Use this lane to rehearse hardened ACME issuance locally without swapping in public internet dependencies.
This local baseline keeps the hardened posture, keeps the unseal root external, and keeps OpenBao as the TLS endpoint while an internal ACME CA proves certificate issuance through a user-managed passthrough edge.
This lane proves
- a Hardened cluster can bootstrap locally while keeping the seal dependency outside the tenant namespace
- OpenBao-managed ACME issuance works when the validator reaches the passthrough edge with the expected hostname
- Transit auto-unseal and ACME trust material can coexist in one shared trust-services dependency
- local rehearsal can cover ACME readiness and probe behavior before you move to a public cloud baseline
Local reference architecture. k3d is not the production target, but this lane is the preferred local analogue for hardened deployments that keep TLS passthrough in OpenBao and use a private ACME trust chain.
Decision matrix
Lane summary
| Surface | Choice | Why it matters |
|---|---|---|
| Profile | spec.profile: Hardened | The lane only matters if the operator enforces the hardened policy surface while ACME and Transit are both active. |
| Seal path | Shared external OpenBao Transit provider | The seal root stays outside the cluster, which keeps the lane aligned with a real external dependency model. |
| TLS model | spec.tls.mode: ACME with an internal ACME CA | OpenBao remains the TLS endpoint while the lane avoids dependence on public ACME during local validation. |
| Edge model | User-managed Traefik TCP passthrough | TLS must reach OpenBao untouched for ACME, so the edge must pass traffic through instead of terminating it. |
| Validation scope | Local ACME lifecycle coverage plus hardened bootstrap | The lane is valuable because it proves ACME readiness, trust material, and bootstrap behavior together. |
Diagram
Validated lane topology
The same external trust-services dependency supplies both Transit auto-unseal and the private ACME directory, while the ingress layer remains pure passthrough.
Why this lane exists
Reference table
Key design choices
| Choice | What it protects | Why it stays in the lane |
|---|---|---|
| Private ACME issuer | The lane can prove ACME behavior without assuming public DNS and internet reachability. | Local hardened rehearsal should prove OpenBao-managed issuance, not public CA operations. |
| Hostname resolves back to the passthrough edge | The validator actually reaches the endpoint OpenBao serves for tls-alpn-01. | Successful name resolution is the invariant; the local CoreDNS rewrite is only one implementation of it. |
| Shared trust-services dependency | Transit and ACME both depend on the same external trust boundary. | This keeps the local lane close to the production-style trust split without requiring cloud services. |
| Passthrough stays user-managed | OpenBao remains the TLS endpoint. | The lane intentionally avoids making shared terminating ingress behavior part of the hardened ACME contract. |
Stay on the validated path
- keep
spec.profile: Hardenedand keep the trust-services endpoint reachable for both Transit and ACME - keep the ACME hostname resolving back to the passthrough edge from the validating environment
- keep the passthrough route targeting the dedicated
-acmeService on port443 - mount both the Transit CA bundle and the ACME issuer CA bundle in the Secret expected by the lane
- disable AppArmor only when the local runtime forces it and treat that as a local node concession
The validated local lane exercised hardened bootstrap with self-init, Transit auto-unseal through shared trust services, OpenBao-managed ACME issuance from a private CA, human admin JWT login, and external access over user-managed passthrough.
This is not proof that public ACME will work, not a substitute for a cloud ingress baseline, and not a generic passthrough recommendation. It is a local rehearsal lane for the hardened ACME control path.
Use the lane
You are reading the unreleased main docs. Use the version menu for the newest published release, or check the release notes for what is already out.
Was this page helpful?
Use Needs work to open a structured GitHub issue for this page. The Yes button only acknowledges the signal locally.