Tolerate declarative OpenBao audit setup
@@ -187,9 +187,9 @@ configuration:
|
|||||||
make openbao-configure-initial
|
make openbao-configure-initial
|
||||||
```
|
```
|
||||||
|
|
||||||
The target prompts for a token, enables file audit, enables the `platform/` KV
|
The target prompts for a token, enables file audit when API-managed audit is
|
||||||
v2 mount, enables Kubernetes auth, configures Kubernetes auth from the in-pod
|
available, enables the `platform/` KV v2 mount, enables Kubernetes auth,
|
||||||
service account, and loads:
|
configures Kubernetes auth from the in-pod service account, and loads:
|
||||||
|
|
||||||
- `openbao/policies/platform-admin.hcl`
|
- `openbao/policies/platform-admin.hcl`
|
||||||
- `openbao/policies/platform-readonly.hcl`
|
- `openbao/policies/platform-readonly.hcl`
|
||||||
@@ -198,6 +198,12 @@ It does not print or store the token. You may also set
|
|||||||
`OPENBAO_TOKEN_FILE=/path/to/token-file` for an operator-local, uncommitted
|
`OPENBAO_TOKEN_FILE=/path/to/token-file` for an operator-local, uncommitted
|
||||||
token file.
|
token file.
|
||||||
|
|
||||||
|
Current OpenBao releases may reject API-managed audit setup with a message that
|
||||||
|
audit devices must be configured declaratively. In that case the helper exits
|
||||||
|
successfully with a warning after applying the other bootstrap configuration.
|
||||||
|
Treat declarative audit configuration in the OpenBao server config/Helm values
|
||||||
|
as mandatory before production secrets move in.
|
||||||
|
|
||||||
After the helper succeeds, create a non-root admin token:
|
After the helper succeeds, create a non-root admin token:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
|
|||||||
@@ -14,7 +14,7 @@ usage() {
|
|||||||
Usage: scripts/openbao-apply-initial-config.sh [--dry-run]
|
Usage: scripts/openbao-apply-initial-config.sh [--dry-run]
|
||||||
|
|
||||||
Applies the first post-unseal OpenBao configuration:
|
Applies the first post-unseal OpenBao configuration:
|
||||||
- file audit device
|
- file audit device when API-managed audit is available
|
||||||
- platform KV v2 mount
|
- platform KV v2 mount
|
||||||
- Kubernetes auth mount and in-cluster config
|
- Kubernetes auth mount and in-cluster config
|
||||||
- platform-admin and platform-readonly policies
|
- platform-admin and platform-readonly policies
|
||||||
@@ -47,6 +47,12 @@ while [ "$#" -gt 0 ]; do
|
|||||||
done
|
done
|
||||||
|
|
||||||
pod="${OPENBAO_RELEASE}-0"
|
pod="${OPENBAO_RELEASE}-0"
|
||||||
|
WARNINGS=0
|
||||||
|
|
||||||
|
warn() {
|
||||||
|
WARNINGS=$((WARNINGS + 1))
|
||||||
|
printf 'WARN: %s\n' "$*" >&2
|
||||||
|
}
|
||||||
|
|
||||||
read_token() {
|
read_token() {
|
||||||
if [ -n "$TOKEN_FILE" ]; then
|
if [ -n "$TOKEN_FILE" ]; then
|
||||||
@@ -102,6 +108,51 @@ write_policy() {
|
|||||||
sh -c 'read -r BAO_TOKEN; export BAO_TOKEN; bao policy write "$1" -' sh "$name"
|
sh -c 'read -r BAO_TOKEN; export BAO_TOKEN; bao policy write "$1" -' sh "$name"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
enable_file_audit() {
|
||||||
|
local token="$1"
|
||||||
|
local output status
|
||||||
|
if output="$(remote_bao "$token" audit enable file file_path=/openbao/audit/openbao-audit.log 2>&1)"; then
|
||||||
|
printf '%s\n' "$output"
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
status=$?
|
||||||
|
printf '%s\n' "$output" >&2
|
||||||
|
case "$output" in
|
||||||
|
*"cannot enable audit device via API"*)
|
||||||
|
warn "OpenBao rejected API-managed audit enable. Configure audit devices declaratively in the OpenBao server config/Helm values."
|
||||||
|
return 0
|
||||||
|
;;
|
||||||
|
*"path is already in use"*)
|
||||||
|
warn "OpenBao file audit device already appears to be enabled."
|
||||||
|
return 0
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
warn "OpenBao audit enable failed with exit code $status."
|
||||||
|
return 0
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
}
|
||||||
|
|
||||||
|
show_audit_list() {
|
||||||
|
local token="$1"
|
||||||
|
local output status
|
||||||
|
if output="$(remote_bao "$token" audit list 2>&1)"; then
|
||||||
|
printf '%s\n' "$output"
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
status=$?
|
||||||
|
printf '%s\n' "$output" >&2
|
||||||
|
if printf '%s\n' "$output" | grep -qi "No audit devices are enabled"; then
|
||||||
|
warn "No API-visible audit devices are enabled. Treat declarative audit configuration as a follow-up before production secrets."
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
warn "OpenBao audit list failed with exit code $status."
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
token="$(read_token)"
|
token="$(read_token)"
|
||||||
if [ -z "$token" ]; then
|
if [ -z "$token" ]; then
|
||||||
echo "ERROR: empty token" >&2
|
echo "ERROR: empty token" >&2
|
||||||
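Review bot: `status=$?` in enable_file_audit is read after the `fi`, so it holds the exit status of the whole `if` compound command, which is 0 when the condition failed and no branch ran; the fallback warning "audit enable failed with exit code $status" will therefore always report 0, and show_audit_list has the same defect with its own `status=$?`. Capture the status inside the failure branch instead, e.g. `else` / `  status=$?` / `fi` in place of the `fi` plus the standalone assignment, in both functions. Separately, the `*)` arm returns 0 for any failure, so an unrelated error such as a rejected token or an unreachable pod is downgraded to a warning and the script still exits successfully; consider `return "$status"` there (or at least making the final exit status reflect `WARNINGS`), since the tolerated cases are already matched explicitly. The substring matches on server messages are inherently brittle across OpenBao versions, so a comment naming the release whose wording they were taken from would help the next maintainer. The callers of these functions are in a later hunk of the same file.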
@@ -110,7 +161,7 @@ fi
|
|||||||
|
|
||||||
remote_bao "$token" status
|
remote_bao "$token" status
|
||||||
|
|
||||||
remote_bao "$token" audit enable file file_path=/openbao/audit/openbao-audit.log || true
|
enable_file_audit "$token"
|
||||||
remote_bao "$token" secrets enable -path=platform kv-v2 || true
|
remote_bao "$token" secrets enable -path=platform kv-v2 || true
|
||||||
remote_bao "$token" auth enable kubernetes || true
|
remote_bao "$token" auth enable kubernetes || true
|
||||||
|
|
||||||
@@ -122,7 +173,7 @@ remote_sh "$token" 'bao write auth/kubernetes/config \
|
|||||||
write_policy "$token" platform-admin "$POLICY_DIR/platform-admin.hcl"
|
write_policy "$token" platform-admin "$POLICY_DIR/platform-admin.hcl"
|
||||||
write_policy "$token" platform-readonly "$POLICY_DIR/platform-readonly.hcl"
|
write_policy "$token" platform-readonly "$POLICY_DIR/platform-readonly.hcl"
|
||||||
|
|
||||||
remote_bao "$token" audit list
|
show_audit_list "$token"
|
||||||
remote_bao "$token" secrets list
|
remote_bao "$token" secrets list
|
||||||
remote_bao "$token" auth list
|
remote_bao "$token" auth list
|
||||||
remote_bao "$token" policy list
|
remote_bao "$token" policy list
|
||||||
@@ -137,3 +188,10 @@ Next manual steps:
|
|||||||
3. Revoke or tightly escrow the initial root token.
|
3. Revoke or tightly escrow the initial root token.
|
||||||
4. Run the raft snapshot and restore drill before moving live secrets.
|
4. Run the raft snapshot and restore drill before moving live secrets.
|
||||||
NEXT
|
NEXT
|
||||||
|
|
||||||
|
if [ "$WARNINGS" -gt 0 ]; then
|
||||||
|
cat <<NEXT
|
||||||
|
|
||||||
|
Completed with $WARNINGS warning(s). Resolve warnings before production trust.
|
||||||
|
NEXT
|
||||||
|
fi
|
||||||
|
|||||||