generated from coulomb/repo-seed
Use helper for OpenBao OIDC auth setup
@@ -139,6 +139,21 @@ decoded `config.yaml` or signing key. The verifier checks the live Secret and
|
||||
then opens a short local `kubectl port-forward` to KeyCape; it does not require
|
||||
`curl` or `wget` inside the KeyCape container image.
|
||||
|
||||
After the live KeyCape client is present, configure Railiance OpenBao to trust
|
||||
KeyCape:
|
||||
|
||||
```bash
|
||||
bash ./configure-openbao-oidc.sh
|
||||
```
|
||||
|
||||
The script prompts for a root/sudo-capable OpenBao token inside the pod TTY.
|
||||
OpenBao currently requires `oidc_client_secret` for OIDC auth config, while
|
||||
KeyCape's `openbao-admin` client is public PKCE and does not validate a
|
||||
downstream client secret. The script therefore writes the explicit
|
||||
non-secret compatibility value `keycape-public-pkce-compatibility-value`.
|
||||
Replace that with a real managed client secret when KeyCape supports
|
||||
confidential downstream clients.
|
||||
|
||||
Example entry (public client, PKCE, for a SPA):
|
||||
```yaml
|
||||
clients:
|
||||
|
||||
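--- /dev/null
+++ b/sso-mfa/k8s/keycape/configure-openbao-oidc.sh
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+# Configure Railiance OpenBao to trust KeyCape for platform-admin OIDC login.
+# The OpenBao token is prompted inside the pod TTY and is never placed on the
+# local command line or stored by this script.
+
+set -euo pipefail
+
+KUBECTL="${KUBECTL:-kubectl}"
+OPENBAO_NAMESPACE="${OPENBAO_NAMESPACE:-openbao}"
+OPENBAO_POD="${OPENBAO_POD:-openbao-0}"
+
+"$KUBECTL" exec -it -n "$OPENBAO_NAMESPACE" "$OPENBAO_POD" -- sh -lc '
+set -eu
+
+restore_tty() { stty echo 2>/dev/null || true; }
+trap restore_tty EXIT INT TERM
+
+printf "OpenBao root/sudo token: " >&2
+stty -echo
+read -r BAO_TOKEN
+stty echo
+printf "\n" >&2
+export BAO_TOKEN
+
+bao auth enable -path=keycape oidc >/tmp/keycape-auth-enable.out 2>/tmp/keycape-auth-enable.err || {
+if grep -q "path is already in use" /tmp/keycape-auth-enable.err; then
+printf "auth/keycape already exists\n" >&2
+else
+cat /tmp/keycape-auth-enable.err >&2
+exit 1
+fi
+}
+
+# OpenBao requires oidc_client_secret for OIDC auth config. The current
+# KeyCape openbao-admin profile is public PKCE and does not validate this
+# downstream client-secret field, so this compatibility value is not a
+# protected secret. Replace this with a real managed client secret when
+# KeyCape supports confidential downstream clients.
+bao write auth/keycape/config \
+oidc_discovery_url="https://kc.coulomb.social" \
+oidc_client_id="openbao-admin" \
+oidc_client_secret="keycape-public-pkce-compatibility-value" \
+default_role="platform-admin"
+
+cat >/tmp/openbao-platform-admin-role.json <<'"'"'ROLE_JSON'"'"'
+{
+"role_type": "oidc",
+"user_claim": "sub",
+"groups_claim": "groups",
+"oidc_scopes": ["openid", "profile", "email", "groups"],
+"allowed_redirect_uris": [
+"http://localhost:8250/oidc/callback",
+"http://127.0.0.1:8250/oidc/callback"
+],
+"bound_claims": {
+"groups": ["net-kingdom-admins"]
+},
+"claim_mappings": {
+"email": "email",
+"preferred_username": "username",
+"groups": "groups"
+},
+"policies": ["platform-admin"],
+"ttl": "1h"
+}
+ROLE_JSON
+
+bao write auth/keycape/role/platform-admin @/tmp/openbao-platform-admin-role.json
+rm -f /tmp/openbao-platform-admin-role.json /tmp/keycape-auth-enable.out /tmp/keycape-auth-enable.err
+unset BAO_TOKEN
+'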
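Review bot: The "path is already in use" branch after `bao auth enable -path=keycape oidc` accepts whatever is already mounted at `auth/keycape` without confirming it is an `oidc` method, so the following `bao write auth/keycape/config` and role write could reconfigure an unrelated auth method that happens to live at that path. Before printing "auth/keycape already exists" and continuing, verify the mount type, e.g. `[ "$(bao read -field=type sys/auth/keycape)" = "oidc" ] || { printf "auth/keycape exists but is not an oidc mount\n" >&2; exit 1; }` (readable with the root/sudo token the script already requires). Separately, the fixed `/tmp/keycape-auth-enable.*` and `/tmp/openbao-platform-admin-role.json` names inside the pod are predictable and the trailing `rm -f` only runs on the success path; creating them with `mktemp` and removing them from the existing EXIT trap alongside `restore_tty` would cover the `set -eu` failure exits too. The whole script is within the hunk, so no enclosing context is missing.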