Added OpenBao secrets management and phase-out of Bitnami for CloudNativePG

2026-05-18 11:53:59 +02:00
parent fc0a6c280b
commit 980947894e
8 changed files with 493 additions and 16 deletions

View File

@@ -4,7 +4,7 @@ type: workplan
title: "OpenBao Platform Secrets Service"
domain: railiance
repo: railiance-platform
status: proposed
status: active
owner: codex
topic_slug: railiance
planning_priority: high
@@ -74,7 +74,7 @@ Out of scope:
```task
id: RAIL-PL-WP-0002-T01
status: todo
status: done
priority: high
state_hub_task_id: "e997ffe0-6b61-4242-b585-f271e9b75e99"
```
@@ -84,11 +84,16 @@ ops-warden, Railiance, and application runbooks. Decide whether
Railiance standardizes on OpenBao, keeps Vault-compatible abstraction
language, or supports both for a transition period.
**2026-05-17:** Decision recorded in State Hub:
`a0df816c-3749-4418-9c8b-28eb428be953`. Railiance S3 standardizes on
OpenBao as the runtime platform secrets service. SOPS/age remains the
Git-at-rest bootstrap mechanism.
### T02 - Kubernetes Deployment Design
```task
id: RAIL-PL-WP-0002-T02
status: todo
status: done
priority: high
state_hub_task_id: "fb6ac85d-e77f-400d-8342-70a0ec6e82ef"
```
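Review bot: the 2026-05-17 decision line settles only the product choice and leaves the second half of the question on the context lines above open, namely whether Railiance keeps Vault-compatible abstraction language or supports both for a transition period; since T07 later in this file still frames documentation as "OpenBao-first or Vault-compatible abstraction language", add one sentence here stating which wording standard applies so downstream repos have a single rule to follow rather than re-deciding it per repo.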
@@ -98,11 +103,18 @@ backend, HA posture, ingress/internal service exposure, TLS, resource
limits, PodDisruptionBudget, NetworkPolicies, and upgrade/rollback
strategy.
**2026-05-17:** Implemented `helm/openbao-values.yaml`, Make targets, and
`docs/openbao.md`. Deployed chart `openbao/openbao` `0.28.2` (app
`v2.5.3`) to Railiance01 namespace `openbao` as internal-only,
single-replica Raft with data/audit PVCs. Public ingress remains disabled;
OpenBao is intentionally uninitialized and sealed until the bootstrap
ceremony.
### T03 - Bootstrap, Unseal, And Break-Glass Procedure
```task
id: RAIL-PL-WP-0002-T03
status: todo
status: in_progress
priority: high
state_hub_task_id: "509ccfd4-1775-4be4-b8e4-8d5bcf17f91e"
```
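Review bot: the deployment note records a single-replica Raft cluster while the task scope on the context lines above lists HA posture and PodDisruptionBudget as design items; state explicitly that single replica is the accepted posture for this stage (and whether a PodDisruptionBudget is set at all, since `minAvailable: 1` on a single replica blocks voluntary node drains), or mark those items as deferred so T02 `done` is not read as covering them. Also, "uninitialized and sealed" is redundant: a server that has never been initialized has no keyring to unseal, so "uninitialized" alone is the accurate state until the bootstrap ceremony runs.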
@@ -112,6 +124,10 @@ emergency access, backup escrow, and recovery drill. Ensure the design
does not introduce an unmanaged "secret zero" worse than the current
SOPS/age bootstrap.
**2026-05-17:** Initial ceremony documented in `docs/openbao.md`. Still
needs human escrow assignment, root-token retirement details, and a
restore/recovery drill before live secrets move into OpenBao.
### T04 - Auth Methods And Workload Integration
```task
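Review bot: the remaining-work list names escrow assignment and root-token retirement but does not record the unseal model, and that is what decides whether this design has a worse "secret zero" than SOPS/age, which the task text explicitly warns against: with Shamir unseal the key shares and their holders become the new secret zero; with auto-unseal the KMS credential does. Add the chosen model and its key-share/threshold or KMS dependency to this note, and list the restore/recovery drill as an explicit exit criterion for moving T03 to done instead of leaving it as a loose "still needs" item.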
@@ -130,7 +146,7 @@ Operator, or sidecars/controllers.
```task
id: RAIL-PL-WP-0002-T05
status: todo
status: in_progress
priority: medium
state_hub_task_id: "0d717bdd-76bc-41b4-b633-ba07214b4095"
```
@@ -141,6 +157,16 @@ PostgreSQL, Kubernetes token generation where appropriate, PKI/SSH
future paths, and an assessment of object-storage credential vending
integration with NK-WP-0007.
**2026-05-17:** Object-storage credential vending assessment started and
documented in `docs/openbao.md`. Existing `artifact-store` capabilities cover
artifact package preservation, an S3-compatible backend, env/file secret refs,
and `artifactstore storage verify --backend s3`. Railiance S3 should use
OpenBao for bootstrap custody, policy, audit, break-glass, and workload secret
delivery, while `artifact-store` owns S3 backend behavior and
`ARTIFACT-STORE-WP-0007` owns MinIO/fork compatibility plus temporary
credential refresh decisions. NetKingdom remains the default owner for OIDC
identity if object storage adopts `AssumeRoleWithWebIdentity`.
### T06 - Backup, Audit, Monitoring, And Verification
```task
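Review bot: the ownership split in this note leaves a gap for long-lived keys: OpenBao is assigned "workload secret delivery", "temporary credential refresh decisions" go to ARTIFACT-STORE-WP-0007, and OIDC identity goes to NetKingdom, but nothing says what OpenBao vends in the interim, that is whether it stores static S3 access keys and who rotates them at what TTL until STS-style vending exists. A one-line interim statement (static keys in OpenBao, rotation owner and cadence) would close that, since static keys are exactly what a later `AssumeRoleWithWebIdentity` design is meant to remove.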
@@ -158,7 +184,7 @@ developer/operator verification script for the deployed service.
```task
id: RAIL-PL-WP-0002-T07
status: todo
status: in_progress
priority: medium
state_hub_task_id: "89149b60-562b-4a5b-978d-0f9136ffa114"
```
@@ -168,6 +194,21 @@ artifact-store, and S5 applications where documentation or integration
must move from HashiCorp Vault-specific assumptions to OpenBao-first
or Vault-compatible abstraction language.
**2026-05-17:** Started cross-repo transition by updating
`net-kingdom/docs/platform-identity-security-architecture.md` and
`net-kingdom/SCOPE.md` so NetKingdom treats OpenBao as the runtime
platform secrets authority while SOPS/age remains bootstrap/Git-at-rest
protection. Still needs ops-warden, ops-bridge, artifact-store, S5 app,
and stale HashiCorp Vault wording follow-ups.
**2026-05-17:** Linked the artifact-store transition to
`ARTIFACT-STORE-WP-0007 - MinIO Compatibility, MaxIO Fork Assessment, And STS
Credential Vending` instead of creating duplicate S3 backend work in
`railiance-platform`. The OpenBao side of the handoff is now documented in
`docs/openbao.md`; remaining artifact-store work belongs in
`ARTIFACT-STORE-WP-0007-T004` and follow-up routing in
`ARTIFACT-STORE-WP-0007-T005`.
## Acceptance Criteria
- Railiance has an explicit decision on OpenBao versus HashiCorp Vault
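Review bot: the first 2026-05-17 entry still lists artifact-store among the pending follow-ups, while the second entry in the same hunk hands artifact-store off to `ARTIFACT-STORE-WP-0007-T004` and `-T005`; drop artifact-store from the "Still needs" list (or mark it "routed to WP-0007") so the two entries do not contradict each other, and say where the "stale HashiCorp Vault wording" sweep will be tracked, since no task ID is given for it.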

View File

@@ -10,7 +10,7 @@ topic_slug: railiance
state_hub_workstream_id: "e4ec133c-7cb9-43c6-95f0-50d6591f13d7"
superseded_by: RAIL-HO-WP-0004
created: "2026-03-11"
updated: "2026-03-26"
updated: "2026-05-17"
---
# S3 Platform Services Baseline
@@ -59,7 +59,7 @@ depend on.
```task
id: RAIL-PL-WP-0001-T01
state_hub_task_id: f5af95bf-3d2d-458a-b695-666d4dc2dc99
status: todo
status: cancelled
priority: high
```
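Review bot: every task in this file flips from `todo` to `cancelled` without a dated rationale line, unlike the `**2026-05-17:**` progress notes used in the OpenBao workplan in the same commit; since the frontmatter already carries `superseded_by: RAIL-HO-WP-0004`, add one line under each cancelled task (or one under the document title) stating whether the work moved to RAIL-HO-WP-0004 or was dropped, so a reader does not have to infer the reason from the commit message's Bitnami/CloudNativePG phase-out.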
@@ -111,7 +111,7 @@ Running in the `platform` namespace; `make smoke` still passes.
```task
id: RAIL-PL-WP-0001-T02
state_hub_task_id: c1073011-935a-4c1a-9a9f-dc4db1fc3e88
status: todo
status: cancelled
priority: high
```
@@ -149,7 +149,7 @@ all data intact.
```task
id: RAIL-PL-WP-0001-T03
state_hub_task_id: a820cd02-0f30-4488-abf1-897120f1fbc1
status: todo
status: cancelled
priority: medium
```
@@ -188,7 +188,7 @@ still operational; tombstone in place.
```task
id: RAIL-PL-WP-0001-T04
state_hub_task_id: 8df4774c-5251-4c85-be57-61b903be82ee
status: todo
status: cancelled
priority: high
```
@@ -212,7 +212,7 @@ remains available within the recovery window.
```task
id: RAIL-PL-WP-0001-T05
state_hub_task_id: 231f6f8a-97a0-4aa0-8318-8e4361af67a3
status: todo
status: cancelled
priority: medium
```
@@ -254,7 +254,7 @@ railiance-cluster backup still covers etcd/kubeconfig; no duplication.
```task
id: RAIL-PL-WP-0001-T06
state_hub_task_id: 20899c81-2b24-4d70-ad02-f6a1383b6811
status: todo
status: cancelled
priority: low
```