coulomb/railiance-platform
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
55 Commits 1 Branch 0 Tags
520c7ea2c04ced056c74e655bef307f4cfb08f96
Commit Graph

16 Commits

Author SHA1 Message Date
tegwick
520c7ea2c0 fix(openbao-ui): serve standalone KeyCape login at /ui/vault/auth 
Ember's auth route bounces between ?with=netkingdom/ and ?with=token when
OIDC mounts are hidden from the unauthenticated listing. Bypass Ember on the
bare auth path with a static login page that calls auth_url directly; OIDC
callbacks still proxy to the OpenBao UI.
 2026-06-19 21:13:08 +02:00
tegwick
80648a78b7 Stop OpenBao login redirect loop by removing URL rewriting 
Remove redirect-bootstrap and mount polling that fought Ember's token
fallback. Keep cosmetic overlay and direct KeyCape OIDC on sign-in only.
 2026-06-19 21:07:37 +02:00
tegwick
cb45f29fb2 Fix OpenBao login falling back to token auth 
Add synchronous redirect-bootstrap, direct KeyCape OIDC on sign-in, and mount
watching so the UI no longer lands on ?with=token when netkingdom is hidden
from unauthenticated mount listing. Document listing_visibility tune helper.
 2026-06-19 21:04:31 +02:00
tegwick
6ddf4e56b4 Add KeyCape login overlay gateway for OpenBao browser UI 
Streamline bao.coulomb.social login as "Sign in with KeyCape" via a versioned
nginx gateway that injects overlay assets and proxies to OpenBao. Disable chart
ingress in favor of the overlay ingress, wire make openbao-deploy, and add
openbao-verify-login-overlay with upstream drift detection.
 2026-06-19 20:28:16 +02:00
tegwick
423eccc8e9 feat(openbao): enable bao.coulomb.social ingress and Traefik middlewares 
Expose OpenBao UI via TLS ingress with rate-limit and HSTS middlewares.
Track netkingdom OIDC mount in authenticated verify checks.
 2026-06-18 01:23:02 +02:00
tegwick
7838df6069 fix(openbao): complete SSH apply script for OpenBao 2.5.x issuers 
Generate default CA via ssh/config/ca, split composite KUBECTL for role writes,
read pubkey from config/ca, allow warden key_id in roles, prefer production kubeconfig.
 2026-06-18 01:18:56 +02:00
tegwick
c24956fb5a feat(openbao): add SSH engine automation for ops-warden signing 
Declarative roles, warden-sign policy, apply/verify scripts, and Makefile
targets openbao-configure-ssh and openbao-verify-ssh. Document operator flow
in docs/openbao.md for NET-WP-0020 T5 / WP-0008 T2.
 2026-06-18 01:06:43 +02:00
tegwick
18c1b86498 Reject placeholder OpenBao drill evidence 2026-06-02 02:02:09 +02:00
tegwick
606a5f3e1e Add OpenBao emergency drill evidence validator 2026-06-02 00:08:17 +02:00
tegwick
123b9aafce Add OpenBao restore evidence validator 2026-06-01 23:57:00 +02:00
tegwick
5e4040d43d Add OpenBao authenticated readiness verifier 2026-06-01 22:46:14 +02:00
tegwick
087bb91b86 Configure OpenBao file audit declaratively 2026-06-01 22:12:23 +02:00
tegwick
3a5f9f58e9 Clean up OpenBao config rerun output 2026-05-25 15:57:24 +02:00
tegwick
b76e9101d8 Tolerate declarative OpenBao audit setup 2026-05-25 15:14:41 +02:00
tegwick
3741294b05 Treat sealed OpenBao preflight as expected 2026-05-25 10:49:29 +02:00
tegwick
a7ffeb8b46 Platform secret setup 2026-05-23 13:59:58 +02:00