Adds the ADR-025 integration-test profile that proves the askari mesh-hardening REDESIGN (INPUT-only default-deny, forward ACCEPT for Docker) is reboot-safe on a throwaway KVM VM before the live cut-over. Profile applies base (firewall + sshd) and offsite (docker_host + reverse_proxy). Post-reboot verify checks: input policy drop, forward policy accept, admin-addr break-glass SSH (192.168.150.1), Docker up, and a published port answered from the controller. GREEN on 2026-06-19. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
17 lines
919 B
YAML
---
# Integration overlay (ADR-025) — the askari mesh-hardening REDESIGN (2026-06-19).
# Validates INPUT-only default-deny on a Docker host: input policy drop, forward policy
# accept (Docker-safe), SSH via the admin-addr break-glass, reboot-survivable.
integration_profile: askari_inputonly
base__firewall_apply: true
base__firewall_input_only: true
# No sshd ListenAddress change — never wt0-only in a throwaway VM.
base__ssh_listen_mesh_only: false
# Isolated VM: never touch the real mesh.
base__mesh_enabled: false
# The non-mesh SSH break-glass = the admin-addr path the real design uses. Point it at the
# VM's libvirt-NAT gateway (where the harness connects from), by source IP so it is
# interface-independent and the default-deny + reboot don't lock out the driver. This
# mirrors askari's real base__firewall_admin_addrs (ubongo's WAN) in the test topology.
base__firewall_admin_addrs:
  - 192.168.150.1
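The post-reboot checks the commit message lists (INPUT policy DROP, FORWARD policy ACCEPT, admin-addr SSH break-glass from 192.168.150.1) can be expressed as a small verifier over `iptables -S` output. This is an added example, not part of the askari repository or its harness; it runs against a constructed sample of rules so it can be checked offline, and the rule shapes it expects are an assumption about how the profile renders.

```shell
#!/bin/sh
# Added example (not askari's code): verify the ADR-025 post-reboot expectations
# against `iptables -S` style output. SAMPLE_RULES is a constructed stand-in for
# what a hardened Docker host should show; on a real VM feed it "$(iptables -S)".
SAMPLE_RULES='-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.150.1/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i docker0 -j ACCEPT'

# check_policy CHAIN EXPECTED RULES -> 0 if the chain's default policy matches exactly.
check_policy() {
  printf '%s\n' "$3" | grep -qx -- "-P $1 $2"
}

# check_admin_ssh ADDR RULES -> 0 if a source-IP (not interface-bound) SSH accept
# exists for ADDR, i.e. the break-glass survives an interface rename or reboot.
check_admin_ssh() {
  printf '%s\n' "$2" | grep -q -- "^-A INPUT -s $1/32 .*--dport 22 -j ACCEPT"
}

# verify_inputonly RULES -> 0 only when all three ADR-025 expectations hold.
verify_inputonly() {
  check_policy INPUT DROP "$1" \
    || { echo "FAIL: INPUT policy is not DROP"; return 1; }
  check_policy FORWARD ACCEPT "$1" \
    || { echo "FAIL: FORWARD policy is not ACCEPT (Docker forwarding would break)"; return 1; }
  check_admin_ssh 192.168.150.1 "$1" \
    || { echo "FAIL: admin-addr SSH break-glass for 192.168.150.1 missing"; return 1; }
  echo "OK: INPUT-only default-deny with admin-addr break-glass"
}

verify_inputonly "$SAMPLE_RULES"
```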