Add KeyCape login overlay gateway for OpenBao browser UI

Streamline bao.coulomb.social login as "Sign in with KeyCape" via a versioned
nginx gateway that injects overlay assets and proxies to OpenBao. Disable chart
ingress in favor of the overlay ingress, wire make openbao-deploy, and add
openbao-verify-login-overlay with upstream drift detection.
2026-06-19 20:28:16 +02:00
parent 665d43386f
commit 6ddf4e56b4
14 changed files with 728 additions and 22 deletions


@@ -52,9 +52,11 @@ make openbao-deploy
make openbao-status
```
`make openbao-deploy` also applies `helm/openbao-middleware.yaml`, which
defines the Traefik rate-limit and HSTS middlewares referenced by the OpenBao
Ingress.
`make openbao-deploy` applies `helm/openbao-middleware.yaml` (Traefik
rate-limit and HSTS), upgrades the OpenBao Helm release, then applies the
KeyCape login overlay gateway (`helm/openbao-ui-overlay-k8s.yaml`). Public
ingress for `bao.coulomb.social` targets `openbao-ui-gateway`, not the chart
ingress (which stays disabled in `helm/openbao-values.yaml`).
On Railiance01 directly:
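Review bot: the removed lines said the Traefik rate-limit and HSTS middlewares are "referenced by the OpenBao Ingress", but the replacement text disables that chart ingress and points public traffic at `openbao-ui-gateway` without saying whether the overlay ingress in `helm/openbao-ui-overlay-k8s.yaml` attaches the same middlewares. Please state it explicitly here, e.g. "The overlay ingress references the same rate-limit and HSTS middlewares as the former chart ingress", so a reader can tell the switch did not silently drop rate limiting or HSTS on `bao.coulomb.social`.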
@@ -300,7 +302,13 @@ The browser operator surface is:
https://bao.coulomb.social
```
Use the KeyCape-backed auth method:
Operators see a streamlined **Sign in with KeyCape** mask. The raw OpenBao
fields (namespace, method, mount path, role) are hidden presets applied by the
UI overlay in `helm/openbao-ui-overlay/`. Public ingress targets the
`openbao-ui-gateway` nginx proxy, which injects overlay assets and forwards to
the OpenBao service.
Hidden defaults (also in `helm/openbao-ui-overlay/presets.json`):
```text
method: OIDC
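Review bot: "hidden presets applied by the UI overlay" should be qualified as a client-side convenience, not an access control: the namespace, method, mount path and role are still set by the browser and can be changed by anyone who edits the page, so the sentence should add that OpenBao's OIDC role configuration on the server remains the authorization boundary. It would also help to note that, because the gateway injects overlay assets into the upstream UI, the OpenBao service itself must not be reachable except through `openbao-ui-gateway`, otherwise the streamlined mask is trivially bypassed.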
@@ -309,6 +317,19 @@ mount path: netkingdom
role: platform-admin
```
Deploy or refresh the overlay:
```bash
make openbao-overlay-apply
make openbao-verify-login-overlay
make openbao-verify-login-overlay OPENBAO_VERIFY_LOGIN_OVERLAY_ARGS=--check-upstream-drift
```
After an OpenBao image or chart upgrade, follow
`helm/openbao-ui-overlay/README.md` to refresh overlay selectors and
`patches/<version>/manifest.sha256` fingerprints if upstream login markup
changed.
The OpenBao UI redirects the browser to KeyCape at `kc.coulomb.social`, then
returns to:
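Review bot: the upgrade paragraph says to refresh selectors and `patches/<version>/manifest.sha256` fingerprints "if upstream login markup changed", but it does not say how an operator learns that, nor what `--check-upstream-drift` does on a mismatch (fail the target, warn, or just print). Please document the exit behaviour and recommend running `make openbao-verify-login-overlay OPENBAO_VERIFY_LOGIN_OVERLAY_ARGS=--check-upstream-drift` as part of every OpenBao image or chart upgrade, since a silent selector mismatch would leave the raw login fields exposed or the injected assets non-functional.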