diff --git a/docs/openbao.md b/docs/openbao.md index 8977d8e..fffbe8b 100644 --- a/docs/openbao.md +++ b/docs/openbao.md @@ -187,9 +187,9 @@ configuration: make openbao-configure-initial ``` -The target prompts for a token, enables file audit, enables the `platform/` KV -v2 mount, enables Kubernetes auth, configures Kubernetes auth from the in-pod -service account, and loads: +The target prompts for a token, enables file audit when API-managed audit is +available, enables the `platform/` KV v2 mount, enables Kubernetes auth, +configures Kubernetes auth from the in-pod service account, and loads: - `openbao/policies/platform-admin.hcl` - `openbao/policies/platform-readonly.hcl` @@ -198,6 +198,12 @@ It does not print or store the token. You may also set `OPENBAO_TOKEN_FILE=/path/to/token-file` for an operator-local, uncommitted token file. +Current OpenBao releases may reject API-managed audit setup with a message that +audit devices must be configured declaratively. In that case the helper exits +successfully with a warning after applying the other bootstrap configuration. +Treat declarative audit configuration in the OpenBao server config/Helm values +as mandatory before production secrets move in. + After the helper succeeds, create a non-root admin token: ```bash diff --git a/scripts/openbao-apply-initial-config.sh b/scripts/openbao-apply-initial-config.sh index d37b166..370b7cc 100755 --- a/scripts/openbao-apply-initial-config.sh +++ b/scripts/openbao-apply-initial-config.sh @@ -14,7 +14,7 @@ usage() { Usage: scripts/openbao-apply-initial-config.sh [--dry-run] Applies the first post-unseal OpenBao configuration: - - file audit device + - file audit device when API-managed audit is available - platform KV v2 mount - Kubernetes auth mount and in-cluster config - platform-admin and platform-readonly policies 
@@ -47,6 +47,12 @@ while [ "$#" -gt 0 ]; do done pod="${OPENBAO_RELEASE}-0" +WARNINGS=0 + +warn() { + WARNINGS=$((WARNINGS + 1)) + printf 'WARN: %s\n' "$*" >&2 +} read_token() { if [ -n "$TOKEN_FILE" ]; then @@ -102,6 +108,51 @@ write_policy() { sh -c 'read -r BAO_TOKEN; export BAO_TOKEN; bao policy write "$1" -' sh "$name" } +enable_file_audit() { + local token="$1" + local output status + if output="$(remote_bao "$token" audit enable file file_path=/openbao/audit/openbao-audit.log 2>&1)"; then + printf '%s\n' "$output" + return 0 + fi + + status=$? + printf '%s\n' "$output" >&2 + case "$output" in + *"cannot enable audit device via API"*) + warn "OpenBao rejected API-managed audit enable. Configure audit devices declaratively in the OpenBao server config/Helm values." + return 0 + ;; + *"path is already in use"*) + warn "OpenBao file audit device already appears to be enabled." + return 0 + ;; + *) + warn "OpenBao audit enable failed with exit code $status." + return 0 + ;; + esac +} + +show_audit_list() { + local token="$1" + local output status + if output="$(remote_bao "$token" audit list 2>&1)"; then + printf '%s\n' "$output" + return 0 + fi + + status=$? + printf '%s\n' "$output" >&2 + if printf '%s\n' "$output" | grep -qi "No audit devices are enabled"; then + warn "No API-visible audit devices are enabled. Treat declarative audit configuration as a follow-up before production secrets." + return 0 + fi + + warn "OpenBao audit list failed with exit code $status." + return 0 +} + token="$(read_token)" if [ -z "$token" ]; then echo "ERROR: empty token" >&2 @@ -110,7 +161,7 @@ fi remote_bao "$token" status -remote_bao "$token" audit enable file file_path=/openbao/audit/openbao-audit.log || true +enable_file_audit "$token" remote_bao "$token" secrets enable -path=platform kv-v2 || true remote_bao "$token" auth enable kubernetes || true 
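Review bot: `status=$?` in enable_file_audit is evaluated after the `fi`, where `$?` is the exit status of the completed `if` compound (0 when no branch ran), not of the failed `remote_bao` call, so the fallback branch always reports "failed with exit code 0"; show_audit_list in the same hunk has the identical flaw. Capture the status on the assignment itself with `|| status=$?` and branch on the variable, as below (apply the same shape to show_audit_list). Separately, the `*)` branch returns 0 on any unexpected error (token lacking the capability, pod unreachable), so a bootstrap can finish "successfully" with no audit device at all and the only signal is a stderr line plus the WARNINGS counter; the summary block at the end of the file is cut off in this diff, so I cannot tell whether it turns that into a non-zero exit, and it should. The substring matches (`cannot enable audit device via API`, `path is already in use`) are tied to the wording of a particular OpenBao release and deserve a comment on the `case` saying which version they were taken from.
```sh
enable_file_audit() {
  local token="$1"
  local output status
  status=0
  output="$(remote_bao "$token" audit enable file file_path=/openbao/audit/openbao-audit.log 2>&1)" || status=$?
  if [ "$status" -eq 0 ]; then
    printf '%s\n' "$output"
    return 0
  fi

  printf '%s\n' "$output" >&2
  # … unchanged: case "$output" in … esac …
}
```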
@@ -122,7 +173,7 @@ remote_sh "$token" 'bao write auth/kubernetes/config \ write_policy "$token" platform-admin "$POLICY_DIR/platform-admin.hcl" write_policy "$token" platform-readonly "$POLICY_DIR/platform-readonly.hcl" -remote_bao "$token" audit list +show_audit_list "$token" remote_bao "$token" secrets list remote_bao "$token" auth list remote_bao "$token" policy list @@ -137,3 +188,10 @@ Next manual steps: 3. Revoke or tightly escrow the initial root token. 4. Run the raft snapshot and restore drill before moving live secrets. NEXT + +if [ "$WARNINGS" -gt 0 ]; then + cat <