Verify KeyCape discovery without container wget

2026-05-26 02:47:01 +02:00
parent 59c924bc18
commit a47c707a9a
3 changed files with 49 additions and 4 deletions


@@ -333,6 +333,12 @@ decrypted bootstrap secrets after the operator correctly hit the absent
verifier for the `openbao-admin` client so this non-secret client addition can
be applied without decrypting the full bootstrap secret bundle.
**2026-05-26:** Fixed the focused KeyCape OpenBao verifier after the live
KeyCape image lacked `wget`. The verifier now checks the live Secret and then
uses a short local `kubectl port-forward` plus Python HTTP request for OIDC
discovery, avoiding assumptions about tools installed inside the KeyCape
container.
**2026-05-24:** Stepped back from ad hoc secret rollout and added the
custodian age-key bootstrap model to the control surface. The UI now records
the custodian public age recipient, a derived fingerprint, and a non-secret
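Review bot: The 2026-05-26 entry says the verifier avoids assumptions about tools inside the KeyCape container, but it does not record the assumptions it now makes on the operator side: a local Python interpreter and permission to run `kubectl port-forward` against the KeyCape workload. Suggest adding one sentence naming those prerequisites, and stating whether the port-forward is torn down when the discovery request fails, so a failed run does not leave a forwarded port open on the operator's machine. It would also help to say what the OIDC discovery check asserts (a successful response only, or the expected issuer as well), since the entry describes this as a verifier.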