Add OpenBao emergency drill evidence validator
parent
123b9aafce
commit
606a5f3e1e
5 changed files with 152 additions and 1 deletions
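--- /dev/null
+++ b/docs/openbao-emergency-drill-evidence.example.json
@@ -0,0 +1,21 @@
+{
+"drill_date": "2026-06-01",
+"operator": "platform-root",
+"source_cluster": "railiance01",
+"source_namespace": "openbao",
+"source_pod": "openbao-0",
+"seal_started_at": "2026-06-01T22:00:00Z",
+"seal_command_issued": true,
+"sealed_status_confirmed": true,
+"sealed_status_observed_at": "2026-06-01T22:00:30Z",
+"unseal_quorum_available": true,
+"unseal_started_at": "2026-06-01T22:01:00Z",
+"unseal_completed": true,
+"unseal_completed_at": "2026-06-01T22:02:30Z",
+"post_unseal_status_verified": true,
+"post_unseal_readiness_verified": true,
+"post_unseal_verification": "bao status reported Sealed false and make openbao-verify-post-unseal passed after the drill",
+"availability_window_minutes": 3,
+"no_secret_material_recorded": true,
+"notes": "Do not record OpenBao tokens, root tokens, unseal shares, private keys, passwords, OTP seeds, or recovery codes."
+}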
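Review bot: `no_secret_material_recorded: true` is a self-attestation, and the free-text fields `post_unseal_verification` and `notes` are exactly where a token or unseal share would end up being pasted, so the validator this commit adds (not visible in this section) should scan every string value for token- or key-share-shaped content and fail on a hit rather than trust the boolean; since JSON cannot carry a comment, state that in the adjacent docs text, e.g. `The validator rejects string values that look like tokens or key shares; the boolean alone is not accepted as proof.` The four timestamps also imply an order (`seal_started_at` ≤ `sealed_status_observed_at` ≤ `unseal_started_at` ≤ `unseal_completed_at`) and a span of 2.5 minutes, while `availability_window_minutes` is 3, so the validator should either derive the window from the timestamps and check they are monotonic, or the rounding rule should be documented next to the template. Recording the non-secret quorum shape (threshold and number of shares used) next to `unseal_quorum_available` would make the evidence reviewable without exposing any share material, if the validator's schema permits additional keys.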
@ -322,6 +322,16 @@ Audit Core backend that writes JSONL records under
days. Use it only to wire interfaces and setup validation before the durable
Audit Core archive exists.
Emergency seal/unseal drills are disruptive and must only run in an attended
window with threshold unseal shares available. Record non-secret drill evidence
using `docs/openbao-emergency-drill-evidence.example.json` as a template, then
validate it with:
```bash
make openbao-validate-emergency-evidence \
OPENBAO_EMERGENCY_EVIDENCE=/path/to/evidence.json
```
Monitoring baseline:
- pod readiness and liveness from Kubernetes probes