fix(openbao): declare file audit device in HCL (API enable is blocked)

CI on this branch was failing with:

  Error enabling audit device: Error making API request.
  URL: PUT http://openbao.openbao.svc.cluster.local:8200/v1/sys/audit/file
  Code: 400. Errors:
  * cannot enable audit device via API; use declarative, config-based
    audit device management instead

OpenBao does not allow enabling the audit device at runtime via the
sys/audit API -- it requires the device to be declared in the server's
HCL config alongside listener/storage. The vault-config Job's
'bao audit enable' call was therefore wrong by design and would never
have worked against this OpenBao build.

Fix:

1. openbao HelmRelease (standalone.config): add a declarative

     audit "file" {
       file_path = "/openbao/audit/audit.log"
     }

   stanza. /openbao/audit is the chart's auditStorage PV mount path
   (matches the /openbao/data data path). OpenBao reads this on
   startup; no API call needed. Every API request is logged to
   /openbao/audit/audit.log as one JSON record per line.

2. vault-config Job: drop the now-dead 'bao audit enable' block.
   Replace it with a comment explaining why this is declarative-only.
   Renumber the trailing 'Database secrets engine' section from
   8 -> 7 in both the body and the top-of-file step list.

The previous commit (1ade5f5) fixed the path from /vault to /openbao
based on the chart default; this commit moves the configuration to
the correct place (HCL config) so it actually takes effect.

Validation:
  $ ksail workload validate                          → 256 files validated
  $ ksail --config ksail.prod.yaml workload validate → 256 files validated

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: devantler

k8s/bases/infrastructure/controllers/openbao/helm-release.yaml

@@ -85,6 +85,19 @@ spec:
           storage "file" {
             path = "/openbao/data"
           }
+
+          # Declarative file audit device on the auditStorage PV. OpenBao
+          # blocks runtime audit enables: `bao audit enable file …`
+          # returns "cannot enable audit device via API; use declarative,
+          # config-based audit device management instead", so the device
+          # MUST be declared here in HCL. The mount path /openbao/audit
+          # is the chart's auditStorage default. Every API request is
+          # written to /openbao/audit/audit.log as one JSON record per
+          # line; tail it from the openbao pod today, ship via promtail
+          # once the observability stack lands.
+          audit "file" {
+            file_path = "/openbao/audit/audit.log"
+          }
       topologySpreadConstraints:
         - maxSkew: 1
           topologyKey: kubernetes.io/hostname

k8s/bases/infrastructure/vault-config/job.yaml

@@ -11,8 +11,11 @@
 #   4. Creates least-privilege policies
 #   5. Creates auth roles mapping ServiceAccounts to policies
 #   6. Configures OIDC auth (Dex) for human admin access
-#   7. Enables the file audit device (writes to the auditStorage PV)
-#   8. Configures the Database secrets engine for fleetdm MySQL rotation
+#   7. Configures the Database secrets engine for fleetdm MySQL rotation
+#
+# The file audit device is declared in the openbao HelmRelease config
+# (declarative-only — OpenBao rejects runtime audit enables via API),
+# so no runtime step is needed here for auditing.
 #
 # On fresh install the init containers auto-initialize the vault and create
 # the openbao-unseal Secret. On Velero restore the Secret and PVC are both
@@ -453,24 +456,17 @@ spec:
                 echo "It will be configured on the next vault-config reconciliation."
               fi
 
-              # --- 7. Audit device: file backend to the auditStorage PV ---
-              # OpenBao writes one JSON record per request to /openbao/audit/
-              # audit.log. That directory is the auditStorage PV mount path
-              # provisioned by the chart -- /openbao/audit pairs with the
-              # /openbao/data data mount (the OpenBao chart standardised on
-              # /openbao/* paths rather than the upstream HashiCorp Vault
-              # /vault/* paths). Tail this file from the openbao pod, or
-              # ship it via a sidecar / promtail when the observability
-              # stack lands. Without this device, OpenBao has zero audit
-              # trail -- any read of a Secret goes unrecorded.
-              if ! bao audit list -format=json 2>/dev/null | grep -q '"file/"'; then
-                echo "Enabling file audit device..."
-                bao audit enable file file_path=/openbao/audit/audit.log
-              else
-                echo "File audit device already enabled."
-              fi
-
-              # --- 8. Database secrets engine: fleetdm MySQL static-role rotation ---
+              # NOTE: the file audit device used to be enabled here at
+              # runtime. OpenBao rejects that path -- `bao audit enable`
+              # returns "cannot enable audit device via API; use
+              # declarative, config-based audit device management
+              # instead". The audit device is now declared in the
+              # openbao HelmRelease's standalone.config HCL (a
+              # `audit "file" { file_path = "/openbao/audit/audit.log" }`
+              # stanza alongside listener and storage). No runtime step
+              # is needed for OpenBao to start auditing.
+
+              # --- 7. Database secrets engine: fleetdm MySQL static-role rotation ---
               # OpenBao owns and periodically rotates the 'fleet' MySQL user's
               # password; ESO reads the current value via the VaultDynamicSecret
               # generator in the fleetdm namespace.