Configure OpenBao file audit declaratively
parent 5840783e44
commit 087bb91b86
5 changed files with 53 additions and 36 deletions
@ -244,6 +244,17 @@ Authenticated checks for audit devices, auth methods, and mounts still require
|
|||
the OIDC-backed or temporary platform-admin path and remain part of the
|
||||
production-readiness closeout.
|
||||
|
||||
**2026-06-01:** Added the source-side declarative file-audit configuration
|
||||
required by `NET-WP-0017-T02`: `helm/openbao-values.yaml` now includes an
|
||||
OpenBao `audit "file" "file"` stanza writing to
|
||||
`/openbao/audit/openbao-audit.log`, and
|
||||
`scripts/openbao-apply-initial-config.sh` now verifies audit visibility with
|
||||
`bao audit list` instead of attempting API-managed audit creation. The
|
||||
post-unseal verifier now warns when the audit log file is missing or empty.
|
||||
Live verification still reports the pod unsealed and healthy, but also reports
|
||||
the audit log file missing because this Helm change has not yet been rolled
|
||||
out. Roll out only in an attended window with unseal shares available.
|
||||
|
||||
### T07 - Cross-Repo Transition Tasks
|
||||
|
||||
```task
|
||||
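Review bot: In the added 2026-06-01 entry, the post-unseal verifier only warns when the audit log file is missing or empty. Once the Helm change is rolled out, a missing file may mean the declarative audit device did not load, and a warning is easy to miss. Consider stating whether the check becomes a hard failure after rollout, or track that as a follow-up task. The entry also does not say which credential `scripts/openbao-apply-initial-config.sh` uses for `bao audit list`, while the context lines just above state that authenticated checks for audit devices still require the OIDC-backed or temporary platform-admin path; one sentence naming the path used would close that gap.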