diff --git a/docs/D-068-openbao-assessment-DRAFT.md b/docs/D-068-openbao-assessment-DRAFT.md new file mode 100644 index 0000000..e442f32 --- /dev/null +++ b/docs/D-068-openbao-assessment-DRAFT.md @@ -0,0 +1,94 @@ +# D-068 item 1 -- OpenBao / off-EOL-vault assessment (RESEARCH DRAFT) + +Status: RESEARCH INPUT ONLY (2026-07-06, jumphost stream, web research). The D-068 +off-EOL path decision remains OPEN and operator-ruled; this draft exists so the B2 +discussion starts from verified facts. Items that could not be confirmed are marked +UNVERIFIED. Companion: docs/D-068-vault-1.8-vs-1.16-analysis.md (the 1.16 ruling). + +## Summary + +- OpenBao is healthy upstream (Linux Foundation, MPL-2.0; latest stable 2.5.5, + 2026-06-17) and API-compatible for our surfaces (kv v1/v2, AppRole, PKI). BUT: + **no Juju charm for OpenBao exists anywhere** (Charmhub API search empty, + 2026-07-06), and **OpenBao REMOVED the MySQL storage backend** (raft/postgres + only; upstream issue #651). An OpenBao path today = bespoke charm development + we would own + a storage migration -- it cannot serve our 18 V0 `certificates` + relations. +- **No plan exists to bring tls-certificates V1 to the legacy/reactive OpenStack + charms.** Canonical's V1 world is Sunbeam ("Canonical OpenStack", 2024.1 LTS, + up-to-12-year support): vault + manual-tls-certificates + traefik on V1. The + charm-guide still documents legacy TLS via the V0 vault relation. Practical + read: V1 will likely NEVER come to the reactive set; "wait for V1" is risk + acceptance without a deadline. (Absence-of-evidence finding -- flagged as such.) +- The operator-lineage vault charm moved on (tracks to 1.19 + a new 2.0 track, + 2026-07-02, tracking IBM Vault 2.0 GA 2026-04-14) -- same disqualifiers as the + ruled-out 1.16 (V1-only, Raft-only, BUSL). The reactive 1.8/stable charm is in + steady-state maintenance and still being rebuilt (Charmhub revision 2026-07-03). +- CVE posture of 1.8.8: no known unauthenticated remote-compromise CVE applies to + an internal-only, AppRole-driven, TLS-issuing deployment. Notable but gated: + CVE-2021-45042 (PKI wildcard issuance to AUTHORIZED users, medium, in-range); + CVE-2024-2048 (cert-auth bypass, 9.8 -- only if the cert auth method is enabled, + ours is not); Aug-2025 "Vault Fault" set incl. CVE-2025-6000 RCE (requires + privileged plugin-catalog access; per-CVE 1.8.8 applicability UNVERIFIED). + Honest characterization: **manageable today, unauditable tomorrow** -- nobody + assesses 1.8.8 anymore; each future disclosure needs our own analysis with no + patch option. Supports deadline-bound acceptance, not indefinite stay. + +## Candidate paths compared + +1. **Wait-for-V1 in legacy charms** -- no published plan; strong signal V1 + investment goes to Sunbeam only. Equivalent to acceptance WITHOUT a deadline. + Reject as a plan; it is the null hypothesis. +2. **OpenBao now** -- right long-term horse upstream, but requires (a) a charm + that does not exist (bespoke, we own it), (b) storage migration off MySQL, + (c) an aggressive support cadence (only latest cycle maintained). Not viable + as a like-for-like swap; keep on the WATCH list (an OpenBao charm appearing, + or any Canonical position on OpenBao, changes this materially). +3. **Risk-acceptance with a hard deadline (research recommendation)** -- stay on + 1.8/stable (Canonical still rebuilds it; commercially supported under + Pro/PCB). Compensating controls: mgmt-plane-only API exposure, audit logging + shipped, minimal policies, confirm userpass/cert auth methods and plugin + registration absent, unseal/root discipline (already the norm -- D-069). + Hard re-decision deadline proposed: 2027-04. Two measured follow-ups (log + only, do not execute): (a) whether the reactive charm's vault