Patch KeyCape OpenBao client without bootstrap secrets

This commit is contained in:
2026-05-26 02:36:04 +02:00
parent 1267df148a
commit 59c924bc18
6 changed files with 185 additions and 6 deletions

View File

@@ -122,6 +122,21 @@ OpenBao browser UI callbacks are not registered yet because Railiance OpenBao
currently has public ingress disabled. Add exact UI callback URIs only after
the OpenBao UI exposure model is explicitly designed.
To add or refresh only the OpenBao client in a live cluster, do not decrypt the
bootstrap secret bundle and do not re-run the full secret generator. Patch the
existing live `keycape-config` Secret in place:
```bash
cd sso-mfa/k8s/keycape
bash ./patch-openbao-client.sh
kubectl rollout restart deployment/keycape -n sso
kubectl rollout status deployment/keycape -n sso --timeout=60s
bash ./verify-openbao-client.sh
```
The patch script preserves existing secret values and does not print the
decoded `config.yaml` or signing key.
Example entry (public client, PKCE, for a SPA):
```yaml
clients: