feat(openbao): enable bao.coulomb.social ingress and Traefik middlewares

Expose OpenBao UI via TLS ingress with rate-limit and HSTS middlewares.
Track netkingdom OIDC mount in authenticated verify checks.

helm/openbao-middleware.yaml

@@ -0,0 +1,38 @@
+# Traefik middlewares for OpenBao browser UI/API exposure.
+#
+# These names are referenced by helm/openbao-values.yaml as:
+#   openbao-openbao-rate-limit@kubernetescrd
+#   openbao-openbao-hsts@kubernetescrd
+
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: openbao-rate-limit
+  namespace: openbao
+  labels:
+    app.kubernetes.io/name: openbao
+    app.kubernetes.io/part-of: railiance-platform
+    railiance-platform/component: secrets
+spec:
+  rateLimit:
+    # The OpenBao browser UI performs a burst of API calls on load, including
+    # repeated /v1/sys/health checks. Keep this high enough for normal admin
+    # use while still bounding runaway clients.
+    average: 600
+    period: 1m
+    burst: 180
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: openbao-hsts
+  namespace: openbao
+  labels:
+    app.kubernetes.io/name: openbao
+    app.kubernetes.io/part-of: railiance-platform
+    railiance-platform/component: secrets
+spec:
+  headers:
+    stsSeconds: 31536000
+    stsIncludeSubdomains: true
+    stsPreload: true

helm/openbao-values.yaml

@@ -31,7 +31,23 @@ server:
       memory: 512Mi
 
   ingress:
-    enabled: false
+    enabled: true
+    annotations:
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+      traefik.ingress.kubernetes.io/router.middlewares: >-
+        openbao-openbao-rate-limit@kubernetescrd,
+        openbao-openbao-hsts@kubernetescrd
+    ingressClassName: traefik
+    pathType: Prefix
+    activeService: true
+    hosts:
+      - host: bao.coulomb.social
+        paths:
+          - /
+    tls:
+      - secretName: bao-tls
+        hosts:
+          - bao.coulomb.social
 
   authDelegator:
     enabled: true