SNAP CHANNEL + can be raised above 1.8 toward 1.14.x, the last MPL payload -- would de-EOL + the payload WITHOUT touching relation topology; Canonical support for this + UNVERIFIED; needs on-host measurement (charm config + snap tracks), a + read-only look; (b) track Sunbeam feature parity -- the durable exit from + the V0 certificates world is a PLATFORM decision, not a vault swap. + +## Decision hooks for the operator (nothing ruled yet) + +- Adopt path 3 with deadline? (Composes with keeping path 2 on watch.) +- Authorize the read-only snap-channel headroom measurement (follow-up a)? +- Fold "Sunbeam parity watch" into the Roosevelt planning inputs? +- D-068 items 2 (listener TLS) and 3 (AppRole TTL audit) are unaffected by this + and proceed on their own track. + +## Sources (accessed 2026-07-05/06; full trail) + +- openbao.org: release-notes 2.6.0-beta (2026-06-22); blog/roadmap-2.0 (LF + governance); docs/configuration/storage; docs/guides/migration +- endoflife.date/openbao (2.5.5 latest stable, 2026-06-17; latest-cycle-only support) +- github.com/openbao/openbao issue #651 (MySQL backend removed/requested) +- api.charmhub.io/v2/charms/find?q=openbao (EMPTY, 2026-07-06); charmhub.io/openbao (404) +- charmhub.io/vault (tracks 1.5-1.19 + 2.0 candidate/beta/edge; 1.8/stable rev 2026-07-03) +- canonical-vault-charms.readthedocs-hosted.com (2.0 upgrade docs; 1.8-vs-1.15 differences) +- opendev.org/openstack/charm-vault commits (steady-state; last commit 2025-10-29) +- docs.openstack.org/charm-guide latest: admin/security/tls (V0 model current) +- canonical-openstack.readthedocs-hosted.com: vault feature, service-endpoint-encryption, + release-cycle (Sunbeam 2024.1 LTS, 12-year support) +- infoq.com 2026/04 vault-2-0-ibm-identity + IBM support-lifecycle addendum + (Vault 2.0 GA 2026-04-14; 1.21->2.0 renumbering) +- nvd.nist.gov CVE-2024-2048 (9.8 NIST / 8.1 vendor; <=1.14.9; cert auth only) +- cyata.ai vault-fault (Aug-2025 nine zero-days incl. CVE-2025-6000 RCE) +- stack.watch + cvedetails (historic ranges; NOTE conflicting aggregator text for + CVE-2021-45042 / CVE-2021-43998 -- re-check NVD before quoting in a decision record) +- stackhpc-kayobe-config readthedocs stackhpc-2025.1 configuration/openbao + (non-Juju OpenStack distro already uses OpenBao for internal PKI) +- duokey.com BUSL-change/OpenBao-migration backgrounder (2023-08-10 BUSL date) + +NOT confirmed despite searching: any Canonical statement on OpenBao; any V1 plan +for legacy charms; exact Vault 1.8.x EOL date/final point release; per-CVE +applicability of the 2025 Cyata set to 1.8.8; reactive-charm snap-channel +headroom (needs on-host measurement, not web research). diff --git a/docs/handoff-20260705-open-items.md b/docs/handoff-20260705-open-items.md index 28513c6..995881d 100644 --- a/docs/handoff-20260705-open-items.md +++ b/docs/handoff-20260705-open-items.md @@ -34,6 +34,10 @@ - DOCFIX candidate: sweep the repo for other `-f json ... 2>&1` stderr-merge hazards (DOCFIX-085 class). - `host_href=None` barbican observation (exercised fine in stage 6; probably closeable after a look). +**Window runbook (2026-07-06):** the whole batch-3 + foil + D-073-apply sequence is +scripted as ONE do-document: `runbooks/d011-batch3-window-DRAFT.md` (DOCFIX-093). +B2/D-068 discussion input ready: `docs/D-068-openbao-assessment-DRAFT.md`. + ## 2. Verify-live queue (read-only/gated CHECKs; run on the real cloud before trusting) - **d011-04** `amphora_headroom()` field parsing (`server show` .flavor; `hypervisor list --long` @@ -90,7 +94,8 @@ the ruled meaning of "confirm tenant SSH access into their domain" (A1.4 confirmed). DELIVERED addendum 23 as stage7 (explicit-only); live validation pending (foil). - H4 `keystone-policy-drift.sh` (script backlog item 6) wired as a periodic check. - - H5 no-ad-hoc rule embedded in the onboarding runbook. + (Only H-item not yet built; also the main-chat backlog owner -- coordinate.) + - H5 no-ad-hoc rule embedded in the onboarding runbook. DONE addendum 25. - Horizon manager-role GUI identity probe (contract section 5.3) validated live. - Client-facing draft package (intake form, welcome/engagement doc, self-service guide) -- RULED: top-level clientdocs/; drafts DELIVERED addendum 22 (living docs, sweep on diff --git a/docs/session-ledger.md b/docs/session-ledger.md index ce9ab32..b5ac555 100644 --- a/docs/session-ledger.md +++ b/docs/session-ledger.md @@ -31,8 +31,8 @@ - **OPEN security rows:** SEC-001 (rotate at v1 close, re-ruled 2026-07-06), SEC-003 (custodians + second-person unseal -- DEFERRED; keeps d011-06 MANUAL), SEC-004 (flip repo to private at v1 close -- deferral reaffirmed). -- **Next-free numbers:** D = 074, DOCFIX = 093, BUNDLEFIX = 012. - (Scan and the addendum-22 changelog next-free pointer agree.) +- **Next-free numbers:** D = 074, DOCFIX = 094, BUNDLEFIX = 012. + (Scan and the addendum-25 changelog next-free pointer agree.) --- @@ -213,6 +213,18 @@ clientdocs/ package DOCFIX-092 (README/intake/welcome/self-service drafts). Remaining in the interleave before foil onboarding: H2 idempotency guard, H3 canary stage, D-073 list_trusts zip implementation (then gated live apply). +- DELIVERED (operator-away batch, addenda 23-25): H2 re-run guards + H3 canary + stage7 (harness 12/12); D-073 implementation STAGED (39-rule zip, drift check + PASS -- live apply GATED, block in the D-073 amendment); DOCFIX-093 + runbooks/d011-batch3-window-DRAFT.md (the one-window do-doc: D-073 apply + + foil stages 0-4 + tenant-assert + canary + d011-04/05 + close-out); H5 embedded; + docs/D-068-openbao-assessment-DRAFT.md (B2 research input -- no OpenBao charm + exists, MySQL backend removed upstream, V1 goes to Sunbeam not legacy charms; + research rec: deadline-bound risk acceptance). Stderr-merge sweep DONE: + 10-site inventory logged in addendum 25 (fixes = DOCFIX candidate, not actioned). +- REPO-SIDE QUEUE now EMPTY except: H4 policy-drift script (main-chat backlog + item 6 -- coordinate before building) and the client-docs sweep-on-change rule. + EVERYTHING ELSE waits on the operator-present live window (the do-doc). diff --git a/docs/v1-redeploy-changelog.md b/docs/v1-redeploy-changelog.md index 5b58fd3..2819cf1 100644 --- a/docs/v1-redeploy-changelog.md +++ b/docs/v1-redeploy-changelog.md @@ -2160,3 +2160,31 @@ REVERT: git checkout HEAD~ -- policies/domain-manager-policy.yaml policies/overrides.zip docs/design-decisions.md docs/v1-redeploy-changelog.md Next-free after this push (per scan, keep this line unwrapped): D-074, DOCFIX-093, BUNDLEFIX-012. + +### 2026-07-06 (addendum 25, jumphost stream) -- DOCFIX-093 batch-3 window do-doc; OpenBao research draft; H5 embed; stderr-sweep inventory + +- NEW runbooks/d011-batch3-window-DRAFT.md (DOCFIX-093): one logged window covering + D-073 gated live apply (+behavioral verify +rollback), foil onboarding stages 0-4 + as the live workflow validation (tenant-assert incl. its 2 VERIFY-LIVE calls, H2 + re-run SKIP check, H3 canary, Horizon manual checks), d011-04 with the A2 + conditional pre-approval spelled out, d011-05 with VR_FOIL_APPCRED, close-out + + abort discipline. Check ids verified against validate.sh (--checks, --list). +- NEW docs/D-068-openbao-assessment-DRAFT.md: web-research input for the B2 + discussion (research only, nothing ruled). Headlines: no OpenBao charm exists + anywhere; OpenBao REMOVED the MySQL backend; no V1-certificates plan for legacy + charms (V1 investment goes to Sunbeam); reactive 1.8/stable still rebuilt + (2026-07-03); 1.8.8 CVE posture "manageable today, unauditable tomorrow"; + research recommendation = deadline-bound risk acceptance (2027-04 proposed) + + snap-channel-headroom measurement + Sunbeam parity watch. UNVERIFIED items + flagged inline. +- tenant-onboarding-v2-DRAFT.md banner point 5: H5 standing no-ad-hoc rule embedded. +- LOGGED (DOCFIX candidate, fixes NOT actioned -- handoff immediate item, sweep done): + stderr-merged structured captures ("-f json ... 