Tolerate declarative OpenBao audit setup

docs/openbao.md

@@ -187,9 +187,9 @@ configuration:
 make openbao-configure-initial
 ```
 
-The target prompts for a token, enables file audit, enables the `platform/` KV
-v2 mount, enables Kubernetes auth, configures Kubernetes auth from the in-pod
-service account, and loads:
+The target prompts for a token, enables file audit when API-managed audit is
+available, enables the `platform/` KV v2 mount, enables Kubernetes auth,
+configures Kubernetes auth from the in-pod service account, and loads:
 
 - `openbao/policies/platform-admin.hcl`
 - `openbao/policies/platform-readonly.hcl`
@@ -198,6 +198,12 @@ It does not print or store the token. You may also set
 `OPENBAO_TOKEN_FILE=/path/to/token-file` for an operator-local, uncommitted
 token file.
 
+Current OpenBao releases may reject API-managed audit setup with a message that
+audit devices must be configured declaratively. In that case the helper exits
+successfully with a warning after applying the other bootstrap configuration.
+Treat declarative audit configuration in the OpenBao server config/Helm values
+as mandatory before production secrets move in.
+
 After the helper succeeds, create a non-root admin token:
 
 ```bash