generated from coulomb/repo-seed
chore(consistency): sync task status from DB [auto]
Updated by fix-consistency on 2026-06-15:
- HF-WP-0002-T05: progress → wait
@@ -60,11 +60,12 @@ Desired new posture:
|
|||||||
- Browser login redirects to KeyCape and returns to OpenBao UI at:
|
- Browser login redirects to KeyCape and returns to OpenBao UI at:
|
||||||
|
|
||||||
```text
|
```text
|
||||||
https://bao.coulomb.social/ui/vault/auth/keycape/oidc/callback
|
https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback
|
||||||
```
|
```
|
||||||
|
|
||||||
- UI access maps to the existing `platform-admin` policy through the KeyCape
|
- UI access maps to the existing `platform-admin` policy through the
|
||||||
OIDC path.
|
KeyCape-backed `netkingdom` OIDC path. The earlier `keycape` path remains a
|
||||||
|
compatibility alias while operators move to the clearer mount name.
|
||||||
- OpenBao remains a privileged platform-secret surface, not a general public
|
- OpenBao remains a privileged platform-secret surface, not a general public
|
||||||
application. Exposure must be TLS-only, audited, MFA-backed, and restricted
|
application. Exposure must be TLS-only, audited, MFA-backed, and restricted
|
||||||
by identity and preferably by network boundary.
|
by identity and preferably by network boundary.
|
||||||
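Review bot: the posture text now keeps the `keycape` mount as a compatibility alias "while operators move to the clearer mount name" but gives no retirement condition. A second OIDC mount with its own role and redirect URI is a second login surface and has to stay as tightly bound as the preferred one; suggest stating here that the alias carries the same claims/groups binding, MFA requirement and `platform-admin` policy as `netkingdom`, and naming the condition (or the task) under which it is removed.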
@@ -100,8 +101,9 @@ Preferred controls:
|
|||||||
2. Add or update the Railiance Platform OpenBao ingress manifest or Helm values
|
2. Add or update the Railiance Platform OpenBao ingress manifest or Helm values
|
||||||
so the OpenBao UI service is exposed at `bao.coulomb.social`.
|
so the OpenBao UI service is exposed at `bao.coulomb.social`.
|
||||||
3. Add the OpenBao UI redirect URI to the KeyCape OpenBao admin client.
|
3. Add the OpenBao UI redirect URI to the KeyCape OpenBao admin client.
|
||||||
4. Add the same URI to the OpenBao `auth/keycape/role/platform-admin`
|
4. Add the same URI to the OpenBao `auth/netkingdom/role/platform-admin`
|
||||||
`allowed_redirect_uris`.
|
`allowed_redirect_uris`, keeping `auth/keycape` as a compatibility alias
|
||||||
|
unless explicitly retired later.
|
||||||
5. Verify browser login end to end with the approved platform-root/operator
|
5. Verify browser login end to end with the approved platform-root/operator
|
||||||
identity and MFA.
|
identity and MFA.
|
||||||
6. Verify metadata-only inspection of candidate paths such as:
|
6. Verify metadata-only inspection of candidate paths such as:
|
||||||
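Review bot: step 3 still reads "Add the OpenBao UI redirect URI" (singular) and step 4 "Add the same URI", while the posture above now lists a `netkingdom` callback alongside the retained `keycape` one; make the wording plural or name the `netkingdom` URI explicitly so an operator does not register only the old callback. Step 4's "unless explicitly retired later" should also say who owns that decision, otherwise the duplicate `auth/keycape` role lingers by default.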
@@ -175,7 +177,7 @@ the Helm upgrade. Live DNS/deployment verification remains pending.
|
|||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
### T03 - Add KeyCape UI Redirect URI
|
### T03 - Add KeyCape UI Redirect URIs
|
||||||
|
|
||||||
```task
|
```task
|
||||||
id: HF-WP-0002-T03
|
id: HF-WP-0002-T03
|
||||||
@@ -188,24 +190,26 @@ state_hub_task_id: "fc1d5850-eed9-4fd6-aac4-8c0e89d8b67d"
|
|||||||
Update the KeyCape OpenBao admin client to include:
|
Update the KeyCape OpenBao admin client to include:
|
||||||
|
|
||||||
```text
|
```text
|
||||||
https://bao.coulomb.social/ui/vault/auth/keycape/oidc/callback
|
https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback
|
||||||
```
|
```
|
||||||
|
|
||||||
Keep the existing localhost CLI callback URIs unless there is a separate
|
Keep the existing localhost CLI callback URIs and the earlier
|
||||||
decision to retire CLI login.
|
`https://bao.coulomb.social/ui/vault/auth/keycape/oidc/callback`
|
||||||
|
compatibility callback unless there is a separate decision to retire them.
|
||||||
|
|
||||||
Done when KeyCape accepts the OpenBao UI callback for the `openbao-admin`
|
Done when KeyCape accepts the OpenBao UI callback for the `openbao-admin`
|
||||||
client and the deployed KeyCape configuration verifies cleanly.
|
client and the deployed KeyCape configuration verifies cleanly.
|
||||||
|
|
||||||
Code progress on 2026-06-15: `net-kingdom` now includes the browser callback
|
Code progress on 2026-06-15: `net-kingdom` now includes the preferred
|
||||||
URI in both the full `create-secrets.sh` KeyCape config generator and the
|
`netkingdom` browser callback URI and the `keycape` compatibility callback in
|
||||||
focused live `openbao-client-config.py` patch/verify helper. The focused
|
both the full `create-secrets.sh` KeyCape config generator and the focused
|
||||||
verifier also probes both CLI and browser redirect URIs. Live KeyCape rollout
|
live `openbao-client-config.py` patch/verify helper. The focused verifier also
|
||||||
verification remains pending.
|
probes CLI, `netkingdom`, and `keycape` redirect URIs. Live KeyCape rollout
|
||||||
|
verification for the preferred mount remains pending.
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
### T04 - Add OpenBao UI Redirect URI To platform-admin Role
|
### T04 - Add OpenBao UI Redirect URIs To platform-admin Role
|
||||||
|
|
||||||
```task
|
```task
|
||||||
id: HF-WP-0002-T04
|
id: HF-WP-0002-T04
|
||||||
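Review bot: the done criterion "Done when KeyCape accepts the OpenBao UI callback" is still singular, while the task body now registers both the `netkingdom` and the `keycape` browser callbacks; update it to cover both. The progress note says the focused verifier "probes CLI, `netkingdom`, and `keycape` redirect URIs"; if that is a presence check only, it would be worth having it also fail on any redirect URI outside that expected set, since an extra callback registered on the `openbao-admin` client is exactly the drift this verifier is best placed to catch.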
@@ -215,24 +219,25 @@ target_repo: railiance-platform
|
|||||||
state_hub_task_id: "4f69cacb-9d8f-4ab6-a84f-3c9041f0d39a"
|
state_hub_task_id: "4f69cacb-9d8f-4ab6-a84f-3c9041f0d39a"
|
||||||
```
|
```
|
||||||
|
|
||||||
Update the OpenBao `auth/keycape/role/platform-admin` role so
|
Update the OpenBao `auth/netkingdom/role/platform-admin` role so
|
||||||
`allowed_redirect_uris` includes:
|
`allowed_redirect_uris` includes:
|
||||||
|
|
||||||
```text
|
```text
|
||||||
https://bao.coulomb.social/ui/vault/auth/keycape/oidc/callback
|
https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback
|
||||||
```
|
```
|
||||||
|
|
||||||
Keep the role bound to the intended KeyCape claims/groups and the
|
Keep the `auth/keycape/role/platform-admin` compatibility role aligned while
|
||||||
`platform-admin` policy. Do not broaden this to root.
|
it remains enabled. Keep both roles bound to the intended KeyCape
|
||||||
|
claims/groups and the `platform-admin` policy. Do not broaden this to root.
|
||||||
|
|
||||||
Done when the role supports browser UI login without breaking the existing CLI
|
Done when the role supports browser UI login without breaking the existing CLI
|
||||||
OIDC path.
|
OIDC path.
|
||||||
|
|
||||||
Code progress on 2026-06-15: `net-kingdom/sso-mfa/k8s/keycape/configure-openbao-oidc.sh`
|
Code progress on 2026-06-15: `net-kingdom/sso-mfa/k8s/keycape/configure-openbao-oidc.sh`
|
||||||
now writes the browser callback URI into the OpenBao
|
now configures both `auth/netkingdom/role/platform-admin` and the
|
||||||
`auth/keycape/role/platform-admin` `allowed_redirect_uris` while preserving the
|
`auth/keycape/role/platform-admin` compatibility role with the browser callback
|
||||||
existing localhost CLI callbacks. Live role update and browser proof remain
|
URIs while preserving the existing localhost CLI callbacks. Live preferred
|
||||||
pending.
|
role update remains pending.
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
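Review bot: "Keep the `auth/keycape/role/platform-admin` compatibility role aligned" is softer than the rest of this task; say concretely that its claims/groups binding, token policies and `allowed_redirect_uris` are kept identical to the `netkingdom` role, because two roles on the same client that drift apart turn the alias into the weaker login path. The done criterion ("Done when the role supports browser UI login") still refers to a single role, and the progress note drops "browser proof" from the pending list, which is fine only if that proof is now tracked under T05; say so.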
@@ -248,7 +253,7 @@ state_hub_task_id: "31d1da2d-8498-4c7d-a6fa-da9d0133bfe2"
|
|||||||
Perform an attended browser login:
|
Perform an attended browser login:
|
||||||
|
|
||||||
1. Open `https://bao.coulomb.social`.
|
1. Open `https://bao.coulomb.social`.
|
||||||
2. Choose the KeyCape/OIDC auth method mounted at `keycape`.
|
2. Choose the KeyCape/OIDC auth method mounted at `netkingdom`.
|
||||||
3. Use role `platform-admin`.
|
3. Use role `platform-admin`.
|
||||||
4. Authenticate via `kc.coulomb.social` with MFA.
|
4. Authenticate via `kc.coulomb.social` with MFA.
|
||||||
5. Confirm the user can see permitted metadata paths.
|
5. Confirm the user can see permitted metadata paths.
|
||||||
@@ -258,11 +263,14 @@ For the `HF-WP-0001` unblock, inspect only metadata/path presence for the
|
|||||||
Inter-Hub operator key location. Do not copy secret values into Git, State Hub,
|
Inter-Hub operator key location. Do not copy secret values into Git, State Hub,
|
||||||
chat, or workplans.
|
chat, or workplans.
|
||||||
|
|
||||||
Done when browser login succeeds and the operator can determine whether an
|
Done when browser login succeeds through the preferred `netkingdom` mount and
|
||||||
Inter-Hub operator key exists without installing a local `bao` CLI.
|
the operator can determine whether an Inter-Hub operator key exists without
|
||||||
|
installing a local `bao` CLI.
|
||||||
|
|
||||||
Waiting on live DNS/deployment, KeyCape config rollout, OpenBao role update,
|
Progress on 2026-06-15: the operator reached the OpenBao UI and completed an
|
||||||
and an attended platform-admin browser login.
|
attended platform-admin browser login. The preferred `netkingdom` mount has
|
||||||
|
been added in code and remains to be rolled out and used for the final
|
||||||
|
metadata-only inspection proof.
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
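Review bot: the progress note records that an attended `platform-admin` browser login was completed, but not through which mount; since the `netkingdom` mount "remains to be rolled out", that login must have gone through `keycape`. State that explicitly, because the done criterion above now requires login "through the preferred `netkingdom` mount" and a reader skimming the note could take the task as done. Keeping T05 in `wait`, as the commit message does, is the right call.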
@@ -280,7 +288,7 @@ NetKingdom so future operators know:
|
|||||||
|
|
||||||
- `kc.coulomb.social` is the KeyCape/OIDC login authority.
|
- `kc.coulomb.social` is the KeyCape/OIDC login authority.
|
||||||
- `bao.coulomb.social` is the OpenBao UI.
|
- `bao.coulomb.social` is the OpenBao UI.
|
||||||
- Browser login uses auth path `keycape` and role `platform-admin`.
|
- Browser login uses auth path `netkingdom` and role `platform-admin`.
|
||||||
- Metadata-only inspection is preferred when looking for whether a secret
|
- Metadata-only inspection is preferred when looking for whether a secret
|
||||||
exists.
|
exists.
|
||||||
- Secret values, OpenBao tokens, Inter-Hub keys, and one-time displayed API
|
- Secret values, OpenBao tokens, Inter-Hub keys, and one-time displayed API
|
||||||
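Review bot: the operator-facing bullet now names only auth path `netkingdom`, but the `keycape` mount stays enabled as an alias, so the UI will still present two OIDC choices; add a bullet telling future operators that `keycape` is the deprecated alias and `netkingdom` the one to use, otherwise the confusion this rename is meant to reduce reappears at the login screen.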
@@ -290,9 +298,9 @@ Done when the next operator can follow the browser path without rediscovering
|
|||||||
the CLI-only limitation.
|
the CLI-only limitation.
|
||||||
|
|
||||||
Completed on 2026-06-15: updated the Railiance Platform OpenBao runbook and
|
Completed on 2026-06-15: updated the Railiance Platform OpenBao runbook and
|
||||||
NetKingdom KeyCape/OpenBao docs to describe `bao.coulomb.social`, the KeyCape
|
NetKingdom KeyCape/OpenBao docs to describe `bao.coulomb.social`, the
|
||||||
OIDC callback, `platform-admin` browser login, metadata-only inspection, and
|
preferred `netkingdom` KeyCape/OIDC auth path, `platform-admin` browser login,
|
||||||
the no-root-token/no-secret-copying boundary.
|
metadata-only inspection, and the no-root-token/no-secret-copying boundary.
|
||||||
|
|
||||||
## Implementation Log
|
## Implementation Log
|
||||||
|
|
||||||
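Review bot: "Completed on 2026-06-15" marks the docs task done, yet the documented `netkingdom` path has not been rolled out (the implementation log below still lists live rollout and the preferred role update as pending). Until then the runbook describes a mount that does not exist on the live system; suggest a one-line "live today: `keycape`; preferred after rollout: `netkingdom`" note in the docs, or holding this task open until rollout.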
@@ -309,11 +317,13 @@ path:
|
|||||||
- `railiance-platform/Makefile` applies the OpenBao middleware before Helm
|
- `railiance-platform/Makefile` applies the OpenBao middleware before Helm
|
||||||
deployment.
|
deployment.
|
||||||
- `net-kingdom/sso-mfa/k8s/keycape/create-secrets.sh` and
|
- `net-kingdom/sso-mfa/k8s/keycape/create-secrets.sh` and
|
||||||
`openbao-client-config.py` include the browser callback URI for
|
`openbao-client-config.py` include the preferred `netkingdom` browser
|
||||||
`openbao-admin`.
|
callback URI and the `keycape` compatibility callback for `openbao-admin`.
|
||||||
- `net-kingdom/sso-mfa/k8s/keycape/configure-openbao-oidc.sh` writes the same
|
- `net-kingdom/sso-mfa/k8s/keycape/configure-openbao-oidc.sh` writes the same
|
||||||
browser callback URI to the OpenBao `platform-admin` role.
|
browser callback URIs to the OpenBao `auth/netkingdom` and `auth/keycape`
|
||||||
- `net-kingdom` verifiers now expect and probe the browser callback URI.
|
`platform-admin` roles.
|
||||||
|
- `net-kingdom` verifiers now expect and probe CLI, `netkingdom`, and
|
||||||
|
`keycape` callback URIs.
|
||||||
- Railiance Platform and NetKingdom docs now describe the browser path and
|
- Railiance Platform and NetKingdom docs now describe the browser path and
|
||||||
secret-handling boundaries.
|
secret-handling boundaries.
|
||||||
|
|
||||||
@@ -333,6 +343,13 @@ Verification not performed:
|
|||||||
- Live OpenBao role update.
|
- Live OpenBao role update.
|
||||||
- Attended browser login and metadata-only secret-path inspection.
|
- Attended browser login and metadata-only secret-path inspection.
|
||||||
|
|
||||||
|
### 2026-06-15 - Preferred netkingdom auth mount added
|
||||||
|
|
||||||
|
After the first successful browser login, the preferred OpenBao OIDC auth
|
||||||
|
mount was changed from `keycape` to `netkingdom` to match the platform domain
|
||||||
|
language and reduce operator confusion in the UI. The `keycape` mount remains
|
||||||
|
configured as a compatibility alias.
|
||||||
|
|
||||||
## Acceptance Criteria
|
## Acceptance Criteria
|
||||||
|
|
||||||
This workplan is complete when:
|
This workplan is complete when:
|
||||||
|
|||||||
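Review bot: the new log entry says the preferred mount "was changed from `keycape` to `netkingdom`", while every task above says the `netkingdom` mount has been added in code and not yet rolled out; use "added in code" here as well. The "Verification not performed" list directly above is unchanged: it still names a single "Live OpenBao role update" although the script now writes two roles, and still lists "Attended browser login" as not performed although T05 records one (through the old mount); refresh the list to say which mount was proven and which remains.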