2>&1" into a parser), full + inventory: scripts/cloud-assert.sh:120,125,130 (capture-then-parse; evaluate + whether parse guards make these fail-closed A7-class); scripts/tenant-onboard.sh:46,178 + (image resolvers; stage7 already uses the stderr-safe form); scripts/tenant-acceptance.sh:43; + scripts/tenant-offboard.sh:73; runbooks/tenant-onboarding-v2-DRAFT.md:123,130,359 + (paste blocks). Fix pattern: lib-validate.sh vr_json / stderr-to-file. +REVERT: git rm runbooks/d011-batch3-window-DRAFT.md docs/D-068-openbao-assessment-DRAFT.md; git checkout HEAD~ -- runbooks/tenant-onboarding-v2-DRAFT.md docs/handoff-20260705-open-items.md docs/session-ledger.md docs/v1-redeploy-changelog.md + +Next-free after this push (per scan, keep this line unwrapped): D-074, DOCFIX-094, BUNDLEFIX-012. diff --git a/runbooks/d011-batch3-window-DRAFT.md b/runbooks/d011-batch3-window-DRAFT.md new file mode 100644 index 0000000..003060b --- /dev/null +++ b/runbooks/d011-batch3-window-DRAFT.md @@ -0,0 +1,105 @@ +# d011 batch-3 window -- combined do-document (DRAFT, not yet executed) + +One logged operator window that closes out the D-011 batch-3 queue AND live-validates +the onboarding workflow, in the operator-ruled interleave order (2026-07-06): +D-073 live apply -> foil-tenant onboarding (= workflow validation) -> d011-04 -> +d011-05 -> close-out. Every mutation is individually gated; read-only evidence +precedes each. Standing authorizations already ruled (do not re-ask): + +- **A2 (2026-07-06):** d011-04 `--include-disruptive` is PRE-APPROVED conditional on + the live N+1 amphora headroom check passing -- same window, no second ask. +- **D-073 (adopted 2026-07-06):** list_trusts zip staged in repo (addendum 24); + live attach in this window per the amendment. + +Operator inputs needed at window open: foil client short-name (examples below use +`foil1`), a non-colliding /24 for it (stage-4 guard fails closed regardless). + +## 0. Window open (operator) + + git -C ~/openstack-caracal-ipv4 pull + bash scripts/repo-lint.sh # expect 0 fail / 1 legacy warn + bash scripts/run-tests-all.sh # ALL GREEN expected + bash scripts/run-logged.sh d011-batch3 + bash scripts/cloud-assert.sh # baseline MUST PASS before any mutation + +## 1. D-073 live apply (GATED mutation: keystone policy resource) + + # stage under $HOME -- the openstack/juju snaps cannot read /tmp + cp ~/openstack-caracal-ipv4/policies/overrides.zip ~/overrides-d073.zip + juju attach-resource -m openstack keystone policyd-override=~/overrides-d073.zip + # wait for keystone workload message to show "PO:" (NOT "PO (broken):") + juju status -m openstack keystone + +Behavioral verify (never trust "PO:" alone): + + # (a) tenant token MUST now be denied trust enumeration (403): + # use the beta tenant's -svc app cred context -> openstack trust list + # (b) admin context MUST still succeed: openstack trust list + # (c) magnum trust machinery unaffected -- implicitly re-proven by d011-05 below. + +Rollback if broken: `git show HEAD~:policies/overrides.zip > ~/overrides-prev.zip` +then re-attach that file (same command shape). HOLD the window on any (a)/(b) miss. + +## 2. Foil onboarding = live workflow validation + +Stages 0-4 (foil needs an app cred for d011-05; stage 4 L3 enables the canary): + + TENANT_CIDR= bash scripts/tenant-onboard.sh foil1 stage0 # read-only + bash