Record Railiance KeyCape rollout

2026-05-24 18:12:41 +02:00
parent d555a33695
commit 4cc22bec9e
2 changed files with 21 additions and 2 deletions


@@ -51,8 +51,11 @@ spec:
- name: keycape
# Image published to self-hosted Gitea OCI registry on CoulombCore (KEY-WP-0002).
# k3s insecure registry configured for 92.205.130.254:32166 — no pull secret needed.
image: 92.205.130.254:32166/coulomb/key-cape:latest
imagePullPolicy: Always
# 2026-05-24: direct-imported into railiance01 k3s for the
# bootstrap-console OIDC/MFA rollout. Use IfNotPresent while the
# HTTP registry push/pull path is being cleaned up.
image: 92.205.130.254:32166/coulomb/key-cape:main-56d279a
imagePullPolicy: IfNotPresent
ports:
- name: http
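Review bot: the new `image: 92.205.130.254:32166/coulomb/key-cape:main-56d279a` line pins a mutable tag, and combined with `imagePullPolicy: IfNotPresent` the node will keep running whatever was direct-imported under that tag even if the registry copy of the tag is later overwritten, so nothing in the manifest verifies the image bits. Given the comment above says the registry is configured as insecure (plain HTTP, no pull secret), record the image digest of the imported build in the comment now, and once the push/pull path is cleaned up switch to a digest reference (`image: 92.205.130.254:32166/coulomb/key-cape@sha256:<digest>`), which makes `IfNotPresent` safe because a digest cannot be repointed. The comment should also name the source commit the tag was built from (the other file in this commit records it as `56d279a`) so the tag can be traced back without querying the registry.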


@@ -176,6 +176,22 @@ control surface now uses that dedicated client. Live verification remains
pending until the updated KeyCape image and regenerated `keycape-config` Secret
are rolled out.
**2026-05-24:** Rolled the fix to the public Railiance SSO host
(`kc.coulomb.social`, currently resolving to `railiance01`). The live
`keycape-config` Secret was patched without printing or rotating secret values,
the `main-1d68639` KeyCape image was direct-imported into k3s, and the
deployment was set to `IfNotPresent`. Public `/authorize` now accepts
`netkingdom-bootstrap-console` and redirects to
`https://auth.coulomb.social/...`. Follow-up: clean up the Gitea HTTP registry
push/pull path so direct image import is no longer needed.
**2026-05-24:** Fixed the next live login failure before OTP: Authelia rejected
KeyCape's token exchange because the upstream `keycape` client only permits
`client_secret_basic`, while KeyCape was sending `client_secret_post`. KeyCape
commit `56d279a` now uses HTTP Basic auth for the upstream token exchange, the
image `main-56d279a` was direct-imported into Railiance k3s, and the live
deployment runs that tag.
**2026-05-24:** Stepped back from ad hoc secret rollout and added the
custodian age-key bootstrap model to the control surface. The UI now records
the custodian public age recipient, a derived fingerprint, and a non-secret
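Review bot: the 2026-05-24 entries record image tags (`main-1d68639`, then `main-56d279a`) but no digest, so the log cannot later show which bits were actually direct-imported into k3s; add the `sha256` digest beside each tag. The `client_secret_basic` entry should also capture the encoding detail that matters for the Basic header: RFC 6749 §2.3.1 requires `client_id` and `client_secret` to be form-urlencoded before the base64 step, and a secret containing characters such as `+` or `/` is a common cause of the next rejection after switching from `client_secret_post`. The redirect target `https://auth.coulomb.social/...` is elided; if that is deliberate, say so, otherwise record the full redirect URI that was verified. Finally, the last entry ends mid-sentence ("and a non-secret"), so the rendered hunk appears cut off; confirm the committed file is complete.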