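# OpenBao browser UI gateway — injects the KeyCape login overlay and proxies
# to the OpenBao service. Public ingress for bao.coulomb.social targets this
# gateway instead of the chart-managed OpenBao ingress.
#
# ConfigMap data is applied by scripts/openbao-ui-overlay-apply.sh from
# helm/openbao-ui-overlay/*.
#
# Security note: this pod sits in front of the secrets manager's login page
# and serves script/assets from the two ConfigMaps mounted below. Write access
# to those ConfigMaps is equivalent to control over what the login page runs,
# so keep RBAC on them as tight as on OpenBao itself.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: openbao-ui-gateway
  namespace: openbao
  labels:
    app.kubernetes.io/name: openbao-ui-gateway
    app.kubernetes.io/part-of: railiance-platform
    railiance-platform/component: secrets
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: openbao-ui-gateway
  template:
    metadata:
      labels:
        app.kubernetes.io/name: openbao-ui-gateway
        app.kubernetes.io/part-of: railiance-platform
        railiance-platform/component: secrets
    spec:
      # Nothing in this manifest needs the Kubernetes API, so do not mount a
      # service-account token into an internet-facing proxy.
      automountServiceAccountToken: false
      securityContext:
        # Apply the container runtime's default syscall filter.
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: nginx
          # NOTE(review): tag-only reference; pin by digest so the image
          # cannot change underneath the tag, e.g.
          # nginx:1.27-alpine@sha256:<DIGEST_PLACEHOLDER>.
          image: nginx:1.27-alpine
          imagePullPolicy: IfNotPresent
          securityContext:
            # Blocks privilege gain via setuid binaries on exec.
            allowPrivilegeEscalation: false
            # TODO(review): runAsNonRoot, readOnlyRootFilesystem and
            # capabilities.drop are deliberately not set here because they
            # depend on nginx.conf (pid/temp paths, `user` directive), which
            # lives in the openbao-ui-gateway-nginx ConfigMap and is not
            # visible in this file. Enable them once that config is confirmed
            # to run unprivileged.
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
          # Both probes fetch a static overlay asset, so they show that nginx
          # is up and the overlay ConfigMap is mounted; they do not exercise
          # the proxied OpenBao backend.
          readinessProbe:
            httpGet:
              path: /ui/platform-overlay/presets.json
              port: http
            initialDelaySeconds: 3
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /ui/platform-overlay/presets.json
              port: http
            initialDelaySeconds: 10
            periodSeconds: 20
          resources:
            requests:
              cpu: 25m
              memory: 32Mi
            limits:
              cpu: 200m
              memory: 128Mi
          volumeMounts:
            # Single-file mount: subPath volumes do not pick up ConfigMap
            # updates, so a pod restart is needed after nginx.conf changes.
            - name: nginx-config
              mountPath: /etc/nginx/nginx.conf
              subPath: nginx.conf
              readOnly: true
            - name: overlay-assets
              mountPath: /etc/nginx/overlay
              readOnly: true
      volumes:
        - name: nginx-config
          configMap:
            name: openbao-ui-gateway-nginx
        - name: overlay-assets
          configMap:
            name: openbao-ui-overlay
---
# In-cluster Service for the gateway; ClusterIP only, reached from outside
# through the Ingress below.
apiVersion: v1
kind: Service
metadata:
  name: openbao-ui-gateway
  namespace: openbao
  labels:
    app.kubernetes.io/name: openbao-ui-gateway
    app.kubernetes.io/part-of: railiance-platform
    railiance-platform/component: secrets
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/name: openbao-ui-gateway
  ports:
    - name: http
      port: 8080
      targetPort: http
      protocol: TCP
---
# Public entry point for bao.coulomb.social. Every path is routed to the
# gateway, with the rate-limit and HSTS middlewares attached.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: openbao-ui-gateway
  namespace: openbao
  labels:
    app.kubernetes.io/name: openbao-ui-gateway
    app.kubernetes.io/part-of: railiance-platform
    railiance-platform/component: secrets
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # NOTE(review): no router.entrypoints / router.tls annotation is set
    # here. Confirm that Traefik's static configuration keeps this host off
    # plain HTTP (entrypoint redirect or TLS-only entrypoint); HSTS only
    # takes effect after a first HTTPS response.
    traefik.ingress.kubernetes.io/router.middlewares: >-
      openbao-openbao-rate-limit@kubernetescrd,
      openbao-openbao-hsts@kubernetescrd
spec:
  ingressClassName: traefik
  tls:
    - secretName: bao-tls
      hosts:
        - bao.coulomb.social
  rules:
    - host: bao.coulomb.social
      http:
        paths:
          # Prefix "/" forwards the whole site, including OpenBao API paths
          # if the gateway proxies them — TODO confirm against nginx.conf.
          - path: /
            pathType: Prefix
            backend:
              service:
                name: openbao-ui-gateway
                port:
                  number: 8080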