scripts/tenant-onboard.sh foil1 stage1 # gated + bash scripts/tenant-onboard.sh foil1 stage2 # gated + bash scripts/tenant-onboard.sh foil1 stage3 # gated + TENANT_CIDR= bash scripts/tenant-onboard.sh foil1 stage4 # gated + +Then the H1 verifier -- this run ALSO clears its two VERIFY-LIVE items +(`keypair list --user`, `application credential list --user` as admin): + + bash scripts/tenant-assert.sh foil1 # expect: PASS (topology matches contract) + +H2 guard live check (read-only in effect -- re-run stage3, expect double SKIP rc0): + + bash scripts/tenant-onboard.sh foil1 stage3 + +H3 canary (gated; self-cleaning; VERIFY-LIVE: CANARY_SSH_USER vs image login user): + + bash scripts/tenant-onboard.sh foil1 stage7 # expect: CANARY PASS + teardown done + +Horizon checks (contract section 5.1/5.3; manual, browser): + - login as foil1-domain-admin (domain-scoped) -- expect success; + - GUI identity probe: create + delete a probe user via Horizon as the manager. + If the GUI path fails but the API path passed (tenant-assert), LOG it and the + contract's "CLI is the identity path" fallback stands -- not a window blocker. + +## 3. d011-04 octavia (non-disruptive first, then the pre-approved disruptive half) + + bash scripts/validate.sh --checks d011-04-octavia-lb # RR + member failover + # headroom evidence prints from amphora_headroom(); on PASS the A2 pre-approval applies: + bash scripts/validate.sh --checks d011-04-octavia-lb --include-disruptive # amphora failover + # on headroom HOLD: STOP the disruptive half entirely (the pre-approval is conditional). + +VERIFY-LIVE items this clears: amphora_headroom() field parsing OK-path; OCCM +LB-name-contains-service-name assumption; agnhost /hostname round-robin behavior. + +## 4. d011-05 magnum e2e (+ P3 isolation via the foil) + + VR_FOIL_APPCRED=~/tenant-foil1/foil1-svc-appcred.txt bash scripts/validate.sh --checks d011-05-magnum-e2e + +(Check ids per `bash scripts/validate.sh --list`; the full-d011 profile runs the +whole suite if preferred once both new checks stand individually.) + +## 5. Close-out + + bash scripts/cloud-assert.sh # MUST PASS + # evidence: keep the run-logged transcript; note headroom numbers + canary FIP + # in the ledger; mark cleared VERIFY-LIVE items in the handoff + contract 5.3. + +Repo updates at close (jumphost lane): changelog addendum (as-executed corrections to +THIS draft included -- it is a DRAFT until executed once), session-ledger jumphost +section, handoff section 2/6 item states, D-011 acceptance status. If all of d011-01 +through d011-06 now stand (06 stays MANUAL pending SEC-003), record the D-011 +batch-3 close and queue the v1-close checklist (handoff section 6). + +## Abort discipline + +Any cloud-assert FAIL, any tenant-assert HOLD on the foil, or any D-073 behavioral +miss HOLDs the window at that boundary: capture evidence, revert only the failing +step per its rollback line, close the log. No forward progress past a failed gate. diff --git a/runbooks/tenant-onboarding-v2-DRAFT.md b/runbooks/tenant-onboarding-v2-DRAFT.md index 5c48cbb..3380e68 100644 --- a/runbooks/tenant-onboarding-v2-DRAFT.md +++ b/runbooks/tenant-onboarding-v2-DRAFT.md @@ -14,6 +14,9 @@ # 4. (2026-07-06, DOCFIX-091) The operator/tenant boundary, role table (manager persona -- # NEVER admin), tenant intake list, and hardening register are now authoritative in # docs/tenant-onboarding-contract.md; this draft defers to it on all of those. +# 5. (2026-07-06, H5 -- STANDING RULE) NOTHING outside scripts/tenant-onboard.sh: onboarding +# is executed ONLY via the script's stages. Any needed deviation is a script change +# shipped with its harness, never a live improvisation. # >>> END REVISION BANNER <<< # Tenant Onboarding v2 -- multi-tenant self-service + cluster creation (DRAFT)