIL-PL-WP-0001-T04
state_hub_task_id: 8df4774c-5251-4c85-be57-61b903be82ee
status: todo
status: cancelled
priority: high
```
@@ -212,7 +212,7 @@ remains available within the recovery window.
```task
id: RAIL-PL-WP-0001-T05
state_hub_task_id: 231f6f8a-97a0-4aa0-8318-8e4361af67a3
status: todo
status: cancelled
priority: medium
```
@@ -254,7 +254,7 @@ railiance-cluster backup still covers etcd/kubeconfig; no duplication.
```task
id: RAIL-PL-WP-0001-T06
state_hub_task_id: 20899c81-2b24-4d70-ad02-f6a1383b6811
status: todo
status: cancelled
priority: low
```