Platform secret setup
@@ -10,7 +10,7 @@ topic_slug: railiance
planning_priority: high
planning_order: 2
created: "2026-05-17"
updated: "2026-05-17"
updated: "2026-05-23"
depends_on:
- RAIL-PL-WP-0001
state_hub_workstream_id: "fd1c045a-01d4-43be-980f-acbda6c64e6c"
@@ -128,11 +128,20 @@ SOPS/age bootstrap.
needs human escrow assignment, root-token retirement details, and a
restore/recovery drill before live secrets move into OpenBao.
**2026-05-23:** Added non-secret bootstrap support: `make openbao-verify`,
`make openbao-verify-post-unseal`, `make openbao-configure-initial`,
`scripts/openbao-verify.sh`, `scripts/openbao-apply-initial-config.sh`, and
initial platform policies under `openbao/policies/`. `docs/openbao.md` now
spells out pre-flight checks, escrow handling, root-token retirement, and the
post-unseal initial configuration path. The actual initialization/unseal
ceremony remains gated on named human escrow recipients and must not happen in
a casual agent shell.
### T04 - Auth Methods And Workload Integration
```task
id: RAIL-PL-WP-0002-T04
status: todo
status: done
priority: high
state_hub_task_id: "ca2b3ac2-b522-4445-a418-c6ec312cd5f4"
```
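Review bot: the T03 note introduces `make openbao-configure-initial` and `scripts/openbao-apply-initial-config.sh` as bootstrap support, but nothing in the note says the initial-config path checks the gates the same paragraph names (named human escrow recipients, root-token retirement, the restore drill) before applying policies. Since the text explicitly bars the ceremony from a casual agent shell, consider adding a pre-flight guard in the script, or at least a documented check in `docs/openbao.md`, so that the initial configuration refuses to run while those gates are open rather than relying on the operator to remember them.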
@@ -142,6 +151,15 @@ NetKingdom identity, admins, agents, and automations. Decide when
workloads use OpenBao directly, CSI-mounted secrets, External Secrets
Operator, or sidecars/controllers.
**2026-05-23:** Documented the auth and delivery model in `docs/openbao.md`.
Bootstrap uses the one-time root token only for initial setup; platform
operators use a non-root `platform-admin` token until NetKingdom OIDC/admin
integration is ready; reviewers use `platform-readonly`; workloads use
Kubernetes auth with namespace/service-account-bound policies. External
Secrets Operator is preferred for Helm-compatible Kubernetes Secrets, CSI is
reserved for mounted-file delivery and refresh-sensitive workloads, and the
OpenBao injector remains disabled.
### T05 - Secret Engines And Dynamic Credentials
```task
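Review bot: the interim `platform-admin` token is described as non-root, but the paragraph records neither its TTL and renewal expectation nor where it is escrowed, and T04 is flipped to done while NetKingdom OIDC/admin integration is still pending. Consider either stating the token's lifetime and rotation rule here (for example, "short-lived, rotated when OIDC lands") or leaving a follow-up task open so the shared-token period stays tracked instead of disappearing behind a done status.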
@@ -171,7 +189,7 @@ identity if object storage adopts `AssumeRoleWithWebIdentity`.
```task
id: RAIL-PL-WP-0002-T06
status: todo
status: done
priority: medium
state_hub_task_id: "cd61bc7d-8b9f-484f-97bd-7254c227b0ee"
```
@@ -180,6 +198,13 @@ Define backup/restore procedure, audit device configuration, metrics,
logs, health checks, restore drill, and smoke tests. Include a
developer/operator verification script for the deployed service.
**2026-05-23:** Documented audit, Raft snapshot, encrypted snapshot custody,
isolated restore drill, durable audit-log shipping, and monitoring baseline in
`docs/openbao.md`. Added `scripts/openbao-verify.sh` plus Make targets for
basic and post-unseal verification. The restore drill still must be executed
before any live application secrets are migrated; that remains a gate under
T03.
### T07 - Cross-Repo Transition Tasks
```task
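Review bot: the task scope in this hunk lists "restore drill, and smoke tests" as deliverables, yet the 2026-05-23 note says the restore drill "still must be executed" and moves that gate to T03 while the task status above is set to done. One of the two should change: either keep this task open until the drill has actually run, or strike the drill from this task's scope and add it explicitly to T03, so the deliverable is not counted as complete in one place and pending in another.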