feat(openbao): add SSH engine automation for ops-warden signing
Declarative roles, warden-sign policy, apply/verify scripts, and Makefile targets openbao-configure-ssh and openbao-verify-ssh. Document operator flow in docs/openbao.md for NET-WP-0020 T5 / WP-0008 T2.
This commit is contained in:
parent
108944cd3e
commit
c24956fb5a
6 changed files with 521 additions and 7 deletions
18
openbao/policies/warden-sign.hcl
Normal file
18
openbao/policies/warden-sign.hcl
Normal file
|
|
@ -0,0 +1,18 @@
|
|||
# Narrow policy for ops-warden SSH signing (Vault/OpenBao SSH secrets engine).
|
||||
# Bind to dedicated tokens or Kubernetes auth roles — not platform-admin.
|
||||
|
||||
path "ssh/sign/adm-role" {
|
||||
capabilities = ["create", "update"]
|
||||
}
|
||||
|
||||
path "ssh/sign/agt-role" {
|
||||
capabilities = ["create", "update"]
|
||||
}
|
||||
|
||||
path "ssh/sign/atm-role" {
|
||||
capabilities = ["create", "update"]
|
||||
}
|
||||
|
||||
path "ssh/roles" {
|
||||
capabilities = ["list", "read"]
|
||||
}
|
||||
27
openbao/ssh/roles-spec.yaml
Normal file
27
openbao/ssh/roles-spec.yaml
Normal file
|
|
@ -0,0 +1,27 @@
|
|||
# Declarative SSH CA roles for ops-warden ActorType policy.
|
||||
# TTL max: adm 48h, agt 24h, atm 8h — wiki/OpsWardenConfig.md (ops-warden)
|
||||
|
||||
mount: ssh
|
||||
|
||||
roles:
|
||||
adm-role:
|
||||
key_type: ca
|
||||
allowed_users: "*"
|
||||
allow_user_certificates: true
|
||||
default_user: adm
|
||||
ttl: 48h
|
||||
max_ttl: 48h
|
||||
agt-role:
|
||||
key_type: ca
|
||||
allowed_users: "*"
|
||||
allow_user_certificates: true
|
||||
default_user: agt
|
||||
ttl: 24h
|
||||
max_ttl: 24h
|
||||
atm-role:
|
||||
key_type: ca
|
||||
allowed_users: "*"
|
||||
allow_user_certificates: true
|
||||
default_user: atm
|
||||
ttl: 8h
|
||||
max_ttl: 8h
|
||||
Loading…
Add table
Add a link
Reference in a new issue