Harden KeyCape OpenBao client action

This commit is contained in:
2026-05-26 02:22:24 +02:00
parent f3c8d70270
commit 1267df148a
3 changed files with 18 additions and 7 deletions

View File

@@ -321,6 +321,12 @@ client is now code-defined in `sso-mfa/k8s/keycape/create-secrets.sh`, while
the UI action cards only ask the operator to apply live KeyCape config,
configure OpenBao with a protected token prompt, and verify MFA-backed login.
**2026-05-26:** Hardened the KeyCape OpenBao client deployment action after the
operator hit a non-executable `create-secrets.sh`. The action card now runs the
script through `bash`, uses absolute repo paths, and wraps the sequence in a
fail-fast heredoc so a failed config generation does not continue into a
KeyCape restart or verification.
**2026-05-24:** Stepped back from ad hoc secret rollout and added the
custodian age-key bootstrap model to the control surface. The UI now records
the custodian public age recipient, a derived fingerprint, and a non-secret