generated from coulomb/repo-seed
feat(keycape): add netkingdom OIDC mount and bao.coulomb.social callbacks
Configure OpenBao auth for both netkingdom and keycape mounts with browser redirect URIs; update verify scripts and runtime architecture notes.
This commit is contained in:
@@ -117,7 +117,7 @@ keeps KeyCape from using the admin token-list API as the MFA-required check.
|
||||
|
||||
Downstream applications are registered in the `clients:` block in
|
||||
`keycape/create-secrets.sh`. The NetKingdom bootstrap console and Railiance
|
||||
OpenBao admin CLI clients are code-defined there; operators should not create
|
||||
OpenBao admin clients are code-defined there; operators should not create
|
||||
those clients manually in a separate UI. After changing the block:
|
||||
|
||||
```bash
|
||||
@@ -126,16 +126,20 @@ kubectl rollout restart deployment/keycape -n sso
|
||||
```
|
||||
|
||||
The `openbao-admin` client is intentionally a public PKCE client for the
|
||||
current local operator CLI flow. It registers the OpenBao CLI callback URIs:
|
||||
current operator flow. It registers both the OpenBao CLI callback URIs and the
|
||||
browser UI callbacks for `bao.coulomb.social`:
|
||||
|
||||
```text
|
||||
http://localhost:8250/oidc/callback
|
||||
http://127.0.0.1:8250/oidc/callback
|
||||
https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback
|
||||
https://bao.coulomb.social/ui/vault/auth/keycape/oidc/callback
|
||||
```
|
||||
|
||||
OpenBao browser UI callbacks are not registered yet because Railiance OpenBao
|
||||
currently has public ingress disabled. Add exact UI callback URIs only after
|
||||
the OpenBao UI exposure model is explicitly designed.
|
||||
The browser UI callback is paired with the Railiance Platform OpenBao ingress
|
||||
at `https://bao.coulomb.social`. The preferred browser auth mount is
|
||||
`netkingdom`; `keycape` remains a compatibility alias. Keep the localhost
|
||||
callbacks unless there is a separate decision to retire CLI login.
|
||||
|
||||
To add or refresh only the OpenBao client in a live cluster, do not decrypt the
|
||||
bootstrap secret bundle and do not re-run the full secret generator. Patch the
|
||||
@@ -161,6 +165,13 @@ KeyCape:
|
||||
bash ./configure-openbao-oidc.sh
|
||||
```
|
||||
|
||||
That script registers the browser UI callbacks on the OpenBao
|
||||
`auth/netkingdom/role/platform-admin` role and the compatibility
|
||||
`auth/keycape/role/platform-admin` role. Browser operators should use the
|
||||
OpenBao UI at `https://bao.coulomb.social`, leave namespace blank, choose
|
||||
OIDC, set mount path `netkingdom`, and use role `platform-admin`; root-token
|
||||
browser use is outside the approved operator path.
|
||||
|
||||
The script prompts for a root/sudo-capable OpenBao token inside the pod TTY.
|
||||
OpenBao currently requires `oidc_client_secret` for OIDC auth config, while
|
||||
KeyCape's `openbao-admin` client is public PKCE and does not validate a
|
||||
|
||||
Reference in New Issue
Block a user