Platform secret setup

scripts/openbao-apply-initial-config.sh

@@ -0,0 +1,139 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+OPENBAO_NAMESPACE="${OPENBAO_NAMESPACE:-openbao}"
+OPENBAO_RELEASE="${OPENBAO_RELEASE:-openbao}"
+KUBECTL="${KUBECTL:-kubectl}"
+TOKEN_FILE="${OPENBAO_TOKEN_FILE:-}"
+REPO_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+POLICY_DIR="${POLICY_DIR:-$REPO_DIR/openbao/policies}"
+DRY_RUN=0
+
+usage() {
+  cat <<'USAGE'
+Usage: scripts/openbao-apply-initial-config.sh [--dry-run]
+
+Applies the first post-unseal OpenBao configuration:
+  - file audit device
+  - platform KV v2 mount
+  - Kubernetes auth mount and in-cluster config
+  - platform-admin and platform-readonly policies
+
+This script must run only after the bootstrap ceremony initializes and unseals
+OpenBao. It reads the bootstrap/root or platform-admin token from:
+  1. OPENBAO_TOKEN_FILE, when set
+  2. an interactive hidden prompt
+
+It does not print the token and does not store it.
+USAGE
+}
+
+while [ "$#" -gt 0 ]; do
+  case "$1" in
+    --dry-run)
+      DRY_RUN=1
+      shift
+      ;;
+    -h|--help)
+      usage
+      exit 0
+      ;;
+    *)
+      echo "ERROR: unknown argument: $1" >&2
+      usage >&2
+      exit 2
+      ;;
+  esac
+done
+
+pod="${OPENBAO_RELEASE}-0"
+
+read_token() {
+  if [ -n "$TOKEN_FILE" ]; then
+    if [ ! -f "$TOKEN_FILE" ]; then
+      echo "ERROR: OPENBAO_TOKEN_FILE does not exist: $TOKEN_FILE" >&2
+      exit 1
+    fi
+    head -n 1 "$TOKEN_FILE"
+    return
+  fi
+
+  local token
+  read -r -s -p "OpenBao token: " token
+  printf '\n' >&2
+  printf '%s\n' "$token"
+}
+
+remote_bao() {
+  local token="$1"
+  shift
+  if [ "$DRY_RUN" -eq 1 ]; then
+    printf 'DRY-RUN: bao %s\n' "$*"
+    return 0
+  fi
+  printf '%s\n' "$token" | $KUBECTL exec -i -n "$OPENBAO_NAMESPACE" "$pod" -- \
+    sh -c 'read -r BAO_TOKEN; export BAO_TOKEN; exec bao "$@"' sh "$@"
+}
+
+remote_sh() {
+  local token="$1"
+  local script="$2"
+  if [ "$DRY_RUN" -eq 1 ]; then
+    printf 'DRY-RUN: remote shell: %s\n' "$script"
+    return 0
+  fi
+  printf '%s\n%s\n' "$token" "$script" | $KUBECTL exec -i -n "$OPENBAO_NAMESPACE" "$pod" -- \
+    sh -c 'read -r BAO_TOKEN; export BAO_TOKEN; sh'
+}
+
+write_policy() {
+  local token="$1"
+  local name="$2"
+  local file="$3"
+  if [ ! -f "$file" ]; then
+    echo "ERROR: missing policy file: $file" >&2
+    exit 1
+  fi
+  if [ "$DRY_RUN" -eq 1 ]; then
+    printf 'DRY-RUN: bao policy write %s %s\n' "$name" "$file"
+    return 0
+  fi
+  { printf '%s\n' "$token"; cat "$file"; } | $KUBECTL exec -i -n "$OPENBAO_NAMESPACE" "$pod" -- \
+    sh -c 'read -r BAO_TOKEN; export BAO_TOKEN; bao policy write "$1" -' sh "$name"
+}
+
+token="$(read_token)"
+if [ -z "$token" ]; then
+  echo "ERROR: empty token" >&2
+  exit 1
+fi
+
+remote_bao "$token" status
+
+remote_bao "$token" audit enable file file_path=/openbao/audit/openbao-audit.log || true
+remote_bao "$token" secrets enable -path=platform kv-v2 || true
+remote_bao "$token" auth enable kubernetes || true
+
+remote_sh "$token" 'bao write auth/kubernetes/config \
+  kubernetes_host="https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}" \
+  token_reviewer_jwt=@/var/run/secrets/kubernetes.io/serviceaccount/token \
+  kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt'
+
+write_policy "$token" platform-admin "$POLICY_DIR/platform-admin.hcl"
+write_policy "$token" platform-readonly "$POLICY_DIR/platform-readonly.hcl"
+
+remote_bao "$token" audit list
+remote_bao "$token" secrets list
+remote_bao "$token" auth list
+remote_bao "$token" policy list
+
+cat <<'NEXT'
+
+Initial OpenBao configuration applied.
+
+Next manual steps:
+  1. Create a non-root platform-admin token with a short TTL or renewable period.
+  2. Store that token through the approved human/operator secret path.
+  3. Revoke or tightly escrow the initial root token.
+  4. Run the raft snapshot and restore drill before moving live secrets.
+NEXT

