#!/usr/bin/env bash set -euo pipefail OPENBAO_NAMESPACE="${OPENBAO_NAMESPACE:-openbao}" OPENBAO_RELEASE="${OPENBAO_RELEASE:-openbao}" KUBECTL="${KUBECTL:-kubectl}" TOKEN_FILE="${OPENBAO_TOKEN_FILE:-}" REPO_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)" POLICY_DIR="${POLICY_DIR:-$REPO_DIR/openbao/policies}" DRY_RUN=0 usage() { cat <<'USAGE' Usage: scripts/openbao-apply-initial-config.sh [--dry-run] Applies the first post-unseal OpenBao configuration: - declarative file audit visibility check - platform KV v2 mount - Kubernetes auth mount and in-cluster config - platform-admin and platform-readonly policies This script must run only after the bootstrap ceremony initializes and unseals OpenBao. It reads the bootstrap/root or platform-admin token from: 1. OPENBAO_TOKEN_FILE, when set 2. an interactive hidden prompt It does not print the token and does not store it. USAGE } while [ "$#" -gt 0 ]; do case "$1" in --dry-run) DRY_RUN=1 shift ;; -h|--help) usage exit 0 ;; *) echo "ERROR: unknown argument: $1" >&2 usage >&2 exit 2 ;; esac done pod="${OPENBAO_RELEASE}-0" WARNINGS=0 warn() { WARNINGS=$((WARNINGS + 1)) printf 'WARN: %s\n' "$*" >&2 } read_token() { if [ -n "$TOKEN_FILE" ]; then if [ ! -f "$TOKEN_FILE" ]; then echo "ERROR: OPENBAO_TOKEN_FILE does not exist: $TOKEN_FILE" >&2 exit 1 fi head -n 1 "$TOKEN_FILE" return fi local token read -r -s -p "OpenBao token: " token printf '\n' >&2 printf '%s\n' "$token" } remote_bao() { local token="$1" shift if [ "$DRY_RUN" -eq 1 ]; then printf 'DRY-RUN: bao %s\n' "$*" return 0 fi printf '%s\n' "$token" | $KUBECTL exec -i -n "$OPENBAO_NAMESPACE" "$pod" -- \ sh -c 'read -r BAO_TOKEN; export BAO_TOKEN; exec bao "$@"' sh "$@" } remote_sh() { local token="$1" local script="$2" if [ "$DRY_RUN" -eq 1 ]; then printf 'DRY-RUN: remote shell: %s\n' "$script" return 0 fi printf '%s\n%s\n' "$token" "$script" | $KUBECTL exec -i -n "$OPENBAO_NAMESPACE" "$pod" -- \ sh -c 'read -r BAO_TOKEN; export BAO_TOKEN; sh' } write_policy() { local token="$1" local name="$2" local file="$3" if [ ! -f "$file" ]; then echo "ERROR: missing policy file: $file" >&2 exit 1 fi if [ "$DRY_RUN" -eq 1 ]; then printf 'DRY-RUN: bao policy write %s %s\n' "$name" "$file" return 0 fi { printf '%s\n' "$token"; cat "$file"; } | $KUBECTL exec -i -n "$OPENBAO_NAMESPACE" "$pod" -- \ sh -c 'read -r BAO_TOKEN; export BAO_TOKEN; bao policy write "$1" -' sh "$name" } verify_file_audit() { local token="$1" local output status if [ "$DRY_RUN" -eq 1 ]; then printf 'DRY-RUN: verify declarative OpenBao file audit device is visible with bao audit list\n' return 0 fi if output="$(remote_bao "$token" audit list 2>&1)"; then printf '%s\n' "$output" if printf '%s\n' "$output" | grep -Eq '(^|[[:space:]])file/'; then printf 'OK: OpenBao file audit device is configured.\n' else warn "OpenBao audit list did not show file/. Check declarative audit configuration before production trust." fi return 0 fi status=$? printf '%s\n' "$output" >&2 warn "OpenBao audit list failed with exit code $status. Check declarative audit configuration before production trust." return 0 } enable_optional() { local token="$1" local already_message="$2" shift 2 local output status if output="$(remote_bao "$token" "$@" 2>&1)"; then printf '%s\n' "$output" return 0 fi status=$? case "$output" in *"path is already in use"*) printf 'OK: %s\n' "$already_message" return 0 ;; *) printf '%s\n' "$output" >&2 warn "OpenBao command failed with exit code $status: bao $*" return 0 ;; esac } show_audit_list() { local token="$1" local output status if output="$(remote_bao "$token" audit list 2>&1)"; then printf '%s\n' "$output" return 0 fi status=$? if printf '%s\n' "$output" | grep -qi "No audit devices are enabled"; then warn "No API-visible audit devices are enabled. Check declarative audit configuration before production secrets." return 0 fi printf '%s\n' "$output" >&2 warn "OpenBao audit list failed with exit code $status." return 0 } token="$(read_token)" if [ -z "$token" ]; then echo "ERROR: empty token" >&2 exit 1 fi remote_bao "$token" status verify_file_audit "$token" enable_optional "$token" "platform/ KV secrets engine is already enabled." secrets enable -path=platform kv-v2 enable_optional "$token" "kubernetes/ auth method is already enabled." auth enable kubernetes remote_sh "$token" 'bao write auth/kubernetes/config \ kubernetes_host="https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}" \ token_reviewer_jwt=@/var/run/secrets/kubernetes.io/serviceaccount/token \ kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt' write_policy "$token" platform-admin "$POLICY_DIR/platform-admin.hcl" write_policy "$token" platform-readonly "$POLICY_DIR/platform-readonly.hcl" show_audit_list "$token" remote_bao "$token" secrets list remote_bao "$token" auth list remote_bao "$token" policy list cat <<'NEXT' Initial OpenBao configuration applied. Next manual steps: 1. Create a non-root platform-admin token with a short TTL or renewable period. 2. Store that token through the approved human/operator secret path. 3. Revoke or tightly escrow the initial root token. 4. Run the raft snapshot and restore drill before moving live secrets. NEXT if [ "$WARNINGS" -gt 0 ]; then cat <