Document audit-core mock sink handoff
@@ -272,7 +272,8 @@ Before any live application secrets move into OpenBao:
|
||||
custody. The drill must prove that a fresh OpenBao instance can restore the
|
||||
snapshot, unseal, and read a test secret.
|
||||
5. Decide where audit logs are shipped durably. The audit PVC alone is not a
|
||||
durable audit sink.
|
||||
durable audit sink. The interim `audit-core` mock file backend can prove API
|
||||
and setup wiring, but it writes to `/tmp` and is not production retention.
|
||||
6. Run:
|
||||
|
||||
```bash
|
||||
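Review bot: In step 5, the added sentence about the interim `audit-core` mock file backend says what the mock can prove but never says whether it closes this checklist item. The list is gated by "Before any live application secrets move into OpenBao", so state outright that the mock does not satisfy step 5, for example "It does not count as the durable sink this step requires." The sentence also mentions only `/tmp`; pointing to the later "Interim integration status" paragraph, which gives the full path and retention, would keep the two descriptions from drifting apart.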
@@ -306,6 +307,12 @@ such as an encrypted platform backup/export path or the future centralized
|
||||
logging stack. Do not treat non-secret hashes, screenshots, or State Hub notes
|
||||
as substitutes for retained audit log custody.
|
||||
|
||||
Interim integration status: `/home/worsch/audit-core` provides a mock
|
||||
Audit Core backend that writes JSONL records under
|
||||
`/tmp/audit-core/audit-YYYYMMDDTHH.jsonl` and deletes files older than seven
|
||||
days. Use it only to wire interfaces and setup validation before the durable
|
||||
Audit Core archive exists.
|
||||
|
||||
Monitoring baseline:
|
||||
|
||||
- pod readiness and liveness from Kubernetes probes
|
||||
|
||||
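Review bot: The added "Interim integration status" paragraph identifies the mock by `/home/worsch/audit-core`, a path in one user's home directory that other readers of this document cannot resolve; reference the repository or a shared location instead. The paragraph should also say which timezone the `YYYYMMDDTHH` part of the file name uses, and note that files under `/tmp` may not survive a restart, so the seven-day deletion is an upper bound on retention rather than a guarantee.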