generated from coulomb/repo-seed
Patch KeyCape OpenBao client without bootstrap secrets
This commit is contained in:
@@ -122,6 +122,21 @@ OpenBao browser UI callbacks are not registered yet because Railiance OpenBao
|
||||
currently has public ingress disabled. Add exact UI callback URIs only after
|
||||
the OpenBao UI exposure model is explicitly designed.
|
||||
|
||||
To add or refresh only the OpenBao client in a live cluster, do not decrypt the
|
||||
bootstrap secret bundle and do not re-run the full secret generator. Patch the
|
||||
existing live `keycape-config` Secret in place:
|
||||
|
||||
```bash
|
||||
cd sso-mfa/k8s/keycape
|
||||
bash ./patch-openbao-client.sh
|
||||
kubectl rollout restart deployment/keycape -n sso
|
||||
kubectl rollout status deployment/keycape -n sso --timeout=60s
|
||||
bash ./verify-openbao-client.sh
|
||||
```
|
||||
|
||||
The patch script preserves existing secret values and does not print the
|
||||
decoded `config.yaml` or signing key.
|
||||
|
||||
Example entry (public client, PKCE, for a SPA):
|
||||
```yaml
|
||||
clients:
|
||||
|
||||
Reference in New Issue
Block a user