coulomb/railiance-platform
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Tolerate declarative OpenBao audit setup

Browse Source
This commit is contained in:
Bernd Worsch
2026-05-25 15:14:41 +02:00
parent 3741294b05
commit b76e9101d8
2 changed files with 70 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
docs/openbao.md
View File

@@ -187,9 +187,9 @@ configuration:
make openbao-configure-initial
```
The target prompts for a token, enables file audit, enables the `platform/` KV
v2 mount, enables Kubernetes auth, configures Kubernetes auth from the in-pod
service account, and loads:
The target prompts for a token, enables file audit when API-managed audit is
available, enables the `platform/` KV v2 mount, enables Kubernetes auth,
configures Kubernetes auth from the in-pod service account, and loads:
- `openbao/policies/platform-admin.hcl`
- `openbao/policies/platform-readonly.hcl`
@@ -198,6 +198,12 @@ It does not print or store the token. You may also set
`OPENBAO_TOKEN_FILE=/path/to/token-file` for an operator-local, uncommitted
token file.
Current OpenBao releases may reject API-managed audit setup with a message that
audit devices must be configured declaratively. In that case the helper exits
successfully with a warning after applying the other bootstrap configuration.
Treat declarative audit configuration in the OpenBao server config/Helm values
as mandatory before production secrets move in.
After the helper succeeds, create a non-root admin token:
```bash

64
scripts/openbao-apply-initial-config.sh
View File

@@ -14,7 +14,7 @@ usage() {
Usage: scripts/openbao-apply-initial-config.sh [--dry-run]
Applies the first post-unseal OpenBao configuration:
- file audit device
- file audit device when API-managed audit is available
- platform KV v2 mount
- Kubernetes auth mount and in-cluster config
- platform-admin and platform-readonly policies
@@ -47,6 +47,12 @@ while [ "$#" -gt 0 ]; do
done
pod="${OPENBAO_RELEASE}-0"
WARNINGS=0
warn() {
WARNINGS=$((WARNINGS + 1))
printf 'WARN: %s\n' "$*" >&2
}
read_token() {
if [ -n "$TOKEN_FILE" ]; then
@@ -102,6 +108,51 @@ write_policy() {
sh -c 'read -r BAO_TOKEN; export BAO_TOKEN; bao policy write "$1" -' sh "$name"
}
enable_file_audit() {
local token="$1"
local output status
if output="$(remote_bao "$token" audit enable file file_path=/openbao/audit/openbao-audit.log 2>&1)"; then
printf '%s\n' "$output"
return 0
fi
status=$?
printf '%s\n' "$output" >&2
case "$output" in
*"cannot enable audit device via API"*)
warn "OpenBao rejected API-managed audit enable. Configure audit devices declaratively in the OpenBao server config/Helm values."
return 0
;;
*"path is already in use"*)
warn "OpenBao file audit device already appears to be enabled."
return 0
;;
*)
warn "OpenBao audit enable failed with exit code $status."
return 0
;;
esac
}
show_audit_list() {
local token="$1"
local output status
if output="$(remote_bao "$token" audit list 2>&1)"; then
printf '%s\n' "$output"
return 0
fi
status=$?
printf '%s\n' "$output" >&2
if printf '%s\n' "$output" | grep -qi "No audit devices are enabled"; then
warn "No API-visible audit devices are enabled. Treat declarative audit configuration as a follow-up before production secrets."
return 0
fi
warn "OpenBao audit list failed with exit code $status."
return 0
}
token="$(read_token)"
if [ -z "$token" ]; then
echo "ERROR: empty token" >&2
@@ -110,7 +161,7 @@ fi
remote_bao "$token" status
remote_bao "$token" audit enable file file_path=/openbao/audit/openbao-audit.log || true
enable_file_audit "$token"
remote_bao "$token" secrets enable -path=platform kv-v2 || true
remote_bao "$token" auth enable kubernetes || true
@@ -122,7 +173,7 @@ remote_sh "$token" 'bao write auth/kubernetes/config \
write_policy "$token" platform-admin "$POLICY_DIR/platform-admin.hcl"
write_policy "$token" platform-readonly "$POLICY_DIR/platform-readonly.hcl"
remote_bao "$token" audit list
show_audit_list "$token"
remote_bao "$token" secrets list
remote_bao "$token" auth list
remote_bao "$token" policy list
@@ -137,3 +188,10 @@ Next manual steps:
3. Revoke or tightly escrow the initial root token.
4. Run the raft snapshot and restore drill before moving live secrets.
NEXT
if [ "$WARNINGS" -gt 0 ]; then
cat <<NEXT
Completed with $WARNINGS warning(s). Resolve warnings before production trust.
NEXT
fi