Record OpenBao audit rollout evidence

2026-06-01 22:30:35 +02:00
parent 087bb91b86
commit f1336d5bcc
2 changed files with 11 additions and 0 deletions
--- a/helm/openbao-values.yaml
+++ b/helm/openbao-values.yaml
@@ -19,6 +19,7 @@ server:
  image:
    registry: quay.io
    repository: openbao/openbao
+    tag: "2.5.4"
    pullPolicy: IfNotPresent

  resources:
--- a/workplans/RAIL-PL-WP-0002-openbao-platform-secrets-service.md
+++ b/workplans/RAIL-PL-WP-0002-openbao-platform-secrets-service.md
@@ -255,6 +255,16 @@ Live verification still reports the pod unsealed and healthy, but also reports
 the audit log file missing because this Helm change has not yet been rolled
 out. Roll out only in an attended window with unseal shares available.

+**2026-06-01:** Rolled out the declarative audit configuration to the live
+Railiance01 OpenBao release in an attended window. Because the StatefulSet uses
+`OnDelete`, the pod was explicitly recycled after the Helm values upgrade and
+then unsealed by the operator. Post-unseal verification now reports OpenBao
+`2.5.4`, `Sealed: false`, the audit directory present, and
+`/openbao/audit/openbao-audit.log` present and non-empty. The source values now
+pin the live OpenBao image tag to `2.5.4`; Helm release revision 3 has the same
+explicit tag and the pod remained ready, so future chart upgrades do not
+implicitly change the runtime version while applying unrelated configuration.
+
 ### T07 - Cross-Repo Transition Tasks

 ```task