From 947c6108a6a8e0de3d783bd886032f918126c19d Mon Sep 17 00:00:00 2001 From: kappa Date: Thu, 12 Mar 2026 18:56:37 +0900 Subject: [PATCH] =?UTF-8?q?vault:=20jump-seoul=20SSH=20CA=20=EB=93=B1?= =?UTF-8?q?=EB=A1=9D=20=EC=99=84=EB=A3=8C,=20admin=20principal=20=EC=B6=94?= =?UTF-8?q?=EA=B0=80?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- infra/vault.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/infra/vault.md b/infra/vault.md index 1950d2c..c485049 100644 --- a/infra/vault.md +++ b/infra/vault.md @@ -41,7 +41,7 @@ vault.inouter.com(Synology)에서 hcv.inouter.com(K3s)으로 이관 완료 (2026 ## SSH CA (Signed Certificates) -Vault SSH Secrets Engine (ssh-client-signer/) 활성화. CA 키: ed25519. 역할: admin (allowed_users: root,kaffa, TTL 8h, max 24h). +Vault SSH Secrets Engine (ssh-client-signer/) 활성화. CA 키: ed25519. 역할: admin (allowed_users: root,kaffa,admin, TTL 8h, max 24h). CA 등록 완료 서버: - [[infra-hosts|apisix-osaka]] (100.108.39.107) — root @@ -49,10 +49,11 @@ CA 등록 완료 서버: - [[infra-hosts|incus-kr1]] (100.84.111.28) — kaffa - [[infra-hosts|incus-kr2]] (100.119.109.41) — kaffa - [[infra-hosts|sandbox-tokyo]] (100.79.87.48) — root +- [[infra-hosts|jump-seoul]] (100.120.61.54) — admin -미등록: jump-seoul (접속 불가), safeline-osaka (응답 없음) +미등록: safeline-osaka (응답 없음) -자동화: ~/.ssh/vault-sign.sh가 인증서 만료 시 자동 재발급. ~/.ssh/config에 Match exec로 연동. `ssh apisix-osaka` 등 일반 SSH처럼 사용 가능. +자동화: ~/.ssh/vault-sign.sh가 인증서 만료 시 자동 재발급 (curl + jq 기반). 인증서에 root,kaffa,admin principals 포함. ~/.ssh/config에 Match exec로 연동. `ssh apisix-osaka` 등 일반 SSH처럼 사용 가능. ## MCP 서버
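Review bot: In the first hunk (@@ -41,7 +41,7 @@), adding `admin` to `allowed_users` widens the single shared `admin` role instead of scoping the new principal to jump-seoul. The role now signs for root, kaffa and admin together, while the host list below shows each server using exactly one of those accounts. Consider a separate role per principal or host group (for example, one role whose `allowed_users` is only `admin` for the jump host), or document on this line how each host limits which principals it accepts, such as an `AuthorizedPrincipalsFile` in sshd. As written, the page gives no indication that anything other than the role itself restricts who can log in as root.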
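Review bot: In the second hunk (@@ -49,10 +49,11 @@), the changed automation line says every certificate issued by `~/.ssh/vault-sign.sh` carries all three principals (root,kaffa,admin), so the per-host account shown in the list (`jump-seoul ... admin`, `apisix-osaka ... root`) is not enforced by the certificate. A certificate obtained for the jump host is equally valid as root on apisix-osaka and sandbox-tokyo for its 8h TTL. Suggest having the script request only the principal needed for the target host (the `valid_principals` field of the sign request) and stating that here. Two documentation gaps on the same lines: the script is now described as curl + jq based, but the page does not say where it gets its Vault token or how that token is stored, and jump-seoul moves from 미등록 (접속 불가) to registered with no note of what changed to make it reachable.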