coulomb/railiance-platform
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
520c7ea2c04ced056c74e655bef307f4cfb08f96
railiance-platform/helm/openbao-ui-overlay
History
tegwick 520c7ea2c0 fix(openbao-ui): serve standalone KeyCape login at /ui/vault/auth 
Ember's auth route bounces between ?with=netkingdom/ and ?with=token when
OIDC mounts are hidden from the unauthenticated listing. Bypass Ember on the
bare auth path with a static login page that calls auth_url directly; OIDC
callbacks still proxy to the OpenBao UI.
2026-06-19 21:13:08 +02:00
..
patches/2.5.4
Add KeyCape login overlay gateway for OpenBao browser UI
2026-06-19 20:28:16 +02:00
login.css
fix(openbao-ui): serve standalone KeyCape login at /ui/vault/auth
2026-06-19 21:13:08 +02:00
login.html
fix(openbao-ui): serve standalone KeyCape login at /ui/vault/auth
2026-06-19 21:13:08 +02:00
login.js
fix(openbao-ui): serve standalone KeyCape login at /ui/vault/auth
2026-06-19 21:13:08 +02:00
nginx.conf
fix(openbao-ui): serve standalone KeyCape login at /ui/vault/auth
2026-06-19 21:13:08 +02:00
overlay.css
Fix OpenBao login falling back to token auth
2026-06-19 21:04:31 +02:00
overlay.js
Stop OpenBao login redirect loop by removing URL rewriting
2026-06-19 21:07:37 +02:00
presets.json
Add KeyCape login overlay gateway for OpenBao browser UI
2026-06-19 20:28:16 +02:00
README.md
fix(openbao-ui): serve standalone KeyCape login at /ui/vault/auth
2026-06-19 21:13:08 +02:00
VERSION
Add KeyCape login overlay gateway for OpenBao browser UI
2026-06-19 20:28:16 +02:00

README.md

OpenBao KeyCape login overlay

Streamlines the browser login mask at https://bao.coulomb.social to a single Sign in with KeyCape action. Namespace, auth method, mount path, and role are preset in presets.json and hidden by overlay.css / overlay.js.

Mechanism (T01 decision)

OpenBao ships UI assets inside the container image. There is no supported API to customize the login form (/sys/config/ui only configures response headers).

We use an nginx UI gateway (openbao-ui-gateway) that:

  1. Proxies all traffic to openbao.openbao.svc.cluster.local:8200.
  2. Serves overlay assets from a ConfigMap at /ui/platform-overlay/.
  3. Injects overlay.css and overlay.js into HTML responses via sub_filter.

Overlay assets live entirely in this directory. Upgrading OpenBao does not require hand-editing files inside the OpenBao pod.

Track upstream openbao/openbao#2936 for native custom CSS. When available, keep presets.json and branding assets and retire nginx sub_filter injection if the upstream API covers the same behaviour.

Layout

File Purpose
VERSION OpenBao image tag this overlay targets (openbao-values.yaml)
presets.json Hidden login defaults (netkingdom, platform-admin, …)
overlay.css Hide raw OpenBao login fields
overlay.js Apply presets, branding on post-login Ember pages
login.html / login.js / login.css Standalone KeyCape login at /ui/vault/auth
nginx.conf Gateway proxy + standalone auth page + HTML injection
patches/<version>/manifest.sha256 Upstream UI fingerprints for drift detection

Deploy

From railiance-platform:

make openbao-overlay-apply   # overlay only
make openbao-deploy          # middleware + overlay + Helm upgrade
make openbao-verify-login-overlay

Reapply after an OpenBao upgrade

  1. Bump server.image.tag in helm/openbao-values.yaml.

  2. Deploy: make openbao-deploy.

  3. Fetch live UI assets and compare hashes:

    curl -sS https://bao.coulomb.social/ui/ -o /tmp/index.html
# locate vault-*.js path in /tmp/index.html, then:
curl -sS "https://bao.coulomb.social/ui/assets/vault-....js" -o /tmp/vault.js
sha256sum /tmp/index.html /tmp/vault.js

  4. If hashes differ from patches/<old-version>/manifest.sha256, update overlay.css / overlay.js selectors against the new Ember templates.

  5. Write patches/<new-version>/manifest.sha256, update VERSION.

  6. Run make openbao-verify-login-overlay CHECK_UPSTREAM_DRIFT=1.

  7. Attended browser login through KeyCape MFA.

Workplan: helix-forge/workplans/HF-WP-0003-openbao-keycape-login-overlay.md

Reference in New Issue View Git Blame Copy Permalink