From 0d6d76f2309b3c2b82e710557cab890955bf7099 Mon Sep 17 00:00:00 2001 From: tegwick Date: Fri, 19 Jun 2026 20:28:16 +0200 Subject: [PATCH] Finish HF-WP-0003 OpenBao KeyCape login overlay workplan Mark all tasks done after live deployment of the railiance-platform overlay gateway and update the phased checklist in OpenBaoIntroduction.md. --- docs/OpenBaoIntroduction.md | 2 +- ...F-WP-0003-openbao-keycape-login-overlay.md | 28 ++++++++++++++----- 2 files changed, 22 insertions(+), 8 deletions(-) diff --git a/docs/OpenBaoIntroduction.md b/docs/OpenBaoIntroduction.md index 5fd911a..313fba4 100644 --- a/docs/OpenBaoIntroduction.md +++ b/docs/OpenBaoIntroduction.md @@ -250,7 +250,7 @@ Use this as a maturity ladder, not a single big bang. - [x] OpenBao deployed; audit enabled; root token retired or break-glass only - [x] Human operator path: KeyCape OIDC, MFA, browser UI - [x] Platform operator secrets under `platform/operators/` -- [ ] Streamlined login mask (hide namespace, method, mount, role) +- [x] Streamlined login mask (hide namespace, method, mount, role) — `HF-WP-0003`, overlay in `railiance-platform/helm/openbao-ui-overlay/` - [ ] `platform-readonly` role for auditors - [ ] Path tree for `tenants/coulomb/` - [ ] Kubernetes auth roles for platform workloads diff --git a/workplans/HF-WP-0003-openbao-keycape-login-overlay.md b/workplans/HF-WP-0003-openbao-keycape-login-overlay.md index 05aa2aa..c31e0eb 100644 --- a/workplans/HF-WP-0003-openbao-keycape-login-overlay.md +++ b/workplans/HF-WP-0003-openbao-keycape-login-overlay.md @@ -4,7 +4,7 @@ type: workplan title: "Streamline OpenBao login screen for KeyCape sign-in" domain: helix_forge repo: helix-forge -status: ready +status: finished owner: codex topic_slug: openbao-keycape-login-overlay created: "2026-06-19" @@ -143,7 +143,7 @@ apply plumbing changes when we migrate upstream. ```task id: HF-WP-0003-T01 -status: todo +status: done priority: high target_repo: railiance-platform ``` 
@@ -168,7 +168,7 @@ directory skeleton is committed. ```task id: HF-WP-0003-T02 -status: todo +status: done priority: high target_repo: railiance-platform depends_on: HF-WP-0003-T01 @@ -194,7 +194,7 @@ against the pinned `2.5.4` login markup. ```task id: HF-WP-0003-T03 -status: todo +status: done priority: high target_repo: railiance-platform depends_on: HF-WP-0003-T02 @@ -220,7 +220,7 @@ production deploy applies them without manual steps. ```task id: HF-WP-0003-T04 -status: todo +status: done priority: medium target_repo: railiance-platform depends_on: HF-WP-0003-T03 @@ -247,7 +247,7 @@ when overlay is missing or upstream markup drifts. ```task id: HF-WP-0003-T05 -status: todo +status: done priority: medium target_repo: railiance-platform depends_on: HF-WP-0003-T04 @@ -279,7 +279,7 @@ without rediscovering the approach. ```task id: HF-WP-0003-T06 -status: todo +status: done priority: high depends_on: HF-WP-0003-T05 ``` @@ -310,6 +310,20 @@ This workplan is complete when: 5. A documented reapply runbook exists for OpenBao image/chart upgrades. 6. An automated verifier catches missing overlay and upstream UI drift. +## Implementation Log + +### 2026-06-19 — KeyCape login overlay live + +- Chose nginx UI gateway with `sub_filter` HTML injection (upgrade-safe overlay + assets in Git; no OpenBao pod file edits). +- Added `railiance-platform/helm/openbao-ui-overlay/` assets and + `openbao-ui-gateway` Deployment/Service/Ingress. +- Disabled chart-managed OpenBao ingress; public `bao.coulomb.social` ingress + now targets the overlay gateway. +- `make openbao-deploy` applies middleware, Helm upgrade, then overlay. +- `make openbao-verify-login-overlay` passes against production, including + `--check-upstream-drift`. + ## Notes - Primary implementation repo: `railiance-platform` (Helm, overlay, verifiers,
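Review bot: the `status: ready` to `finished` flip in the front matter and the six `todo` to `done` task flips carry no per-task evidence; the only verification the patch records is the production run of `make openbao-verify-login-overlay` in the Implementation Log. Since the overlay is pinned against the `2.5.4` login markup (context of the T03 hunk) and a later image/chart upgrade will have to reapply it (criterion 5, the T05/T06 hunks), consider recording in each task block or in the log the `railiance-platform` commit or tag that was verified, so the reapply can diff against a known-good revision instead of rediscovering it.

Review bot: the Implementation Log entry should document the proxy settings the `sub_filter` overlay depends on, because the `openbao-ui-gateway` now sits on the public `bao.coulomb.social` path in front of the secrets manager's login page. At minimum note that responses from OpenBao must reach nginx uncompressed (`sub_filter` does not rewrite gzip-encoded bodies, so the gateway has to strip the upstream `Accept-Encoding`, otherwise the injection silently no-ops), whether proxy buffering or caching is disabled so token-bearing responses are never spooled to disk, and which security headers (CSP, HSTS) the gateway passes through or rewrites so the injected overlay assets are actually allowed by the UI's policy. `--check-upstream-drift` covers upstream markup drift but not a regression in the gateway config itself; a pointer from the log to the reapply runbook required by criterion 5 would also close the loop, as the log currently names the Makefile targets but not the runbook.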