Finish HF-WP-0003 OpenBao KeyCape login overlay workplan

Mark all tasks done after live deployment of the railiance-platform overlay
gateway and update the phased checklist in OpenBaoIntroduction.md.
2026-06-19 20:28:16 +02:00
parent 02f11f8a9b
commit 0d6d76f230
2 changed files with 22 additions and 8 deletions

@@ -250,7 +250,7 @@ Use this as a maturity ladder, not a single big bang.
- [x] OpenBao deployed; audit enabled; root token retired or break-glass only
- [x] Human operator path: KeyCape OIDC, MFA, browser UI
- [x] Platform operator secrets under `platform/operators/`
- [ ] Streamlined login mask (hide namespace, method, mount, role)
- [x] Streamlined login mask (hide namespace, method, mount, role)`HF-WP-0003`, overlay in `railiance-platform/helm/openbao-ui-overlay/`
- [ ] `platform-readonly` role for auditors
- [ ] Path tree for `tenants/coulomb/`
- [ ] Kubernetes auth roles for platform workloads
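Review bot: On the newly checked "Streamlined login mask" item, the closing parenthesis runs straight into `HF-WP-0003` with no separator, so the workplan reference reads as part of the item text. Put punctuation or a space before the reference, for example "... role); see `HF-WP-0003`, overlay in ...". Because the item is about hiding the namespace, method, mount and role fields, it is also worth stating here that they are hidden in the login UI only, so the checked box is not read as an access restriction.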

@@ -4,7 +4,7 @@ type: workplan
title: "Streamline OpenBao login screen for KeyCape sign-in"
domain: helix_forge
repo: helix-forge
status: ready
status: finished
owner: codex
topic_slug: openbao-keycape-login-overlay
created: "2026-06-19"
@@ -143,7 +143,7 @@ apply plumbing changes when we migrate upstream.
```task
id: HF-WP-0003-T01
status: todo
status: done
priority: high
target_repo: railiance-platform
```
@@ -168,7 +168,7 @@ directory skeleton is committed.
```task
id: HF-WP-0003-T02
status: todo
status: done
priority: high
target_repo: railiance-platform
depends_on: HF-WP-0003-T01
@@ -194,7 +194,7 @@ against the pinned `2.5.4` login markup.
```task
id: HF-WP-0003-T03
status: todo
status: done
priority: high
target_repo: railiance-platform
depends_on: HF-WP-0003-T02
@@ -220,7 +220,7 @@ production deploy applies them without manual steps.
```task
id: HF-WP-0003-T04
status: todo
status: done
priority: medium
target_repo: railiance-platform
depends_on: HF-WP-0003-T03
@@ -247,7 +247,7 @@ when overlay is missing or upstream markup drifts.
```task
id: HF-WP-0003-T05
status: todo
status: done
priority: medium
target_repo: railiance-platform
depends_on: HF-WP-0003-T04
@@ -279,7 +279,7 @@ without rediscovering the approach.
```task
id: HF-WP-0003-T06
status: todo
status: done
priority: high
depends_on: HF-WP-0003-T05
```
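Review bot: HF-WP-0003-T06 is flipped to `done`, but unlike T01 through T05 its task block has no `target_repo` line, so the workplan does not say where the finished work landed. Add `target_repo`, or a short note in the task body if it is intentionally not tied to a repository.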
@@ -310,6 +310,20 @@ This workplan is complete when:
5. A documented reapply runbook exists for OpenBao image/chart upgrades.
6. An automated verifier catches missing overlay and upstream UI drift.
## Implementation Log
### 2026-06-19 — KeyCape login overlay live
- Chose nginx UI gateway with `sub_filter` HTML injection (upgrade-safe overlay
assets in Git; no OpenBao pod file edits).
- Added `railiance-platform/helm/openbao-ui-overlay/` assets and
`openbao-ui-gateway` Deployment/Service/Ingress.
- Disabled chart-managed OpenBao ingress; public `bao.coulomb.social` ingress
now targets the overlay gateway.
- `make openbao-deploy` applies middleware, Helm upgrade, then overlay.
- `make openbao-verify-login-overlay` passes against production, including
`--check-upstream-drift`.
## Notes
- Primary implementation repo: `railiance-platform` (Helm, overlay, verifiers,
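Review bot: The Implementation Log entry says `make openbao-verify-login-overlay` passes against production, including `--check-upstream-drift`, but it records nothing a later reader can check that against: no `railiance-platform` commit, no chart revision, no verifier output. Add the commit that introduced `helm/openbao-ui-overlay/` and the `openbao-ui-gateway` resources. The entry also states that the chart-managed ingress was disabled and `bao.coulomb.social` now targets the gateway, which puts the nginx `sub_filter` gateway in front of the login flow; say in the log whether the TLS and header settings of the old ingress were carried over to the new one, since that is the part of this change an auditor will ask about.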