Use helper for OpenBao OIDC auth setup

This commit is contained in:
2026-05-26 03:02:08 +02:00
parent a47c707a9a
commit 1edcfbb17d
4 changed files with 95 additions and 53 deletions

View File

@@ -139,6 +139,21 @@ decoded `config.yaml` or signing key. The verifier checks the live Secret and
then opens a short local `kubectl port-forward` to KeyCape; it does not require
`curl` or `wget` inside the KeyCape container image.
After the live KeyCape client is present, configure Railiance OpenBao to trust
KeyCape:
```bash
bash ./configure-openbao-oidc.sh
```
The script prompts for a root/sudo-capable OpenBao token inside the pod TTY.
OpenBao currently requires `oidc_client_secret` for OIDC auth config, while
KeyCape's `openbao-admin` client is public PKCE and does not validate a
downstream client secret. The script therefore writes the explicit
non-secret compatibility value `keycape-public-pkce-compatibility-value`.
Replace that with a real managed client secret when KeyCape supports
confidential downstream clients.
Example entry (public client, PKCE, for a SPA):
```yaml
clients:

View File

@@ -0,0 +1,71 @@
#!/usr/bin/env bash
# Configure Railiance OpenBao to trust KeyCape for platform-admin OIDC login.
# The OpenBao token is prompted inside the pod TTY and is never placed on the
# local command line or stored by this script.
set -euo pipefail
KUBECTL="${KUBECTL:-kubectl}"
OPENBAO_NAMESPACE="${OPENBAO_NAMESPACE:-openbao}"
OPENBAO_POD="${OPENBAO_POD:-openbao-0}"
"$KUBECTL" exec -it -n "$OPENBAO_NAMESPACE" "$OPENBAO_POD" -- sh -lc '
set -eu
restore_tty() { stty echo 2>/dev/null || true; }
trap restore_tty EXIT INT TERM
printf "OpenBao root/sudo token: " >&2
stty -echo
read -r BAO_TOKEN
stty echo
printf "\n" >&2
export BAO_TOKEN
bao auth enable -path=keycape oidc >/tmp/keycape-auth-enable.out 2>/tmp/keycape-auth-enable.err || {
if grep -q "path is already in use" /tmp/keycape-auth-enable.err; then
printf "auth/keycape already exists\n" >&2
else
cat /tmp/keycape-auth-enable.err >&2
exit 1
fi
}
# OpenBao requires oidc_client_secret for OIDC auth config. The current
# KeyCape openbao-admin profile is public PKCE and does not validate this
# downstream client-secret field, so this compatibility value is not a
# protected secret. Replace this with a real managed client secret when
# KeyCape supports confidential downstream clients.
bao write auth/keycape/config \
oidc_discovery_url="https://kc.coulomb.social" \
oidc_client_id="openbao-admin" \
oidc_client_secret="keycape-public-pkce-compatibility-value" \
default_role="platform-admin"
cat >/tmp/openbao-platform-admin-role.json <<'"'"'ROLE_JSON'"'"'
{
"role_type": "oidc",
"user_claim": "sub",
"groups_claim": "groups",
"oidc_scopes": ["openid", "profile", "email", "groups"],
"allowed_redirect_uris": [
"http://localhost:8250/oidc/callback",
"http://127.0.0.1:8250/oidc/callback"
],
"bound_claims": {
"groups": ["net-kingdom-admins"]
},
"claim_mappings": {
"email": "email",
"preferred_username": "username",
"groups": "groups"
},
"policies": ["platform-admin"],
"ttl": "1h"
}
ROLE_JSON
bao write auth/keycape/role/platform-admin @/tmp/openbao-platform-admin-role.json
rm -f /tmp/openbao-platform-admin-role.json /tmp/keycape-auth-enable.out /tmp/keycape-auth-enable.err
unset BAO_TOKEN
'