feat(keycape): add netkingdom OIDC mount and bao.coulomb.social callbacks

Configure OpenBao auth for both netkingdom and keycape mounts with browser
redirect URIs; update verify scripts and runtime architecture notes.
2026-06-18 01:23:02 +02:00
parent 8a05dd0db7
commit efbdab4652
8 changed files with 95 additions and 54 deletions


@@ -24,8 +24,8 @@ Recursive trust rule: Normal tenant admin (even Coulomb) must never suffice to a
- MFA/Token: privacyIDEA (self-service enrollment for TOTP; pi-admin for setup/repair; used for assurance on privileged actions).
- OIDC Provider: KeyCape (issuer https://kc.coulomb.social; conforms to NetKingdom IAM Profile v0.2).
- KeyCape issues tokens with required claims: tenant, principal_type, groups, roles, scope/scp, assurance.
- Registered clients include: netkingdom-bootstrap-console (for console OIDC login), openbao-admin (for OpenBao OIDC auth).
- Redirects: http://localhost:8250/oidc/callback, http://127.0.0.1:8250/oidc/callback.
- Registered clients include: netkingdom-bootstrap-console (for console OIDC login), openbao-admin (for OpenBao OIDC auth).
- Redirects: http://localhost:8250/oidc/callback, http://127.0.0.1:8250/oidc/callback, https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback, https://bao.coulomb.social/ui/vault/auth/keycape/oidc/callback.
- Groups/roles for bootstrap: net-kingdom-admins (for platform-admin OpenBao policy), net-kingdom-users (for scoped non-root).
- platform-root / king credential: dedicated LLDAP user (separate from personal accounts like tegwick). Password in operator password safe; TOTP via privacyIDEA; roles include platform-root-custodian, openbao-admin, identity-admin.
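Review bot: the rewritten Redirects bullet now lists the two plaintext loopback callbacks (http://localhost:8250 and http://127.0.0.1:8250, the CLI-login listener) and the two browser callbacks under https://bao.coulomb.social in one undifferentiated list, without saying which registered client or which login flow each belongs to. Since every registered redirect URI is an accepted return target for an authorization code, suggest splitting the bullet by purpose, e.g. "Redirects (CLI login): ..." and "Redirects (browser UI): ...", and noting that the mount name is embedded in the browser callback path (`/ui/vault/auth/<mount>/oidc/callback`), so renaming or removing either the `netkingdom` or the `keycape` mount requires updating the client registration at KeyCape as well.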
@@ -56,6 +56,10 @@ Authelia acts as the SSO proxy/authenticator in lightweight mode, fronting LLDAP
- Delivery: direct clients, External Secrets Operator -> K8s Secrets, CSI mounts.
- Auth: OIDC/JWT against KeyCape (maps claims/groups to policies, e.g. platform-admin for net-kingdom-admins group).
- platform-root can obtain platform-admin policy via KeyCape/MFA (proven in 0015/0017).
- Browser operator access uses `https://bao.coulomb.social` for the OpenBao UI
and redirects to KeyCape at `kc.coulomb.social`; use auth path `netkingdom`
and role `platform-admin`, not root-token browser login. The `keycape` auth
path is retained only as a compatibility alias.
- Root token: revoked/dispositioned after init; used only for bootstrap/break-glass. Unseal keys in custody (age/SOPS protected, offline packets, king credential).
**Bootstrap to runtime transition:**
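Review bot: the new browser-access bullet uses `platform-admin` as an OIDC role name while the surrounding lines (-56 context and the earlier hunk) use `platform-admin` as the OpenBao policy granted to the net-kingdom-admins group; state explicitly whether the role and the policy intentionally share the name and that the role is what maps the group claim to the policy, otherwise a reader cannot tell which object to inspect when login succeeds but permissions are wrong. Also, "retained only as a compatibility alias" for the `keycape` path should carry a removal condition or date, because two mounts accepting the same identity means two sets of role and policy bindings that must be kept in sync until the alias is gone.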
@@ -202,4 +206,4 @@ See NET-WP-0019 and sso-mfa/k8s/lldap/dry-run-nonroot-user.sh:
- NET-WP-0017, 0019 workplans + their evidence
- DECISIONS.md, ADRs (e.g. 0007, 0010), canon/standards/iam-profile_v0.2.md
This document will be updated as T03 retrospective, T05 guide, T06/T08 work, and T09 risk assessment proceed. It is the single source for "what the running system actually is" for rebuild guidance.
This document will be updated as T03 retrospective, T05 guide, T06/T08 work, and T09 risk assessment proceed. It is the single source for "what the running system actually is" for rebuild guidance.
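Review bot: the removed and added lines in this hunk are textually identical, so the change is whitespace- or line-ending-only (likely a trailing newline); that is fine, but if it is intentional it is worth a word in the commit message, and if it is editor noise it should be dropped so that `blame` on the closing paragraph stays on the original author.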