feat(openbao): add SSH engine automation for ops-warden signing
Declarative roles, warden-sign policy, apply/verify scripts, and Makefile targets openbao-configure-ssh and openbao-verify-ssh. Document operator flow in docs/openbao.md for NET-WP-0020 T5 / WP-0008 T2.
openbao/ssh/roles-spec.yaml
Normal file
@@ -0,0 +1,27 @@
# Declarative SSH CA roles for ops-warden ActorType policy.
# TTL max: adm 48h, agt 24h, atm 8h — wiki/OpsWardenConfig.md (ops-warden)
mount: ssh
roles:
adm-role:
key_type: ca
allowed_users: "*"
allow_user_certificates: true
default_user: adm
ttl: 48h
max_ttl: 48h
agt-role:
key_type: ca
allowed_users: "*"
allow_user_certificates: true
default_user: agt
ttl: 24h
max_ttl: 24h
atm-role:
key_type: ca
allowed_users: "*"
allow_user_certificates: true
default_user: atm
ttl: 8h
max_ttl: 8h
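Review bot: `allowed_users: "*"` on all three roles (adm-role, agt-role, atm-role) lets any caller with sign access to a role request a certificate for any principal, so the adm/agt/atm separation this file is meant to express only holds if the warden-sign policy named in the commit message restricts which role each ActorType may call; `default_user` only fills in a principal when the request omits one, it does not limit what a request may ask for. Suggest pinning each role to its own principal, e.g. `allowed_users: adm` for adm-role (and `agt`, `atm` for the others), so the role enforces the principal regardless of policy, or extend the header comment to say why the wildcard is required and where the principal restriction is enforced instead. The TTL values do match the header comment (48h/24h/8h with `ttl` equal to `max_ttl`), so an operator cannot request a longer-lived certificate than the documented maximum.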