The Calabi PoC flow is the end-to-end logistics test. It configures IdM, validates the read-side gate with eigenstate.ipa, builds a policy RPM, deploys it, and proves the expected denial from a mapped automation identity on a generic automation endpoint.

Execution Boundary

Run these playbooks on bastion-01, not directly from the workstation. Stage the poc-calabi/ directory to a bastion-local path before execution.

Inputs

Provide the IdM admin credentials through the environment. BLASTWALL_AUTO_PASSWORD is optional; set it only when the lab path needs the automation user's password.

export IPA_ADMIN_PASSWORD='...'
export BLASTWALL_AUTO_PASSWORD='...'

Run Order

ansible-playbook 00-preflight.yml
ansible-playbook 10-configure-idm.yml
ansible-playbook 15-validate-idm-with-eigenstate.yml
ansible-playbook 20-build-policy-rpm.yml
ansible-playbook 30-deploy-and-test.yml

Expected Result

  • blastwall-auto can SSH to automation-endpoint.
  • id -Z returns blastwall_u:blastwall_r:blastwall_t:s0 or the public alias.
  • sudo -n /usr/bin/id -u returns 0.
  • The AF_ALG/authencesn probe prints BLOCKED.
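The following bastion-side wrapper is an added example, not a script shipped in poc-calabi: it checks the inputs above, runs the five playbooks in the listed order, and then verifies each Expected Result bullet over SSH as blastwall-auto. The checks on captured output are kept as standalone functions so they can be exercised offline. POC_DIR, AUTOMATION_ENDPOINT, PUBLIC_ALIAS_CONTEXT and PROBE_CMD are assumed placeholders (the page names neither the staged path, the public alias context, nor the probe's command), and the probe check assumes BLOCKED is the last line the probe prints.

```bash
#!/usr/bin/env bash
# Added example (not part of poc-calabi): run the Calabi playbooks in order from the
# staged bastion-local copy, then confirm the expected results on the endpoint.
# Placeholders (assumptions, not from the page): POC_DIR, AUTOMATION_ENDPOINT,
# PUBLIC_ALIAS_CONTEXT, PROBE_CMD.
set -u

POC_DIR="${POC_DIR:-$HOME/poc-calabi}"                                  # assumed staged path on bastion-01
AUTOMATION_ENDPOINT="${AUTOMATION_ENDPOINT:-automation-endpoint}"      # SSH target name
PUBLIC_ALIAS_CONTEXT="${PUBLIC_ALIAS_CONTEXT:-PLACEHOLDER_PUBLIC_ALIAS}" # page does not name the alias
PROBE_CMD="${PROBE_CMD:-/usr/local/bin/authencesn-probe}"               # placeholder probe path

# Inputs: the IdM admin password is required, the automation password optional.
check_inputs() {
  if [ -z "${IPA_ADMIN_PASSWORD:-}" ]; then
    echo "IPA_ADMIN_PASSWORD is not set" >&2
    return 1
  fi
  [ -n "${BLASTWALL_AUTO_PASSWORD:-}" ] || echo "note: BLASTWALL_AUTO_PASSWORD unset (optional)" >&2
  return 0
}

# Pure checks on captured output, one per Expected Result bullet.
check_context() {   # $1 = output of `id -Z`
  case "$1" in
    blastwall_u:blastwall_r:blastwall_t:s0|"$PUBLIC_ALIAS_CONTEXT") return 0 ;;
    *) return 1 ;;
  esac
}
check_sudo_uid() {  # $1 = output of `sudo -n /usr/bin/id -u`
  [ "$1" = "0" ]
}
check_probe() {     # $1 = probe stdout; assumes BLOCKED is the final line
  [ "$(printf '%s\n' "$1" | tail -n 1)" = "BLOCKED" ]
}

# Run the playbooks in the documented order, stopping at the first failure.
run_flow() {
  check_inputs || return 1
  cd "$POC_DIR" || return 1
  for play in 00-preflight.yml 10-configure-idm.yml 15-validate-idm-with-eigenstate.yml \
              20-build-policy-rpm.yml 30-deploy-and-test.yml; do
    ansible-playbook "$play" || { echo "failed at $play" >&2; return 1; }
  done
}

# Each check runs as blastwall-auto over SSH; a failed SSH fails the first bullet.
verify_endpoint() {
  ctx=$(ssh "blastwall-auto@$AUTOMATION_ENDPOINT" id -Z) || { echo "SSH to endpoint failed" >&2; return 1; }
  check_context "$ctx"  || { echo "unexpected context: $ctx" >&2; return 1; }
  uid=$(ssh "blastwall-auto@$AUTOMATION_ENDPOINT" sudo -n /usr/bin/id -u)
  check_sudo_uid "$uid" || { echo "sudo did not yield uid 0: $uid" >&2; return 1; }
  out=$(ssh "blastwall-auto@$AUTOMATION_ENDPOINT" "$PROBE_CMD")
  check_probe "$out"    || { echo "probe output not BLOCKED" >&2; return 1; }
  echo "all expected results observed"
}

# The live run is gated so the file can be sourced for its checks without executing playbooks.
if [ "${RUN_POC:-0}" = "1" ]; then
  run_flow && verify_endpoint
fi
```

Invoke as `RUN_POC=1 ./run-calabi.sh` on bastion-01 after staging poc-calabi/ and exporting the inputs; without RUN_POC the script only defines the functions.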