feat(harmony): harmony-sso deploy hardening (Zitadel + OpenBao Scores) #303

Merged
johnride merged 1 commits from pr/harmony-sso-deploy-hardening into master 2026-05-29 15:03:45 +00:00
Summary

Makes the Zitadel and OpenBao deployment Scores converge reliably on k3d and
adds who-changed-what auditing. Touches only the harmony modules + harmony-k8s;
independent of the config/secret crates.

Changes

Zitadel (modules/zitadel):

  • Wait for the gRPC management backend before configuring (fixes 503 /
    connection-refused races); embed userinfo in the id_token so the email
    claim is present for OpenBao JWT auth.
  • Reconcile OIDC config on already-existing apps; treat "no changes" as
    idempotent success.
  • Allow the refresh-token grant on the device-code app (enables silent refresh).
  • password_change_required flag on ZitadelScore (defaults false).

OpenBao (modules/openbao):

  • Authoritative init: ask OpenBao its state rather than a brittle pre-check.
  • Declarative file audit device in the server config for who-changed-what
    attribution (logs each operation with the authenticated identity).

harmony-k8s: exec_pod_capture returns both stdout and stderr regardless
of exit code.

Consumer fix

The new ZitadelScore field adds ..Default::default() to the
fleet_staging_install literal so that consumer stays green.

Context

PR 3 of 4 splitting feat/unified-config-and-secrets. Independent — merge in
any order.

Verification

cargo check --workspace --all-targets --all-features, cargo fmt --check,
harmony openbao module test passing; validated end-to-end via a local
integration of all 4 parts + a live cargo run -p example-harmony-sso.

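Two of the convergence rules in the description, "ask OpenBao its state rather than a brittle pre-check" and "treat 'no changes' as idempotent success", are easy to get subtly wrong, so here is an added example of the decision logic, written for this page and not taken from the Harmony modules. It assumes only the `initialized` and `sealed` fields of OpenBao's `GET /v1/sys/seal-status` response; the `ApiError` type, the `reconcile_oidc` callback shape, and the `ManualUnseal` branch (refuse to touch a sealed store when no unseal material is on hand) are assumptions made for illustration, not the project's API.

```rust
// Added example, not Harmony's code. Runs offline: the OpenBao response is a
// constructed sample and the Zitadel update is a closure, so no client crates.

/// Subset of OpenBao's `sys/seal-status` response that the init decision needs.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct SealStatus {
    pub initialized: bool,
    pub sealed: bool,
}

/// Minimal extractor for a top-level boolean field so the example needs no JSON crate.
fn json_bool(body: &str, key: &str) -> Option<bool> {
    let needle = format!("\"{key}\"");
    let start = body.find(&needle)? + needle.len();
    let rest = body[start..].trim_start().strip_prefix(':')?.trim_start();
    if rest.starts_with("true") {
        Some(true)
    } else if rest.starts_with("false") {
        Some(false)
    } else {
        None
    }
}

impl SealStatus {
    /// Parse the two fields from a raw seal-status body; `None` if either is missing.
    pub fn from_json(body: &str) -> Option<Self> {
        Some(Self {
            initialized: json_bool(body, "initialized")?,
            sealed: json_bool(body, "sealed")?,
        })
    }
}

/// What the Score should do next, decided only from what OpenBao reports.
#[derive(Debug, PartialEq, Eq)]
pub enum InitAction {
    /// Fresh instance: run `sys/init` and persist the returned material.
    Initialize,
    /// Initialized and sealed, unseal keys available: submit them.
    Unseal,
    /// Initialized and sealed, no keys on hand: never re-init, hand off to an operator.
    ManualUnseal,
    /// Initialized and unsealed: nothing to do.
    Ready,
}

/// Authoritative init: no local "did we already init?" marker, only OpenBao's answer.
pub fn plan_init(status: SealStatus, have_unseal_keys: bool) -> InitAction {
    match (status.initialized, status.sealed, have_unseal_keys) {
        (false, _, _) => InitAction::Initialize,
        (true, false, _) => InitAction::Ready,
        (true, true, true) => InitAction::Unseal,
        (true, true, false) => InitAction::ManualUnseal,
    }
}

/// Hypothetical error surface of the Zitadel management client.
#[derive(Debug, PartialEq, Eq)]
pub enum ApiError {
    /// The update was rejected because the stored config already matches.
    NoChanges,
    /// Anything else: transport, auth, validation.
    Other(String),
}

#[derive(Debug, PartialEq, Eq)]
pub enum Reconcile {
    Updated,
    Unchanged,
}

/// Apply an OIDC config update; "no changes" is the converged state, not a failure.
pub fn reconcile_oidc<F>(update: F) -> Result<Reconcile, ApiError>
where
    F: FnOnce() -> Result<(), ApiError>,
{
    match update() {
        Ok(()) => Ok(Reconcile::Updated),
        Err(ApiError::NoChanges) => Ok(Reconcile::Unchanged),
        Err(other) => Err(other),
    }
}

fn main() {
    // Constructed sample, shaped like sys/seal-status on a never-initialized pod.
    let fresh = r#"{"type":"shamir","initialized":false,"sealed":true,"t":0,"n":0}"#;
    let status = SealStatus::from_json(fresh).expect("both fields present");
    println!("{status:?} -> {:?}", plan_init(status, false));

    // Second run of the Zitadel step: the server says nothing changed.
    println!("second run: {:?}", reconcile_oidc(|| Err(ApiError::NoChanges)));
}
```

The point of `ManualUnseal` is the one a deploy tool usually gets wrong: a sealed, initialized store with no keys available must stop and report, because every automatic alternative (re-running init, wiping storage) is either rejected by OpenBao or destroys the secrets the Score is supposed to protect.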
stremblay added 1 commit 2026-05-28 18:10:57 +00:00
feat(harmony): harmony-sso deploy hardening (Zitadel + OpenBao Scores)
All checks were successful
Run Check Script / check (pull_request) Successful in 2m50s
d0fff742f4
Net-diff PR (3 of 4) splitting feat/unified-config-and-secrets.
harmony modules + harmony-k8s; independent of the config/secret crates.

Zitadel: wait for gRPC backend + embed userinfo in id_token; reconcile OIDC
config on existing apps + treat "no changes" as idempotent; refresh-token
grant on the device-code app; password_change_required flag on ZitadelScore.
OpenBao: authoritative init (drop brittle pre-check); declarative file audit
device for who-changed-what attribution.
harmony-k8s: exec_pod_capture returns both streams.

The fleet_staging_install ZitadelScore literal gains ..Default::default()
so the new password_change_required field doesn't break that consumer.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
johnride reviewed 2026-05-28 20:42:18 +00:00
johnride left a comment
Not sure about the handling of the credentials, default settings should be leaning a bit more towards high security and never delete I think.

Specifically the zitadel master password and openbao keys should be handled manually I think when defaults are used and we're not in the 100% happy path.

This is mergeable though just something to keep in mind and improve upon as we figure it out.

johnride merged commit df762b01a4 into master 2026-05-29 15:03:45 +00:00
johnride deleted branch pr/harmony-sso-deploy-hardening 2026-05-29 15:03:46 +00:00
Reference: NationTech/harmony#303