Add KeyCape login overlay gateway for OpenBao browser UI
Streamline bao.coulomb.social login as "Sign in with KeyCape" via a versioned nginx gateway that injects overlay assets and proxies to OpenBao. Disable chart ingress in favor of the overlay ingress, wire make openbao-deploy, and add openbao-verify-login-overlay with upstream drift detection.
This commit is contained in:
67
helm/openbao-ui-overlay/README.md
Normal file
67
helm/openbao-ui-overlay/README.md
Normal file
@@ -0,0 +1,67 @@
|
||||
# OpenBao KeyCape login overlay
|
||||
|
||||
Streamlines the browser login mask at `https://bao.coulomb.social` to a single
|
||||
**Sign in with KeyCape** action. Namespace, auth method, mount path, and role
|
||||
are preset in `presets.json` and hidden by `overlay.css` / `overlay.js`.
|
||||
|
||||
## Mechanism (T01 decision)
|
||||
|
||||
OpenBao ships UI assets inside the container image. There is no supported API
|
||||
to customize the login form ([`/sys/config/ui`](https://openbao.org/api-docs/system/config-ui/)
|
||||
only configures response headers).
|
||||
|
||||
We use an **nginx UI gateway** (`openbao-ui-gateway`) that:
|
||||
|
||||
1. Proxies all traffic to `openbao.openbao.svc.cluster.local:8200`.
|
||||
2. Serves overlay assets from a ConfigMap at `/ui/platform-overlay/`.
|
||||
3. Injects `overlay.css` and `overlay.js` into HTML responses via `sub_filter`.
|
||||
|
||||
Overlay assets live entirely in this directory. Upgrading OpenBao does not
|
||||
require hand-editing files inside the OpenBao pod.
|
||||
|
||||
Track upstream [openbao/openbao#2936](https://github.com/openbao/openbao/issues/2936)
|
||||
for native custom CSS. When available, keep `presets.json` and branding assets
|
||||
and retire nginx `sub_filter` injection if the upstream API covers the same
|
||||
behaviour.
|
||||
|
||||
## Layout
|
||||
|
||||
| File | Purpose |
|
||||
| --- | --- |
|
||||
| `VERSION` | OpenBao image tag this overlay targets (`openbao-values.yaml`) |
|
||||
| `presets.json` | Hidden login defaults (`netkingdom`, `platform-admin`, …) |
|
||||
| `overlay.css` | Hide raw OpenBao login fields |
|
||||
| `overlay.js` | Apply presets, branding, mount deep-link |
|
||||
| `nginx.conf` | Gateway proxy + HTML injection |
|
||||
| `patches/<version>/manifest.sha256` | Upstream UI fingerprints for drift detection |
|
||||
|
||||
## Deploy
|
||||
|
||||
From `railiance-platform`:
|
||||
|
||||
```bash
|
||||
make openbao-overlay-apply # overlay only
|
||||
make openbao-deploy # middleware + overlay + Helm upgrade
|
||||
make openbao-verify-login-overlay
|
||||
```
|
||||
|
||||
## Reapply after an OpenBao upgrade
|
||||
|
||||
1. Bump `server.image.tag` in `helm/openbao-values.yaml`.
|
||||
2. Deploy: `make openbao-deploy`.
|
||||
3. Fetch live UI assets and compare hashes:
|
||||
|
||||
```bash
|
||||
curl -sS https://bao.coulomb.social/ui/ -o /tmp/index.html
|
||||
# locate vault-*.js path in /tmp/index.html, then:
|
||||
curl -sS "https://bao.coulomb.social/ui/assets/vault-....js" -o /tmp/vault.js
|
||||
sha256sum /tmp/index.html /tmp/vault.js
|
||||
```
|
||||
|
||||
4. If hashes differ from `patches/<old-version>/manifest.sha256`, update
|
||||
`overlay.css` / `overlay.js` selectors against the new Ember templates.
|
||||
5. Write `patches/<new-version>/manifest.sha256`, update `VERSION`.
|
||||
6. Run `make openbao-verify-login-overlay CHECK_UPSTREAM_DRIFT=1`.
|
||||
7. Attended browser login through KeyCape MFA.
|
||||
|
||||
Workplan: `helix-forge/workplans/HF-WP-0003-openbao-keycape-login-overlay.md`
|
||||
Reference in New Issue
Block a user