Add KeyCape login overlay gateway for OpenBao browser UI

Streamline bao.coulomb.social login as "Sign in with KeyCape" via a versioned nginx gateway that injects overlay assets and proxies to OpenBao. Disable chart ingress in favor of the overlay ingress, wire make openbao-deploy, and add openbao-verify-login-overlay with upstream drift detection.
2026-06-19 20:28:16 +02:00
parent 665d43386f
commit 6ddf4e56b4
14 changed files with 728 additions and 22 deletions
--- a/scripts/openbao-ui-overlay-apply.sh
+++ b/scripts/openbao-ui-overlay-apply.sh
@@ -0,0 +1,69 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+OPENBAO_NAMESPACE="${OPENBAO_NAMESPACE:-openbao}"
+KUBECTL="${KUBECTL:-kubectl}"
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+OVERLAY_DIR="${OPENBAO_UI_OVERLAY_DIR:-$ROOT_DIR/helm/openbao-ui-overlay}"
+K8S_MANIFEST="${OPENBAO_UI_OVERLAY_K8S:-$ROOT_DIR/helm/openbao-ui-overlay-k8s.yaml}"
+
+usage() {
+  cat <<'USAGE'
+Usage: scripts/openbao-ui-overlay-apply.sh
+
+Builds and applies the OpenBao KeyCape login overlay ConfigMaps and gateway
+Deployment/Service/Ingress. Idempotent — safe to run on every openbao-deploy.
+
+Environment:
+  OPENBAO_NAMESPACE      Kubernetes namespace. Default: openbao
+  KUBECTL                  kubectl command, including --kubeconfig if needed
+  OPENBAO_UI_OVERLAY_DIR   Overlay asset directory
+  OPENBAO_UI_OVERLAY_K8S   Gateway manifest path
+USAGE
+}
+
+if [ "${1:-}" = "-h" ] || [ "${1:-}" = "--help" ]; then
+  usage
+  exit 0
+fi
+
+for required in overlay.css overlay.js presets.json nginx.conf VERSION; do
+  if [ ! -f "$OVERLAY_DIR/$required" ]; then
+    echo "missing overlay asset: $OVERLAY_DIR/$required" >&2
+    exit 1
+  fi
+done
+
+if [ ! -f "$K8S_MANIFEST" ]; then
+  echo "missing gateway manifest: $K8S_MANIFEST" >&2
+  exit 1
+fi
+
+# shellcheck disable=SC2086
+$KUBECTL create namespace "$OPENBAO_NAMESPACE" --dry-run=client -o yaml | $KUBECTL apply -f -
+
+# shellcheck disable=SC2086
+$KUBECTL create configmap openbao-ui-overlay \
+  --namespace "$OPENBAO_NAMESPACE" \
+  --from-file="$OVERLAY_DIR/overlay.css" \
+  --from-file="$OVERLAY_DIR/overlay.js" \
+  --from-file="$OVERLAY_DIR/presets.json" \
+  --from-file="$OVERLAY_DIR/VERSION" \
+  --dry-run=client -o yaml | $KUBECTL apply -f -
+
+# shellcheck disable=SC2086
+$KUBECTL create configmap openbao-ui-gateway-nginx \
+  --namespace "$OPENBAO_NAMESPACE" \
+  --from-file=nginx.conf="$OVERLAY_DIR/nginx.conf" \
+  --dry-run=client -o yaml | $KUBECTL apply -f -
+
+# shellcheck disable=SC2086
+$KUBECTL apply -f "$K8S_MANIFEST"
+
+# shellcheck disable=SC2086
+$KUBECTL rollout restart deployment/openbao-ui-gateway -n "$OPENBAO_NAMESPACE"
+
+# shellcheck disable=SC2086
+$KUBECTL rollout status deployment/openbao-ui-gateway -n "$OPENBAO_NAMESPACE" --timeout=120s
+
+printf '[OK] OpenBao UI overlay applied from %s\n' "$OVERLAY_DIR"