Use helper for OpenBao OIDC auth setup

2026-05-26 03:02:08 +02:00
parent a47c707a9a
commit 1edcfbb17d
4 changed files with 95 additions and 53 deletions

@@ -339,6 +339,12 @@ uses a short local `kubectl port-forward` plus Python HTTP request for OIDC
discovery, avoiding assumptions about tools installed inside the KeyCape
container.
**2026-05-26:** Fixed the OpenBao OIDC auth setup after OpenBao rejected an
empty `oidc_client_secret` even though the current KeyCape `openbao-admin`
client is public PKCE. The UI now points to a short helper script instead of a
long nested shell/JSON command, and the helper writes an explicit non-secret
compatibility value until KeyCape supports confidential downstream clients.
**2026-05-24:** Stepped back from ad hoc secret rollout and added the
custodian age-key bootstrap model to the control surface. The UI now records
the custodian public age recipient, a derived fingerprint, and a non-secret
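Review bot: The 2026-05-26 entry says the helper writes "an explicit non-secret compatibility value" for `oidc_client_secret`, but it names neither the helper script nor the value, so someone auditing the OpenBao auth config later cannot tell this placeholder from a real credential. Suggest naming the script path and the placeholder string in this entry. Also state the follow-up explicitly: once KeyCape supports confidential downstream clients, the placeholder has to be replaced with a real secret that is not written by the helper. Since `openbao-admin` is described as a public PKCE client, a short sentence saying that this field provides no authentication on its own would keep readers from treating it as a control.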