feat(openbao): enable bao.coulomb.social ingress and Traefik middlewares

Expose OpenBao UI via TLS ingress with rate-limit and HSTS middlewares. Track netkingdom OIDC mount in authenticated verify checks.
2026-06-18 01:23:02 +02:00
parent 7838df6069
commit 423eccc8e9
4 changed files with 59 additions and 2 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -3,6 +3,7 @@ helm/*.yaml
 !helm/*.sops.yaml
 !helm/*.yaml.template
 !helm/openbao-values.yaml
+!helm/openbao-middleware.yaml
 # Kubernetes manifests (no secrets) are safe to commit
 !helm/*-cluster.yaml
 !helm/*-networkpolicies.yaml
--- a/helm/openbao-middleware.yaml
+++ b/helm/openbao-middleware.yaml
@@ -0,0 +1,38 @@
+# Traefik middlewares for OpenBao browser UI/API exposure.
+#
+# These names are referenced by helm/openbao-values.yaml as:
+#   openbao-openbao-rate-limit@kubernetescrd
+#   openbao-openbao-hsts@kubernetescrd
+
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: openbao-rate-limit
+  namespace: openbao
+  labels:
+    app.kubernetes.io/name: openbao
+    app.kubernetes.io/part-of: railiance-platform
+    railiance-platform/component: secrets
+spec:
+  rateLimit:
+    # The OpenBao browser UI performs a burst of API calls on load, including
+    # repeated /v1/sys/health checks. Keep this high enough for normal admin
+    # use while still bounding runaway clients.
+    average: 600
+    period: 1m
+    burst: 180
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: openbao-hsts
+  namespace: openbao
+  labels:
+    app.kubernetes.io/name: openbao
+    app.kubernetes.io/part-of: railiance-platform
+    railiance-platform/component: secrets
+spec:
+  headers:
+    stsSeconds: 31536000
+    stsIncludeSubdomains: true
+    stsPreload: true
--- a/helm/openbao-values.yaml
+++ b/helm/openbao-values.yaml
@@ -31,7 +31,23 @@ server:
      memory: 512Mi

  ingress:
-    enabled: false
+    enabled: true
+    annotations:
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+      traefik.ingress.kubernetes.io/router.middlewares: >-
+        openbao-openbao-rate-limit@kubernetescrd,
+        openbao-openbao-hsts@kubernetescrd
+    ingressClassName: traefik
+    pathType: Prefix
+    activeService: true
+    hosts:
+      - host: bao.coulomb.social
+        paths:
+          - /
+    tls:
+      - secretName: bao-tls
+        hosts:
+          - bao.coulomb.social

  authDelegator:
    enabled: true
--- a/scripts/openbao-verify-authenticated.sh
+++ b/scripts/openbao-verify-authenticated.sh
@@ -15,7 +15,7 @@ Usage: scripts/openbao-verify-authenticated.sh [--dry-run] [--use-token-helper]
 Runs authenticated, non-mutating OpenBao readiness checks:
  - audit list includes file/
  - secrets list includes platform/
-  - auth list includes kubernetes/ and keycape/
+  - auth list includes kubernetes/, netkingdom/, and keycape/
  - audit log exists and is non-empty

 The token is read from OPENBAO_TOKEN_FILE or an interactive hidden prompt. The
@@ -130,6 +130,7 @@ Path           Type
 ----           ----
 keycape/       oidc
 kubernetes/    kubernetes
+netkingdom/    oidc
 token/         token
 AUTH
        ;;
@@ -210,6 +211,7 @@ step "Auth methods"
 if auth_output="$(remote_bao "$token" auth list 2>&1)"; then
  printf '%s\n' "$auth_output"
  require_pattern "kubernetes/ auth method is visible" "$auth_output" '(^|[[:space:]])kubernetes/'
+  require_pattern "netkingdom/ auth method is visible" "$auth_output" '(^|[[:space:]])netkingdom/'
  require_pattern "keycape/ auth method is visible" "$auth_output" '(^|[[:space:]])keycape/'
 else
  printf '%s\n' "$auth_output" >&2