From f1336d5bccb41d2bfb29a74ed5116c4fc84c04e1 Mon Sep 17 00:00:00 2001 From: tegwick Date: Mon, 1 Jun 2026 22:30:35 +0200 Subject: [PATCH] Record OpenBao audit rollout evidence --- helm/openbao-values.yaml | 1 + ...RAIL-PL-WP-0002-openbao-platform-secrets-service.md | 10 ++++++++++ 2 files changed, 11 insertions(+) diff --git a/helm/openbao-values.yaml b/helm/openbao-values.yaml index fb1c95f..c17e81b 100644 --- a/helm/openbao-values.yaml +++ b/helm/openbao-values.yaml @@ -19,6 +19,7 @@ server: image: registry: quay.io repository: openbao/openbao + tag: "2.5.4" pullPolicy: IfNotPresent resources: diff --git a/workplans/RAIL-PL-WP-0002-openbao-platform-secrets-service.md b/workplans/RAIL-PL-WP-0002-openbao-platform-secrets-service.md index e4df3d4..a6a893b 100644 --- a/workplans/RAIL-PL-WP-0002-openbao-platform-secrets-service.md +++ b/workplans/RAIL-PL-WP-0002-openbao-platform-secrets-service.md @@ -255,6 +255,16 @@ Live verification still reports the pod unsealed and healthy, but also reports the audit log file missing because this Helm change has not yet been rolled out. Roll out only in an attended window with unseal shares available. +**2026-06-01:** Rolled out the declarative audit configuration to the live +Railiance01 OpenBao release in an attended window. Because the StatefulSet uses +`OnDelete`, the pod was explicitly recycled after the Helm values upgrade and +then unsealed by the operator. Post-unseal verification now reports OpenBao +`2.5.4`, `Sealed: false`, the audit directory present, and +`/openbao/audit/openbao-audit.log` present and non-empty. The source values now +pin the live OpenBao image tag to `2.5.4`; Helm release revision 3 has the same +explicit tag and the pod remained ready, so future chart upgrades do not +implicitly change the runtime version while applying unrelated configuration. + ### T07 - Cross-Repo Transition Tasks ```task
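Review bot: In helm/openbao-values.yaml, the added `tag: "2.5.4"` line pins a tag rather than image content, and a tag can be repointed at the registry. With `pullPolicy: IfNotPresent` on the next line, a node that already caches an image under that tag will not pull again, so two nodes can run different bits under the same label. If the chart's image block accepts a digest, record the digest of the image that was verified live next to the tag; if it does not, put the verified digest in the workplan entry. A one-line comment above the tag saying it is pinned deliberately and is only bumped in an attended window would also keep it from being read as a stale value.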
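Review bot: In the 2026-06-01 workplan entry, "Helm release revision 3 has the same explicit tag and the pod remained ready" does not show that the running pod was created from revision 3. The entry itself says the StatefulSet uses `OnDelete`, so an upgrade that leaves the pod ready has not replaced it. Please state which revision carried the audit configuration, which revision the recycled pod was created from, and whether another attended recycle is still pending. The audit evidence would also be stronger if it named the check that produced it and showed the audit device enabled and a new entry written after the unseal, since a present, non-empty `/openbao/audit/openbao-audit.log` does not by itself show that current requests are being logged.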