generated from coulomb/repo-seed
Close OpenBao OIDC admin bootstrap path
@@ -8,7 +8,7 @@ status: active
owner: codex
topic_slug: netkingdom
created: "2026-05-24"
updated: "2026-05-26"
updated: "2026-06-01"
depends_on:
- NK-WP-0006
- NK-WP-0012
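Review bot: the only change in this hunk is the `updated` date, which is fine, but the `depends_on` context lines reference `NK-WP-0006` and `NK-WP-0012` while every other identifier on this page uses the `NET-WP-` prefix (`NET-WP-0015-T06`, `NET-WP-0017`, `NET-WP-0015`, `NET-WP-0016`). If these are meant to be the same work packages, normalise them to the `NET-WP-` form in a follow-up so anything that resolves dependencies by id matches them.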
@@ -407,7 +407,7 @@ remain part of the user-onboarding readiness work in `NET-WP-0017`.
```task
id: NET-WP-0015-T06
status: in_progress
status: done
priority: medium
state_hub_task_id: "ef97f3cb-9792-4b9d-bd2b-8871d368a50f"
```
@@ -416,12 +416,32 @@ Replace temporary operator tokens with NetKingdom IAM-backed OpenBao admin
auth when the issuer and claim mapping are ready. The OpenBao root token must
not be the normal admin path.
**2026-05-26:** The KeyCape `openbao-admin` client is code-defined, patched
**2026-05-26:** The KeyCape `openbao-admin` client was code-defined, patched
into the live `keycape-config` Secret, rolled out, and verified without
requiring decrypted bootstrap secrets. This task remains in progress because
OpenBao `auth/keycape` still needs the fixed helper command to complete and
the MFA-backed `bao login -method=oidc -path=keycape role=platform-admin` path
still needs verification.
requiring decrypted bootstrap secrets. At that point, OpenBao `auth/keycape`
still needed the fixed helper command and the MFA-backed
`bao login -method=oidc -path=keycape role=platform-admin` path still needed
verification.
**2026-06-01:** Added a guided bootstrap runbook action for the live
privacyIDEA state-loss case encountered during OpenBao OIDC login testing. The
new action recreates the `coulomb` realm, `lldap-coulomb` resolver,
self-enrollment policy, and phase-one passthrough policy by prompting for
`pi-admin` and LLDAP bind/admin passwords, writing them only to temporary
files through `repair-realm-live.sh`, and running `bootstrap-realm.sh` plus
`verify-t06.sh`. TOTP enrollment/re-enrollment and the final MFA-backed
OpenBao login verification remain operator steps.
**2026-06-01:** Closed after the `platform-root` MFA-backed OpenBao OIDC login
completed through KeyCape and the resulting token lookup showed
`platform-admin` in both token policy fields. The remaining OpenBao hardening,
audit, escrow, reset/rotation, and reopening gates continue under T07/T08 and
`NET-WP-0017`.
**2026-06-01:** Added OpenBao token revocation to the guided
Usecases & Runbooks section. The UI now includes a self-revoke card for the
current pod token-helper token and an accessor-based revocation card for
disclosed tokens, both keeping OpenBao token values off the local command line.
### T07 - Verify Recovery, Audit, And Rotation
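Review bot: the first 2026-06-01 entry says the `pi-admin` and LLDAP bind/admin passwords are written "only to temporary files through `repair-realm-live.sh`" but does not say those files are removed or how they are protected, while the matching entry in the `NET-WP-0017` hunk of this same commit says the helper "removes them on exit"; make this entry say the same and record the file mode and exit-trap behaviour so the two work-package records agree on how the credentials are handled. Second, the closure entry records that the token lookup showed `platform-admin` in both policy fields but not what happened to that proof token; the other file says it "should be treated as disclosed and revoked or allowed to expire", and since the same commit adds an accessor-based revocation card, the closure should state that the token was revoked rather than leave it as advice. Minor: the task block in the previous hunk flips to `status: done` while the first 2026-06-01 entry still says TOTP enrollment and the final MFA-backed login "remain operator steps"; the later entry resolves this, so consider wording the earlier one in the past tense as was done for the 2026-05-26 entry.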
@@ -8,7 +8,7 @@ status: active
owner: codex
topic_slug: netkingdom
created: "2026-05-26"
updated: "2026-05-29"
updated: "2026-06-01"
depends_on:
- NET-WP-0015
- NET-WP-0016
@@ -40,8 +40,9 @@ first non-root onboarding dry run must prove the lifecycle model.
- Trial unseal shares were rotated.
- The KeyCape `openbao-admin` client is live and verified, including the public
`https://kc.coulomb.social` route and certificate.
- OpenBao OIDC auth configuration is applied; MFA-backed OpenBao admin login is
still pending.
- OpenBao OIDC auth configuration is applied; MFA-backed OpenBao admin login
completed successfully and the resulting token lookup showed the
`platform-admin` policy for `platform-root`.
- Declarative/durable audit handling, residual taint closeout, cleanup/rotation,
and the first ordinary-user onboarding dry run are still pending.
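Review bot: the rewritten bullet declares the MFA-backed OpenBao admin login complete while the very next bullet still lists "Declarative/durable audit handling" as pending, which means the `platform-admin` path is usable before audit logging is durable. Make that state explicit in the status list, for example "MFA-backed admin login verified; not yet under durable audit", or add a line stating that admin use stays limited to verification until the audit gate in T02 closes, so a reader of the status section does not take the first bullet as production readiness.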
@@ -51,7 +52,7 @@ first non-root onboarding dry run must prove the lifecycle model.
```task
id: NET-WP-0017-T01
status: in_progress
status: done
priority: high
state_hub_task_id: "9b087bbd-631b-4316-b94d-a8265a05b065"
```
@@ -74,6 +75,51 @@ the OpenBao `auth/keycape` OIDC configuration and `platform-admin` role. The
remaining T01 gate is the human browser login with MFA and a token lookup that
shows the expected OpenBao `platform-admin` policy.
**2026-06-01:** Added a guided console recovery action for the observed
privacyIDEA state-loss blocker: if the live instance lacks the `coulomb` realm,
LLDAP resolver, or self-service policies, the operator can run **Repair
privacyIDEA realm and self-service** from **Usecases & Runbooks**. The action
does not store secrets; it calls `repair-realm-live.sh`, prompts live, creates
temporary env files for `bootstrap-realm.sh`, removes them on exit, and then
runs `verify-t06.sh`. After repair, `platform-root` TOTP
enrollment/re-enrollment and the MFA-backed `bao login` proof are still
required.
**2026-06-01:** Fixed the follow-up OpenBao OIDC token exchange
`user not found` error caused by live `keycape-config` drift: the Secret had
lost the non-secret LLDAP lookup fields `userOU: ou=people` and
`groupOU: ou=groups`. The KeyCape live patch helper now enforces those fields
alongside the `openbao-admin` client, the live Secret was patched, KeyCape was
restarted, and `verify-openbao-client.sh` passes again.
**2026-06-01:** Deployed a KeyCape runtime lookup fix for the remaining
`user not found` token-exchange failure after config drift was ruled out. The
LDAP adapter now treats provisioning metadata validation failures as runtime
warnings instead of blocking token issuance for an otherwise resolved LLDAP
user. The patched image `main-runtime-lookup-0601` is live and
`verify-openbao-client.sh` passes after rollout.
**2026-06-01:** Deployed the follow-up KeyCape OIDC nonce fix after OpenBao
rejected the exchanged ID token with `invalid id_token nonce`. KeyCape now
persists the original authorization `nonce` through pending state and the
authorization-code session, then emits it in the ID token. The patched image
`main-nonce-0601` is live, reports 1/1 ready, and `verify-openbao-client.sh`
passes after rollout.
**2026-06-01:** Fixed the next OpenBao role configuration failure,
`error converting claim 'groups' to string`. KeyCape correctly emits `groups`
as an array for `groups_claim`; OpenBao only failed because the role also copied
that array through scalar `claim_mappings`. The helper now leaves groups in
`groups_claim`/`bound_claims` and maps only scalar `email` and
`preferred_username` metadata.
**2026-06-01:** The operator reached the OpenBao success page, "Signed in via
your OIDC provider", after reapplying the corrected role. The follow-up
terminal proof showed `token_policies`/`policies` containing `platform-admin`,
`token_meta_role: platform-admin`, and `token_meta_username: platform-root`.
T01 is closed; the pasted short-lived token should be treated as disclosed and
revoked or allowed to expire after the check.
### T02 - Close OpenBao Audit And Recovery Production Gates
```task
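Review bot: the "runtime lookup fix" entry describes a fail-open change in the identity provider: the LDAP adapter now "treats provisioning metadata validation failures as runtime warnings instead of blocking token issuance", and the entry should say which validations were downgraded, why none of them affect the `email`, `preferred_username` or `groups` claims that the OpenBao role binds on, and which follow-up restores the hard failure once the LLDAP metadata is clean; as written, a reader cannot tell whether the IdP now issues tokens for users whose entries failed a check that matters. Second, the closing entry says the pasted short-lived token "should be treated as disclosed and revoked or allowed to expire"; record the action actually taken (the accessor-based revocation added in the `NET-WP-0015` hunk is the obvious one) rather than a recommendation, so the closure is auditable. Third, `main-runtime-lookup-0601` and `main-nonce-0601` are referenced by tag only; add the image digests next to "is live" so the rollout claims and the `verify-openbao-client.sh` results can be tied to an exact build. Finally, the nonce fix closes a gap that OpenBao correctly rejected with `invalid id_token nonce`; it deserves a regression test that the authorization `nonce` survives pending state and the authorization-code session, and the entry should point to it.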