coulomb/railiance-platform
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c16fa1f81cb3eb2036758b49513d6ba12d0e202b
railiance-platform/scripts/openbao-apply-initial-config.sh

219 lines
5.6 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
set -euo pipefail
OPENBAO_NAMESPACE="${OPENBAO_NAMESPACE:-openbao}"
OPENBAO_RELEASE="${OPENBAO_RELEASE:-openbao}"
KUBECTL="${KUBECTL:-kubectl}"
TOKEN_FILE="${OPENBAO_TOKEN_FILE:-}"
REPO_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
POLICY_DIR="${POLICY_DIR:-$REPO_DIR/openbao/policies}"
DRY_RUN=0
usage() {
cat <<'USAGE'
Usage: scripts/openbao-apply-initial-config.sh [--dry-run]
Applies the first post-unseal OpenBao configuration:
- declarative file audit visibility check
- platform KV v2 mount
- Kubernetes auth mount and in-cluster config
- platform-admin and platform-readonly policies
This script must run only after the bootstrap ceremony initializes and unseals
OpenBao. It reads the bootstrap/root or platform-admin token from:
1. OPENBAO_TOKEN_FILE, when set
2. an interactive hidden prompt
It does not print the token and does not store it.
USAGE
}
while [ "$#" -gt 0 ]; do
case "$1" in
--dry-run)
DRY_RUN=1
shift
;;
-h|--help)
usage
exit 0
;;
*)
echo "ERROR: unknown argument: $1" >&2
usage >&2
exit 2
;;
esac
done
pod="${OPENBAO_RELEASE}-0"
WARNINGS=0
warn() {
WARNINGS=$((WARNINGS + 1))
printf 'WARN: %s\n' "$*" >&2
}
read_token() {
if [ -n "$TOKEN_FILE" ]; then
if [ ! -f "$TOKEN_FILE" ]; then
echo "ERROR: OPENBAO_TOKEN_FILE does not exist: $TOKEN_FILE" >&2
exit 1
fi
head -n 1 "$TOKEN_FILE"
return
fi
local token
read -r -s -p "OpenBao token: " token
printf '\n' >&2
printf '%s\n' "$token"
}
remote_bao() {
local token="$1"
shift
if [ "$DRY_RUN" -eq 1 ]; then
printf 'DRY-RUN: bao %s\n' "$*"
return 0
fi
printf '%s\n' "$token" | $KUBECTL exec -i -n "$OPENBAO_NAMESPACE" "$pod" -- \
sh -c 'read -r BAO_TOKEN; export BAO_TOKEN; exec bao "$@"' sh "$@"
}
remote_sh() {
local token="$1"
local script="$2"
if [ "$DRY_RUN" -eq 1 ]; then
printf 'DRY-RUN: remote shell: %s\n' "$script"
return 0
fi
printf '%s\n%s\n' "$token" "$script" | $KUBECTL exec -i -n "$OPENBAO_NAMESPACE" "$pod" -- \
sh -c 'read -r BAO_TOKEN; export BAO_TOKEN; sh'
}
write_policy() {
local token="$1"
local name="$2"
local file="$3"
if [ ! -f "$file" ]; then
echo "ERROR: missing policy file: $file" >&2
exit 1
fi
if [ "$DRY_RUN" -eq 1 ]; then
printf 'DRY-RUN: bao policy write %s %s\n' "$name" "$file"
return 0
fi
{ printf '%s\n' "$token"; cat "$file"; } | $KUBECTL exec -i -n "$OPENBAO_NAMESPACE" "$pod" -- \
sh -c 'read -r BAO_TOKEN; export BAO_TOKEN; bao policy write "$1" -' sh "$name"
}
verify_file_audit() {
local token="$1"
local output status
if [ "$DRY_RUN" -eq 1 ]; then
printf 'DRY-RUN: verify declarative OpenBao file audit device is visible with bao audit list\n'
return 0
fi
if output="$(remote_bao "$token" audit list 2>&1)"; then
printf '%s\n' "$output"
if printf '%s\n' "$output" | grep -Eq '(^|[[:space:]])file/'; then
printf 'OK: OpenBao file audit device is configured.\n'
else
warn "OpenBao audit list did not show file/. Check declarative audit configuration before production trust."
fi
return 0
fi
status=$?
printf '%s\n' "$output" >&2
warn "OpenBao audit list failed with exit code $status. Check declarative audit configuration before production trust."
return 0
}
enable_optional() {
local token="$1"
local already_message="$2"
shift 2
local output status
if output="$(remote_bao "$token" "$@" 2>&1)"; then
printf '%s\n' "$output"
return 0
fi
status=$?
case "$output" in
*"path is already in use"*)
printf 'OK: %s\n' "$already_message"
return 0
;;
*)
printf '%s\n' "$output" >&2
warn "OpenBao command failed with exit code $status: bao $*"
return 0
;;
esac
}
show_audit_list() {
local token="$1"
local output status
if output="$(remote_bao "$token" audit list 2>&1)"; then
printf '%s\n' "$output"
return 0
fi
status=$?
if printf '%s\n' "$output" | grep -qi "No audit devices are enabled"; then
warn "No API-visible audit devices are enabled. Check declarative audit configuration before production secrets."
return 0
fi
printf '%s\n' "$output" >&2
warn "OpenBao audit list failed with exit code $status."
return 0
}
token="$(read_token)"
if [ -z "$token" ]; then
echo "ERROR: empty token" >&2
exit 1
fi
remote_bao "$token" status
verify_file_audit "$token"
enable_optional "$token" "platform/ KV secrets engine is already enabled." secrets enable -path=platform kv-v2
enable_optional "$token" "kubernetes/ auth method is already enabled." auth enable kubernetes
remote_sh "$token" 'bao write auth/kubernetes/config \
kubernetes_host="https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}" \
token_reviewer_jwt=@/var/run/secrets/kubernetes.io/serviceaccount/token \
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt'
write_policy "$token" platform-admin "$POLICY_DIR/platform-admin.hcl"
write_policy "$token" platform-readonly "$POLICY_DIR/platform-readonly.hcl"
show_audit_list "$token"
remote_bao "$token" secrets list
remote_bao "$token" auth list
remote_bao "$token" policy list
cat <<'NEXT'
Initial OpenBao configuration applied.
Next manual steps:
1. Create a non-root platform-admin token with a short TTL or renewable period.
2. Store that token through the approved human/operator secret path.
3. Revoke or tightly escrow the initial root token.
4. Run the raft snapshot and restore drill before moving live secrets.
NEXT
if [ "$WARNINGS" -gt 0 ]; then
cat <<NEXT
Completed with $WARNINGS warning(s). Resolve warnings before production trust.
NEXT
fi
Reference in New Issue View Git Blame Copy Permalink