Tolerate declarative OpenBao audit setup
This commit is contained in:
@@ -14,7 +14,7 @@ usage() {
|
||||
Usage: scripts/openbao-apply-initial-config.sh [--dry-run]
|
||||
|
||||
Applies the first post-unseal OpenBao configuration:
|
||||
- file audit device
|
||||
- file audit device when API-managed audit is available
|
||||
- platform KV v2 mount
|
||||
- Kubernetes auth mount and in-cluster config
|
||||
- platform-admin and platform-readonly policies
|
||||
@@ -47,6 +47,12 @@ while [ "$#" -gt 0 ]; do
|
||||
done
|
||||
|
||||
pod="${OPENBAO_RELEASE}-0"
|
||||
WARNINGS=0
|
||||
|
||||
warn() {
|
||||
WARNINGS=$((WARNINGS + 1))
|
||||
printf 'WARN: %s\n' "$*" >&2
|
||||
}
|
||||
|
||||
read_token() {
|
||||
if [ -n "$TOKEN_FILE" ]; then
|
||||
@@ -102,6 +108,51 @@ write_policy() {
|
||||
sh -c 'read -r BAO_TOKEN; export BAO_TOKEN; bao policy write "$1" -' sh "$name"
|
||||
}
|
||||
|
||||
enable_file_audit() {
|
||||
local token="$1"
|
||||
local output status
|
||||
if output="$(remote_bao "$token" audit enable file file_path=/openbao/audit/openbao-audit.log 2>&1)"; then
|
||||
printf '%s\n' "$output"
|
||||
return 0
|
||||
fi
|
||||
|
||||
status=$?
|
||||
printf '%s\n' "$output" >&2
|
||||
case "$output" in
|
||||
*"cannot enable audit device via API"*)
|
||||
warn "OpenBao rejected API-managed audit enable. Configure audit devices declaratively in the OpenBao server config/Helm values."
|
||||
return 0
|
||||
;;
|
||||
*"path is already in use"*)
|
||||
warn "OpenBao file audit device already appears to be enabled."
|
||||
return 0
|
||||
;;
|
||||
*)
|
||||
warn "OpenBao audit enable failed with exit code $status."
|
||||
return 0
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
show_audit_list() {
|
||||
local token="$1"
|
||||
local output status
|
||||
if output="$(remote_bao "$token" audit list 2>&1)"; then
|
||||
printf '%s\n' "$output"
|
||||
return 0
|
||||
fi
|
||||
|
||||
status=$?
|
||||
printf '%s\n' "$output" >&2
|
||||
if printf '%s\n' "$output" | grep -qi "No audit devices are enabled"; then
|
||||
warn "No API-visible audit devices are enabled. Treat declarative audit configuration as a follow-up before production secrets."
|
||||
return 0
|
||||
fi
|
||||
|
||||
warn "OpenBao audit list failed with exit code $status."
|
||||
return 0
|
||||
}
|
||||
|
||||
token="$(read_token)"
|
||||
if [ -z "$token" ]; then
|
||||
echo "ERROR: empty token" >&2
|
||||
@@ -110,7 +161,7 @@ fi
|
||||
|
||||
remote_bao "$token" status
|
||||
|
||||
remote_bao "$token" audit enable file file_path=/openbao/audit/openbao-audit.log || true
|
||||
enable_file_audit "$token"
|
||||
remote_bao "$token" secrets enable -path=platform kv-v2 || true
|
||||
remote_bao "$token" auth enable kubernetes || true
|
||||
|
||||
@@ -122,7 +173,7 @@ remote_sh "$token" 'bao write auth/kubernetes/config \
|
||||
write_policy "$token" platform-admin "$POLICY_DIR/platform-admin.hcl"
|
||||
write_policy "$token" platform-readonly "$POLICY_DIR/platform-readonly.hcl"
|
||||
|
||||
remote_bao "$token" audit list
|
||||
show_audit_list "$token"
|
||||
remote_bao "$token" secrets list
|
||||
remote_bao "$token" auth list
|
||||
remote_bao "$token" policy list
|
||||
@@ -137,3 +188,10 @@ Next manual steps:
|
||||
3. Revoke or tightly escrow the initial root token.
|
||||
4. Run the raft snapshot and restore drill before moving live secrets.
|
||||
NEXT
|
||||
|
||||
if [ "$WARNINGS" -gt 0 ]; then
|
||||
cat <<NEXT
|
||||
|
||||
Completed with $WARNINGS warning(s). Resolve warnings before production trust.
|
||||
NEXT
|
||||
fi
|
||||
|
||||
Reference in New Issue
Block a user