generated from coulomb/repo-seed
Fix OpenBao public route action state
This commit is contained in:
@@ -577,7 +577,9 @@ def next_action(
|
|||||||
return "Run OpenBao OIDC auth setup"
|
return "Run OpenBao OIDC auth setup"
|
||||||
if gate.name == "OIDC admin login":
|
if gate.name == "OIDC admin login":
|
||||||
if data and yes(data, "openbao_oidc_auth_configured") and not yes(data, "openbao_oidc_admin_login_verified"):
|
if data and yes(data, "openbao_oidc_auth_configured") and not yes(data, "openbao_oidc_admin_login_verified"):
|
||||||
return "Check KeyCape public route"
|
if not yes(data, "openbao_oidc_client_registered"):
|
||||||
|
return "Check KeyCape public route"
|
||||||
|
return "Verify OpenBao OIDC admin login"
|
||||||
return "Verify OpenBao OIDC admin login"
|
return "Verify OpenBao OIDC admin login"
|
||||||
return gate.name
|
return gate.name
|
||||||
if gate.status == "blocked":
|
if gate.status == "blocked":
|
||||||
@@ -597,7 +599,9 @@ def next_action(
|
|||||||
return "Run OpenBao OIDC auth setup"
|
return "Run OpenBao OIDC auth setup"
|
||||||
if gate.name == "OIDC admin login":
|
if gate.name == "OIDC admin login":
|
||||||
if data and yes(data, "openbao_oidc_auth_configured") and not yes(data, "openbao_oidc_admin_login_verified"):
|
if data and yes(data, "openbao_oidc_auth_configured") and not yes(data, "openbao_oidc_admin_login_verified"):
|
||||||
return "Check KeyCape public route"
|
if not yes(data, "openbao_oidc_client_registered"):
|
||||||
|
return "Check KeyCape public route"
|
||||||
|
return "Verify OpenBao OIDC admin login"
|
||||||
return "Verify OpenBao OIDC admin login"
|
return "Verify OpenBao OIDC admin login"
|
||||||
if gate.name == "Root-token disposition":
|
if gate.name == "Root-token disposition":
|
||||||
return "Record root-token disposition"
|
return "Record root-token disposition"
|
||||||
@@ -1377,12 +1381,12 @@ def admin_identity_command_payloads(data: dict[str, Any]) -> list[dict[str, str]
|
|||||||
"NETKINGDOM_KEYCAPE_APPLY\n"
|
"NETKINGDOM_KEYCAPE_APPLY\n"
|
||||||
)
|
)
|
||||||
configure_command = f"bash {shlex.quote(str(KEYCAPE_OPENBAO_CLIENT_CONFIG.parent / 'configure-openbao-oidc.sh'))}"
|
configure_command = f"bash {shlex.quote(str(KEYCAPE_OPENBAO_CLIENT_CONFIG.parent / 'configure-openbao-oidc.sh'))}"
|
||||||
public_route_state = "done" if login_verified else "todo" if auth_configured else "blocked"
|
public_route_state = "done" if client_deployed else "todo" if source_ready else "blocked"
|
||||||
public_route_reason = "The public KeyCape route has been proven by a completed OIDC-backed OpenBao login."
|
public_route_reason = "The live KeyCape verifier has proven the public route, discovery endpoint, and openbao-admin client."
|
||||||
if public_route_state == "todo":
|
if public_route_state == "todo":
|
||||||
public_route_reason = "Operator action: confirm public DNS routes kc.coulomb.social to the patched KeyCape ingress and that /authorize recognizes openbao-admin."
|
public_route_reason = "Operator action: confirm public DNS routes kc.coulomb.social to the patched KeyCape ingress and that /authorize recognizes openbao-admin."
|
||||||
if public_route_state == "blocked":
|
if public_route_state == "blocked":
|
||||||
public_route_reason = "Configure OpenBao OIDC auth before probing the public login route."
|
public_route_reason = "Ship the code-defined KeyCape OpenBao client before probing the public login route."
|
||||||
public_route_command = (
|
public_route_command = (
|
||||||
"bash <<'NETKINGDOM_KEYCAPE_PUBLIC_ROUTE'\n"
|
"bash <<'NETKINGDOM_KEYCAPE_PUBLIC_ROUTE'\n"
|
||||||
"set -euo pipefail\n"
|
"set -euo pipefail\n"
|
||||||
|
|||||||
Reference in New Issue
Block a user