feat(openbao): enable bao.coulomb.social ingress and Traefik middlewares
Expose OpenBao UI via TLS ingress with rate-limit and HSTS middlewares. Track netkingdom OIDC mount in authenticated verify checks.
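--- a/.gitignore
+++ b/.gitignore
@@ -3,6 +3,7 @@ helm/*.yaml
 !helm/*.sops.yaml
 !helm/*.yaml.template
 !helm/openbao-values.yaml
+!helm/openbao-middleware.yaml
 # Kubernetes manifests (no secrets) are safe to commit
 !helm/*-cluster.yaml
 !helm/*-networkpolicies.yaml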
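--- /dev/null
+++ b/helm/openbao-middleware.yaml
@@ -0,0 +1,38 @@
+# Traefik middlewares for OpenBao browser UI/API exposure.
+#
+# These names are referenced by helm/openbao-values.yaml as:
+# openbao-openbao-rate-limit@kubernetescrd
+# openbao-openbao-hsts@kubernetescrd
+
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+name: openbao-rate-limit
+namespace: openbao
+labels:
+app.kubernetes.io/name: openbao
+app.kubernetes.io/part-of: railiance-platform
+railiance-platform/component: secrets
+spec:
+rateLimit:
+# The OpenBao browser UI performs a burst of API calls on load, including
+# repeated /v1/sys/health checks. Keep this high enough for normal admin
+# use while still bounding runaway clients.
+average: 600
+period: 1m
+burst: 180
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+name: openbao-hsts
+namespace: openbao
+labels:
+app.kubernetes.io/name: openbao
+app.kubernetes.io/part-of: railiance-platform
+railiance-platform/component: secrets
+spec:
+headers:
+stsSeconds: 31536000
+stsIncludeSubdomains: true
+stsPreload: true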
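Review bot: `stsPreload: true` combined with `stsIncludeSubdomains: true` and a one-year `stsSeconds` in the `openbao-hsts` middleware is a commitment for the whole registrable domain, not just this host: once `coulomb.social` is submitted to the preload list, every subdomain must serve valid HTTPS and removal takes months. If that is not an explicit decision for the domain, drop `stsPreload: true` (or set `stsIncludeSubdomains: false`) and record the intent in the header comment. For `openbao-rate-limit`, Traefik groups requests by client IP when no `sourceCriterion` is given, so if the ingress controller sits behind a load balancer that does not preserve client addresses, all users share one 600/min bucket and one misbehaving client can exhaust it for the admins; confirm how the source address reaches Traefik and, if it arrives via `X-Forwarded-For`, set `sourceCriterion.ipStrategy.depth` accordingly. Consider also adding `contentTypeNosniff: true` and `frameDeny: true` to the headers middleware unless the UI is intentionally embeddable.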
@@ -31,7 +31,23 @@ server:
memory: 512Mi
memory: 512Mi
ingress:
ingress:
enabled: false
enabled: true
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
traefik.ingress.kubernetes.io/router.middlewares: >-
openbao-openbao-rate-limit@kubernetescrd,
openbao-openbao-hsts@kubernetescrd
ingressClassName: traefik
pathType: Prefix
activeService: true
hosts:
- host: bao.coulomb.social
paths:
- /
tls:
- secretName: bao-tls
hosts:
- bao.coulomb.social
authDelegator:
authDelegator:
enabled: true
enabled: true
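Review bot: The new `ingress:` block does not pin the router to the TLS entrypoint, so unless the Kubernetes Ingress provider is configured with default entrypoints or a global `web`→`websecure` redirect, `bao.coulomb.social` is also reachable over plain HTTP and the HSTS header only protects clients after their first HTTPS visit; add `traefik.ingress.kubernetes.io/router.entrypoints: websecure` to the `annotations:` map. The `router.middlewares` value is written as a folded scalar (`>-`), which yields `openbao-openbao-rate-limit@kubernetescrd, openbao-openbao-hsts@kubernetescrd` with a space after the comma; recent Traefik releases trim each item, but a single-line value avoids depending on that. Note also that with `paths:` set to `/` the ingress exposes the full OpenBao API, including the unauthenticated login endpoints of the OIDC mounts, not only the UI, so the rate limit becomes the only edge control; if that is intended, a comment saying so next to `enabled: true` would help the next reader. The file this hunk belongs to is not named on this page and is inferred from the commit description.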
@@ -15,7 +15,7 @@ Usage: scripts/openbao-verify-authenticated.sh [--dry-run] [--use-token-helper]
Runs authenticated, non-mutating OpenBao readiness checks:
Runs authenticated, non-mutating OpenBao readiness checks:
- audit list includes file/
- audit list includes file/
- secrets list includes platform/
- secrets list includes platform/
- auth list includes kubernetes/ and keycape/
- auth list includes kubernetes/, netkingdom/, and keycape/
- audit log exists and is non-empty
- audit log exists and is non-empty
The token is read from OPENBAO_TOKEN_FILE or an interactive hidden prompt. The
The token is read from OPENBAO_TOKEN_FILE or an interactive hidden prompt. The
@@ -130,6 +130,7 @@ Path Type
---- ----
---- ----
keycape/ oidc
keycape/ oidc
kubernetes/ kubernetes
kubernetes/ kubernetes
netkingdom/ oidc
token/ token
token/ token
AUTH
AUTH
;;
;;
@@ -210,6 +211,7 @@ step "Auth methods"
if auth_output="$(remote_bao "$token" auth list 2>&1)"; then
if auth_output="$(remote_bao "$token" auth list 2>&1)"; then
printf '%s\n' "$auth_output"
printf '%s\n' "$auth_output"
require_pattern "kubernetes/ auth method is visible" "$auth_output" '(^|[[:space:]])kubernetes/'
require_pattern "kubernetes/ auth method is visible" "$auth_output" '(^|[[:space:]])kubernetes/'
require_pattern "netkingdom/ auth method is visible" "$auth_output" '(^|[[:space:]])netkingdom/'
require_pattern "keycape/ auth method is visible" "$auth_output" '(^|[[:space:]])keycape/'
require_pattern "keycape/ auth method is visible" "$auth_output" '(^|[[:space:]])keycape/'
else
else
printf '%s\n' "$auth_output" >&2
printf '%s\n' "$auth_output" >&2
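Review bot: The added `require_pattern "netkingdom/ auth method is visible" "$auth_output" '(^|[[:space:]])netkingdom/'` only proves that some mount exists at `netkingdom/`, not that it is the OIDC method the check is meant to track, so a mount of a different type at that path still passes the readiness check. Since `auth list` prints the type in the column after the path (the dry-run fixture in the earlier hunk shows `netkingdom/ oidc`), tightening the pattern to `'(^|[[:space:]])netkingdom/[[:space:]]+oidc([[:space:]]|$)'` pins the type; the same applies to the neighbouring `kubernetes/` and `keycape/` checks, whose expected types the fixture also shows. This assumes `require_pattern`, defined outside the hunk, matches its third argument as an extended regex, which the existing `(^|[[:space:]])` alternation suggests. The enclosing `if auth_output=...` block closes outside the hunk.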