Tolerate declarative OpenBao audit setup

This commit is contained in:
2026-05-25 15:14:41 +02:00
parent 3741294b05
commit b76e9101d8
2 changed files with 70 additions and 6 deletions


@@ -187,9 +187,9 @@ configuration:
make openbao-configure-initial make openbao-configure-initial
``` ```
The target prompts for a token, enables file audit, enables the `platform/` KV The target prompts for a token, enables file audit when API-managed audit is
v2 mount, enables Kubernetes auth, configures Kubernetes auth from the in-pod available, enables the `platform/` KV v2 mount, enables Kubernetes auth,
service account, and loads: configures Kubernetes auth from the in-pod service account, and loads:
- `openbao/policies/platform-admin.hcl` - `openbao/policies/platform-admin.hcl`
- `openbao/policies/platform-readonly.hcl` - `openbao/policies/platform-readonly.hcl`
@@ -198,6 +198,12 @@ It does not print or store the token. You may also set
`OPENBAO_TOKEN_FILE=/path/to/token-file` for an operator-local, uncommitted `OPENBAO_TOKEN_FILE=/path/to/token-file` for an operator-local, uncommitted
token file. token file.
Current OpenBao releases may reject API-managed audit setup with a message that
audit devices must be configured declaratively. In that case the helper exits
successfully with a warning after applying the other bootstrap configuration.
Treat declarative audit configuration in the OpenBao server config/Helm values
as mandatory before production secrets move in.
After the helper succeeds, create a non-root admin token: After the helper succeeds, create a non-root admin token:
```bash ```bash


@@ -14,7 +14,7 @@ usage() {
Usage: scripts/openbao-apply-initial-config.sh [--dry-run] Usage: scripts/openbao-apply-initial-config.sh [--dry-run]
Applies the first post-unseal OpenBao configuration: Applies the first post-unseal OpenBao configuration:
- file audit device - file audit device when API-managed audit is available
- platform KV v2 mount - platform KV v2 mount
- Kubernetes auth mount and in-cluster config - Kubernetes auth mount and in-cluster config
- platform-admin and platform-readonly policies - platform-admin and platform-readonly policies
@@ -47,6 +47,12 @@ while [ "$#" -gt 0 ]; do
done done
pod="${OPENBAO_RELEASE}-0" pod="${OPENBAO_RELEASE}-0"
WARNINGS=0
warn() {
WARNINGS=$((WARNINGS + 1))
printf 'WARN: %s\n' "$*" >&2
}
read_token() { read_token() {
if [ -n "$TOKEN_FILE" ]; then if [ -n "$TOKEN_FILE" ]; then
@@ -102,6 +108,51 @@ write_policy() {
sh -c 'read -r BAO_TOKEN; export BAO_TOKEN; bao policy write "$1" -' sh "$name" sh -c 'read -r BAO_TOKEN; export BAO_TOKEN; bao policy write "$1" -' sh "$name"
} }
enable_file_audit() {
local token="$1"
local output status
if output="$(remote_bao "$token" audit enable file file_path=/openbao/audit/openbao-audit.log 2>&1)"; then
printf '%s\n' "$output"
return 0
fi
status=$?
printf '%s\n' "$output" >&2
case "$output" in
*"cannot enable audit device via API"*)
warn "OpenBao rejected API-managed audit enable. Configure audit devices declaratively in the OpenBao server config/Helm values."
return 0
;;
*"path is already in use"*)
warn "OpenBao file audit device already appears to be enabled."
return 0
;;
*)
warn "OpenBao audit enable failed with exit code $status."
return 0
;;
esac
}
show_audit_list() {
local token="$1"
local output status
if output="$(remote_bao "$token" audit list 2>&1)"; then
printf '%s\n' "$output"
return 0
fi
status=$?
printf '%s\n' "$output" >&2
if printf '%s\n' "$output" | grep -qi "No audit devices are enabled"; then
warn "No API-visible audit devices are enabled. Treat declarative audit configuration as a follow-up before production secrets."
return 0
fi
warn "OpenBao audit list failed with exit code $status."
return 0
}
token="$(read_token)" token="$(read_token)"
if [ -z "$token" ]; then if [ -z "$token" ]; then
echo "ERROR: empty token" >&2 echo "ERROR: empty token" >&2
@@ -110,7 +161,7 @@ fi
remote_bao "$token" status remote_bao "$token" status
remote_bao "$token" audit enable file file_path=/openbao/audit/openbao-audit.log || true enable_file_audit "$token"
remote_bao "$token" secrets enable -path=platform kv-v2 || true remote_bao "$token" secrets enable -path=platform kv-v2 || true
remote_bao "$token" auth enable kubernetes || true remote_bao "$token" auth enable kubernetes || true
@@ -122,7 +173,7 @@ remote_sh "$token" 'bao write auth/kubernetes/config \
write_policy "$token" platform-admin "$POLICY_DIR/platform-admin.hcl" write_policy "$token" platform-admin "$POLICY_DIR/platform-admin.hcl"
write_policy "$token" platform-readonly "$POLICY_DIR/platform-readonly.hcl" write_policy "$token" platform-readonly "$POLICY_DIR/platform-readonly.hcl"
remote_bao "$token" audit list show_audit_list "$token"
remote_bao "$token" secrets list remote_bao "$token" secrets list
remote_bao "$token" auth list remote_bao "$token" auth list
remote_bao "$token" policy list remote_bao "$token" policy list
@@ -137,3 +188,10 @@ Next manual steps:
3. Revoke or tightly escrow the initial root token. 3. Revoke or tightly escrow the initial root token.
4. Run the raft snapshot and restore drill before moving live secrets. 4. Run the raft snapshot and restore drill before moving live secrets.
NEXT NEXT
if [ "$WARNINGS" -gt 0 ]; then
cat <<NEXT
Completed with $WARNINGS warning(s). Resolve warnings before production trust.
NEXT
fi
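Review bot: In `enable_file_audit`, the `status=$?` placed after the `fi` reads the exit status of the completed `if` compound command, which is 0 when the condition was false and no branch ran, so the catch-all `warn "OpenBao audit enable failed with exit code $status."` will always report exit code 0 instead of the `remote_bao` failure code; `show_audit_list` has the same defect at its own `status=$?`. Capture the status inside the conditional instead: replace the `fi` / `status=$?` pair in both functions with `else`, `status=$?`, `fi`, since `$?` in the `else` branch still holds the tested condition's status. Separately, when the "cannot enable audit device via API" branch fires, every later step in this script runs without any audit device and the final `Completed with $WARNINGS warning(s)` block still exits 0, so an automated `make openbao-configure-initial` run cannot distinguish a bootstrap with an audit trail from one without; consider a comment above `WARNINGS=0` such as `# WARNINGS is advisory only: the script exits 0 even when audit could not be enabled; callers must check stderr.` or, if the tolerant path is meant to be opt-in, gating it behind an environment variable (placeholder name, e.g. `OPENBAO_ALLOW_NO_AUDIT`) and returning non-zero otherwise.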