coulomb/railiance-platform
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3741294b05f9a1f8d06e5c5dcd3c7b112bb3a52c
railiance-platform/scripts/openbao-apply-initial-config.sh
tegwick a7ffeb8b46 Platform secret setup
2026-05-23 13:59:58 +02:00

140 lines
3.7 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
set -euo pipefail
OPENBAO_NAMESPACE="${OPENBAO_NAMESPACE:-openbao}"
OPENBAO_RELEASE="${OPENBAO_RELEASE:-openbao}"
KUBECTL="${KUBECTL:-kubectl}"
TOKEN_FILE="${OPENBAO_TOKEN_FILE:-}"
REPO_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
POLICY_DIR="${POLICY_DIR:-$REPO_DIR/openbao/policies}"
DRY_RUN=0
usage() {
cat <<'USAGE'
Usage: scripts/openbao-apply-initial-config.sh [--dry-run]
Applies the first post-unseal OpenBao configuration:
- file audit device
- platform KV v2 mount
- Kubernetes auth mount and in-cluster config
- platform-admin and platform-readonly policies
This script must run only after the bootstrap ceremony initializes and unseals
OpenBao. It reads the bootstrap/root or platform-admin token from:
1. OPENBAO_TOKEN_FILE, when set
2. an interactive hidden prompt
It does not print the token and does not store it.
USAGE
}
while [ "$#" -gt 0 ]; do
case "$1" in
--dry-run)
DRY_RUN=1
shift
;;
-h|--help)
usage
exit 0
;;
*)
echo "ERROR: unknown argument: $1" >&2
usage >&2
exit 2
;;
esac
done
pod="${OPENBAO_RELEASE}-0"
read_token() {
if [ -n "$TOKEN_FILE" ]; then
if [ ! -f "$TOKEN_FILE" ]; then
echo "ERROR: OPENBAO_TOKEN_FILE does not exist: $TOKEN_FILE" >&2
exit 1
fi
head -n 1 "$TOKEN_FILE"
return
fi
local token
read -r -s -p "OpenBao token: " token
printf '\n' >&2
printf '%s\n' "$token"
}
remote_bao() {
local token="$1"
shift
if [ "$DRY_RUN" -eq 1 ]; then
printf 'DRY-RUN: bao %s\n' "$*"
return 0
fi
printf '%s\n' "$token" | $KUBECTL exec -i -n "$OPENBAO_NAMESPACE" "$pod" -- \
sh -c 'read -r BAO_TOKEN; export BAO_TOKEN; exec bao "$@"' sh "$@"
}
remote_sh() {
local token="$1"
local script="$2"
if [ "$DRY_RUN" -eq 1 ]; then
printf 'DRY-RUN: remote shell: %s\n' "$script"
return 0
fi
printf '%s\n%s\n' "$token" "$script" | $KUBECTL exec -i -n "$OPENBAO_NAMESPACE" "$pod" -- \
sh -c 'read -r BAO_TOKEN; export BAO_TOKEN; sh'
}
write_policy() {
local token="$1"
local name="$2"
local file="$3"
if [ ! -f "$file" ]; then
echo "ERROR: missing policy file: $file" >&2
exit 1
fi
if [ "$DRY_RUN" -eq 1 ]; then
printf 'DRY-RUN: bao policy write %s %s\n' "$name" "$file"
return 0
fi
{ printf '%s\n' "$token"; cat "$file"; } | $KUBECTL exec -i -n "$OPENBAO_NAMESPACE" "$pod" -- \
sh -c 'read -r BAO_TOKEN; export BAO_TOKEN; bao policy write "$1" -' sh "$name"
}
token="$(read_token)"
if [ -z "$token" ]; then
echo "ERROR: empty token" >&2
exit 1
fi
remote_bao "$token" status
remote_bao "$token" audit enable file file_path=/openbao/audit/openbao-audit.log || true
remote_bao "$token" secrets enable -path=platform kv-v2 || true
remote_bao "$token" auth enable kubernetes || true
remote_sh "$token" 'bao write auth/kubernetes/config \
kubernetes_host="https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}" \
token_reviewer_jwt=@/var/run/secrets/kubernetes.io/serviceaccount/token \
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt'
write_policy "$token" platform-admin "$POLICY_DIR/platform-admin.hcl"
write_policy "$token" platform-readonly "$POLICY_DIR/platform-readonly.hcl"
remote_bao "$token" audit list
remote_bao "$token" secrets list
remote_bao "$token" auth list
remote_bao "$token" policy list
cat <<'NEXT'
Initial OpenBao configuration applied.
Next manual steps:
1. Create a non-root platform-admin token with a short TTL or renewable period.
2. Store that token through the approved human/operator secret path.
3. Revoke or tightly escrow the initial root token.
4. Run the raft snapshot and restore drill before moving live secrets.
NEXT
Reference in New Issue View Git Blame Copy Permalink