Platform secret setup

scripts/openbao-apply-initial-config.sh

@@ -0,0 +1,139 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+OPENBAO_NAMESPACE="${OPENBAO_NAMESPACE:-openbao}"
+OPENBAO_RELEASE="${OPENBAO_RELEASE:-openbao}"
+KUBECTL="${KUBECTL:-kubectl}"
+TOKEN_FILE="${OPENBAO_TOKEN_FILE:-}"
+REPO_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+POLICY_DIR="${POLICY_DIR:-$REPO_DIR/openbao/policies}"
+DRY_RUN=0
+
+usage() {
+  cat <<'USAGE'
+Usage: scripts/openbao-apply-initial-config.sh [--dry-run]
+
+Applies the first post-unseal OpenBao configuration:
+  - file audit device
+  - platform KV v2 mount
+  - Kubernetes auth mount and in-cluster config
+  - platform-admin and platform-readonly policies
+
+This script must run only after the bootstrap ceremony initializes and unseals
+OpenBao. It reads the bootstrap/root or platform-admin token from:
+  1. OPENBAO_TOKEN_FILE, when set
+  2. an interactive hidden prompt
+
+It does not print the token and does not store it.
+USAGE
+}
+
+while [ "$#" -gt 0 ]; do
+  case "$1" in
+    --dry-run)
+      DRY_RUN=1
+      shift
+      ;;
+    -h|--help)
+      usage
+      exit 0
+      ;;
+    *)
+      echo "ERROR: unknown argument: $1" >&2
+      usage >&2
+      exit 2
+      ;;
+  esac
+done
+
+pod="${OPENBAO_RELEASE}-0"
+
+read_token() {
+  if [ -n "$TOKEN_FILE" ]; then
+    if [ ! -f "$TOKEN_FILE" ]; then
+      echo "ERROR: OPENBAO_TOKEN_FILE does not exist: $TOKEN_FILE" >&2
+      exit 1
+    fi
+    head -n 1 "$TOKEN_FILE"
+    return
+  fi
+
+  local token
+  read -r -s -p "OpenBao token: " token
+  printf '\n' >&2
+  printf '%s\n' "$token"
+}
+
+remote_bao() {
+  local token="$1"
+  shift
+  if [ "$DRY_RUN" -eq 1 ]; then
+    printf 'DRY-RUN: bao %s\n' "$*"
+    return 0
+  fi
+  printf '%s\n' "$token" | $KUBECTL exec -i -n "$OPENBAO_NAMESPACE" "$pod" -- \
+    sh -c 'read -r BAO_TOKEN; export BAO_TOKEN; exec bao "$@"' sh "$@"
+}
+
+remote_sh() {
+  local token="$1"
+  local script="$2"
+  if [ "$DRY_RUN" -eq 1 ]; then
+    printf 'DRY-RUN: remote shell: %s\n' "$script"
+    return 0
+  fi
+  printf '%s\n%s\n' "$token" "$script" | $KUBECTL exec -i -n "$OPENBAO_NAMESPACE" "$pod" -- \
+    sh -c 'read -r BAO_TOKEN; export BAO_TOKEN; sh'
+}
+
+write_policy() {
+  local token="$1"
+  local name="$2"
+  local file="$3"
+  if [ ! -f "$file" ]; then
+    echo "ERROR: missing policy file: $file" >&2
+    exit 1
+  fi
+  if [ "$DRY_RUN" -eq 1 ]; then
+    printf 'DRY-RUN: bao policy write %s %s\n' "$name" "$file"
+    return 0
+  fi
+  { printf '%s\n' "$token"; cat "$file"; } | $KUBECTL exec -i -n "$OPENBAO_NAMESPACE" "$pod" -- \
+    sh -c 'read -r BAO_TOKEN; export BAO_TOKEN; bao policy write "$1" -' sh "$name"
+}
+
+token="$(read_token)"
+if [ -z "$token" ]; then
+  echo "ERROR: empty token" >&2
+  exit 1
+fi
+
+remote_bao "$token" status
+
+remote_bao "$token" audit enable file file_path=/openbao/audit/openbao-audit.log || true
+remote_bao "$token" secrets enable -path=platform kv-v2 || true
+remote_bao "$token" auth enable kubernetes || true
+
+remote_sh "$token" 'bao write auth/kubernetes/config \
+  kubernetes_host="https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}" \
+  token_reviewer_jwt=@/var/run/secrets/kubernetes.io/serviceaccount/token \
+  kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt'
+
+write_policy "$token" platform-admin "$POLICY_DIR/platform-admin.hcl"
+write_policy "$token" platform-readonly "$POLICY_DIR/platform-readonly.hcl"
+
+remote_bao "$token" audit list
+remote_bao "$token" secrets list
+remote_bao "$token" auth list
+remote_bao "$token" policy list
+
+cat <<'NEXT'
+
+Initial OpenBao configuration applied.
+
+Next manual steps:
+  1. Create a non-root platform-admin token with a short TTL or renewable period.
+  2. Store that token through the approved human/operator secret path.
+  3. Revoke or tightly escrow the initial root token.
+  4. Run the raft snapshot and restore drill before moving live secrets.
+NEXT