Finish HF-WP-0003 OpenBao KeyCape login overlay workplan
Mark all tasks done after live deployment of the railiance-platform overlay gateway and update the phased checklist in OpenBaoIntroduction.md.
@@ -250,7 +250,7 @@ Use this as a maturity ladder, not a single big bang.
|
|||||||
- [x] OpenBao deployed; audit enabled; root token retired or break-glass only
|
- [x] OpenBao deployed; audit enabled; root token retired or break-glass only
|
||||||
- [x] Human operator path: KeyCape OIDC, MFA, browser UI
|
- [x] Human operator path: KeyCape OIDC, MFA, browser UI
|
||||||
- [x] Platform operator secrets under `platform/operators/`
|
- [x] Platform operator secrets under `platform/operators/`
|
||||||
- [ ] Streamlined login mask (hide namespace, method, mount, role)
|
- [x] Streamlined login mask (hide namespace, method, mount, role) — `HF-WP-0003`, overlay in `railiance-platform/helm/openbao-ui-overlay/`
|
||||||
- [ ] `platform-readonly` role for auditors
|
- [ ] `platform-readonly` role for auditors
|
||||||
- [ ] Path tree for `tenants/coulomb/`
|
- [ ] Path tree for `tenants/coulomb/`
|
||||||
- [ ] Kubernetes auth roles for platform workloads
|
- [ ] Kubernetes auth roles for platform workloads
|
||||||
|
|||||||
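Review bot: The newly checked "Streamlined login mask" item sits in a maturity ladder next to controls such as audit and MFA, but hiding namespace, method, mount and role in the login form is a presentation change only. Anything the mask hides stays reachable unless it is also disabled in OpenBao itself. Suggest wording the item so it is not read as hardening, for example "Streamlined login mask (UI only; hides namespace, method, mount, role)", and tracking any disabling of unused auth methods as its own checklist item.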
@@ -4,7 +4,7 @@ type: workplan
|
|||||||
title: "Streamline OpenBao login screen for KeyCape sign-in"
|
title: "Streamline OpenBao login screen for KeyCape sign-in"
|
||||||
domain: helix_forge
|
domain: helix_forge
|
||||||
repo: helix-forge
|
repo: helix-forge
|
||||||
status: ready
|
status: finished
|
||||||
owner: codex
|
owner: codex
|
||||||
topic_slug: openbao-keycape-login-overlay
|
topic_slug: openbao-keycape-login-overlay
|
||||||
created: "2026-06-19"
|
created: "2026-06-19"
|
||||||
@@ -143,7 +143,7 @@ apply plumbing changes when we migrate upstream.
|
|||||||
|
|
||||||
```task
|
```task
|
||||||
id: HF-WP-0003-T01
|
id: HF-WP-0003-T01
|
||||||
status: todo
|
status: done
|
||||||
priority: high
|
priority: high
|
||||||
target_repo: railiance-platform
|
target_repo: railiance-platform
|
||||||
```
|
```
|
||||||
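Review bot: `status: done` on HF-WP-0003-T01 carries no pointer to the change that completed it, and the work lives in another repository (`target_repo: railiance-platform`). Suggest adding a reference to the railiance-platform commit or merge request in the task block or its body, so the status can be checked from this file. The same applies to T02 through T05.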
@@ -168,7 +168,7 @@ directory skeleton is committed.
|
|||||||
|
|
||||||
```task
|
```task
|
||||||
id: HF-WP-0003-T02
|
id: HF-WP-0003-T02
|
||||||
status: todo
|
status: done
|
||||||
priority: high
|
priority: high
|
||||||
target_repo: railiance-platform
|
target_repo: railiance-platform
|
||||||
depends_on: HF-WP-0003-T01
|
depends_on: HF-WP-0003-T01
|
||||||
@@ -194,7 +194,7 @@ against the pinned `2.5.4` login markup.
|
|||||||
|
|
||||||
```task
|
```task
|
||||||
id: HF-WP-0003-T03
|
id: HF-WP-0003-T03
|
||||||
status: todo
|
status: done
|
||||||
priority: high
|
priority: high
|
||||||
target_repo: railiance-platform
|
target_repo: railiance-platform
|
||||||
depends_on: HF-WP-0003-T02
|
depends_on: HF-WP-0003-T02
|
||||||
@@ -220,7 +220,7 @@ production deploy applies them without manual steps.
|
|||||||
|
|
||||||
```task
|
```task
|
||||||
id: HF-WP-0003-T04
|
id: HF-WP-0003-T04
|
||||||
status: todo
|
status: done
|
||||||
priority: medium
|
priority: medium
|
||||||
target_repo: railiance-platform
|
target_repo: railiance-platform
|
||||||
depends_on: HF-WP-0003-T03
|
depends_on: HF-WP-0003-T03
|
||||||
@@ -247,7 +247,7 @@ when overlay is missing or upstream markup drifts.
|
|||||||
|
|
||||||
```task
|
```task
|
||||||
id: HF-WP-0003-T05
|
id: HF-WP-0003-T05
|
||||||
status: todo
|
status: done
|
||||||
priority: medium
|
priority: medium
|
||||||
target_repo: railiance-platform
|
target_repo: railiance-platform
|
||||||
depends_on: HF-WP-0003-T04
|
depends_on: HF-WP-0003-T04
|
||||||
@@ -279,7 +279,7 @@ without rediscovering the approach.
|
|||||||
|
|
||||||
```task
|
```task
|
||||||
id: HF-WP-0003-T06
|
id: HF-WP-0003-T06
|
||||||
status: todo
|
status: done
|
||||||
priority: high
|
priority: high
|
||||||
depends_on: HF-WP-0003-T05
|
depends_on: HF-WP-0003-T05
|
||||||
```
|
```
|
||||||
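Review bot: The HF-WP-0003-T06 block has no `target_repo` line between `priority` and `depends_on`, unlike T02 through T05 as shown in this diff. If T06 is tracked in helix-forge, say so explicitly in the block; otherwise add the intended repo before marking the task done.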
@@ -310,6 +310,20 @@ This workplan is complete when:
|
|||||||
5. A documented reapply runbook exists for OpenBao image/chart upgrades.
|
5. A documented reapply runbook exists for OpenBao image/chart upgrades.
|
||||||
6. An automated verifier catches missing overlay and upstream UI drift.
|
6. An automated verifier catches missing overlay and upstream UI drift.
|
||||||
|
|
||||||
|
## Implementation Log
|
||||||
|
|
||||||
|
### 2026-06-19 — KeyCape login overlay live
|
||||||
|
|
||||||
|
- Chose nginx UI gateway with `sub_filter` HTML injection (upgrade-safe overlay
|
||||||
|
assets in Git; no OpenBao pod file edits).
|
||||||
|
- Added `railiance-platform/helm/openbao-ui-overlay/` assets and
|
||||||
|
`openbao-ui-gateway` Deployment/Service/Ingress.
|
||||||
|
- Disabled chart-managed OpenBao ingress; public `bao.coulomb.social` ingress
|
||||||
|
now targets the overlay gateway.
|
||||||
|
- `make openbao-deploy` applies middleware, Helm upgrade, then overlay.
|
||||||
|
- `make openbao-verify-login-overlay` passes against production, including
|
||||||
|
`--check-upstream-drift`.
|
||||||
|
|
||||||
## Notes
|
## Notes
|
||||||
|
|
||||||
- Primary implementation repo: `railiance-platform` (Helm, overlay, verifiers,
|
- Primary implementation repo: `railiance-platform` (Helm, overlay, verifiers,
|
||||||
|
|||||||
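Review bot: The log entry "Disabled chart-managed OpenBao ingress" puts `openbao-ui-gateway` in front of all public traffic for `bao.coulomb.social`, so an nginx that rewrites responses now sits in the login path, and the entry does not say how far `sub_filter` reaches. Suggest recording that the injection is limited to the login HTML and that other paths are proxied unmodified. Also record the OpenBao version the verifier passed against (an earlier hunk header mentions the pinned `2.5.4` login markup) and the railiance-platform commit, so a later `--check-upstream-drift` failure can be compared with a known-good state.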