scripts/openbao-verify.sh

@@ -0,0 +1,105 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+OPENBAO_NAMESPACE="${OPENBAO_NAMESPACE:-openbao}"
+OPENBAO_RELEASE="${OPENBAO_RELEASE:-openbao}"
+KUBECTL="${KUBECTL:-kubectl}"
+MODE="${1:-basic}"
+
+ok() { printf '[OK] %s\n' "$*"; }
+warn() { printf '[WARN] %s\n' "$*"; }
+err() { printf '[ERR] %s\n' "$*" >&2; }
+step() { printf '\n==> %s\n' "$*"; }
+
+usage() {
+  cat <<'USAGE'
+Usage: scripts/openbao-verify.sh [basic|post-unseal]
+
+Runs non-secret OpenBao deployment checks. It never initializes, unseals, or
+prints tokens.
+
+Environment:
+  OPENBAO_NAMESPACE  Kubernetes namespace. Default: openbao
+  OPENBAO_RELEASE    Helm release / pod prefix. Default: openbao
+  KUBECTL            kubectl command, including --kubeconfig if needed.
+USAGE
+}
+
+if [ "$MODE" = "-h" ] || [ "$MODE" = "--help" ]; then
+  usage
+  exit 0
+fi
+
+if [ "$MODE" != "basic" ] && [ "$MODE" != "post-unseal" ]; then
+  err "unknown mode: $MODE"
+  usage >&2
+  exit 2
+fi
+
+pod="${OPENBAO_RELEASE}-0"
+
+check_cmd() {
+  if ! command -v "${KUBECTL%% *}" >/dev/null 2>&1; then
+    err "kubectl command not found: $KUBECTL"
+    exit 1
+  fi
+}
+
+run() {
+  # shellcheck disable=SC2086
+  $KUBECTL "$@"
+}
+
+check_cmd
+
+step "OpenBao Kubernetes objects"
+run get namespace "$OPENBAO_NAMESPACE" >/dev/null
+ok "namespace exists: $OPENBAO_NAMESPACE"
+
+run get pod "$pod" -n "$OPENBAO_NAMESPACE" >/dev/null
+ok "pod exists: $OPENBAO_NAMESPACE/$pod"
+
+phase="$(run get pod "$pod" -n "$OPENBAO_NAMESPACE" -o jsonpath='{.status.phase}')"
+ready="$(run get pod "$pod" -n "$OPENBAO_NAMESPACE" -o jsonpath='{range .status.containerStatuses[*]}{.ready}{end}')"
+printf 'Pod phase: %s\n' "$phase"
+printf 'Container ready flags: %s\n' "${ready:-none}"
+
+run get svc -n "$OPENBAO_NAMESPACE" \
+  "${OPENBAO_RELEASE}" \
+  "${OPENBAO_RELEASE}-active" \
+  "${OPENBAO_RELEASE}-internal" \
+  "${OPENBAO_RELEASE}-ui" >/dev/null
+ok "expected services exist"
+
+run get pvc -n "$OPENBAO_NAMESPACE" >/dev/null
+ok "PVC query succeeded"
+
+step "OpenBao seal/init status"
+if run exec -n "$OPENBAO_NAMESPACE" "$pod" -- bao status; then
+  ok "bao status command succeeded"
+else
+  warn "bao status failed. Check pod logs and command availability."
+fi
+
+if [ "$MODE" = "basic" ]; then
+  exit 0
+fi
+
+step "Post-unseal unauthenticated checks"
+if run exec -n "$OPENBAO_NAMESPACE" "$pod" -- sh -c 'test -d /openbao/audit'; then
+  ok "audit directory exists"
+else
+  warn "audit directory missing or inaccessible"
+fi
+
+if run exec -n "$OPENBAO_NAMESPACE" "$pod" -- sh -c 'test -d /openbao/data'; then
+  ok "raft data directory exists"
+else
+  warn "raft data directory missing or inaccessible"
+fi
+
+warn "Authenticated checks are intentionally not run here."
+warn "After unseal/configuration, verify with a platform-admin token:"
+warn "  bao audit list"
+warn "  bao secrets list"
+warn "  bao auth list"