Patch KeyCape OpenBao client without bootstrap secrets

This commit is contained in:
2026-05-26 02:36:04 +02:00
parent 1267df148a
commit 59c924bc18
6 changed files with 185 additions and 6 deletions


@@ -1342,7 +1342,7 @@ def admin_identity_command_payloads(data: dict[str, Any]) -> list[dict[str, str]
deploy_state = "done" if client_deployed else "todo" if source_ready and initial_config_applied else "blocked"
deploy_reason = "Live KeyCape is recorded as carrying the code-defined openbao-admin client."
if deploy_state == "todo":
deploy_reason = "Operator action: apply the already-shipped KeyCape config and restart KeyCape. No new client secret is created."
deploy_reason = "Operator action: patch the live keycape-config Secret in place and restart KeyCape. No bootstrap secret bundle decryption is required."
if deploy_state == "blocked":
deploy_reason = "Blocked until OpenBao initial configuration exists and the KeyCape client definition is present in source."
@@ -1361,16 +1361,14 @@ def admin_identity_command_payloads(data: dict[str, Any]) -> list[dict[str, str]
login_reason = "Configure OpenBao OIDC auth before testing the login path."
keycape_dir = shlex.quote(str(KEYCAPE_OPENBAO_CLIENT_CONFIG.parent))
k8s_dir = shlex.quote(str(REPO_ROOT / "sso-mfa/k8s"))
deploy_command = (
"bash <<'NETKINGDOM_KEYCAPE_APPLY'\n"
"set -euo pipefail\n"
f"cd {keycape_dir}\n"
"bash ./create-secrets.sh\n"
"bash ./patch-openbao-client.sh\n"
"kubectl rollout restart deployment/keycape -n sso\n"
"kubectl rollout status deployment/keycape -n sso --timeout=60s\n"
f"cd {k8s_dir}\n"
"bash ./verify-t07.sh\n"
"bash ./verify-openbao-client.sh\n"
"NETKINGDOM_KEYCAPE_APPLY\n"
)
oidc_config_inner = """bao auth enable -path=keycape oidc >/tmp/keycape-auth-enable.out 2>/tmp/keycape-auth-enable.err || {
@@ -1436,7 +1434,7 @@ rm -f /tmp/openbao-platform-admin-role.json /tmp/keycape-auth-enable.out /tmp/ke
return [
action(
"Apply code-defined KeyCape OpenBao client",
"Deployment action for the non-secret openbao-admin client already present in source. Run this only if live KeyCape has not yet loaded the updated config.",
"Deployment action for the non-secret openbao-admin client already present in source. Patches the live KeyCape Secret without decrypting the bootstrap secret bundle.",
deploy_state,
deploy_reason,
deploy_command,
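Review bot: The deploy command in the second hunk now rewrites a live Kubernetes Secret (`bash ./patch-openbao-client.sh`) and restarts KeyCape in the very next line, yet the operator-facing text on the first hunk's new `deploy_reason` line only says the Secret is patched "in place" without naming the script, so an operator reading the payload cannot tell what will be written before running it. Under `set -euo pipefail`, a failed `kubectl rollout status deployment/keycape -n sso --timeout=60s` also aborts the script before `verify-openbao-client.sh` runs, leaving an already-mutated Secret with no verification output. What the script changes and whether it is safe to re-run lives in another file of this commit, so at minimum the text should name the steps explicitly, e.g. `deploy_reason = "Operator action: run patch-openbao-client.sh to patch the live keycape-config Secret in place, then restart KeyCape and run verify-openbao-client.sh. No bootstrap secret bundle decryption is required."`. The enclosing function admin_identity_command_payloads begins before the first hunk and continues past the last one.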