Use helper for OpenBao OIDC auth setup

This commit is contained in:
2026-05-26 03:02:08 +02:00
parent a47c707a9a
commit 1edcfbb17d
4 changed files with 95 additions and 53 deletions

View File

@@ -139,6 +139,21 @@ decoded `config.yaml` or signing key. The verifier checks the live Secret and
then opens a short local `kubectl port-forward` to KeyCape; it does not require
`curl` or `wget` inside the KeyCape container image.
After the live KeyCape client is present, configure Railiance OpenBao to trust
KeyCape:
```bash
bash ./configure-openbao-oidc.sh
```
The script prompts for a root/sudo-capable OpenBao token inside the pod TTY.
OpenBao currently requires `oidc_client_secret` for OIDC auth config, while
KeyCape's `openbao-admin` client is public PKCE and does not validate a
downstream client secret. The script therefore writes the explicit
non-secret compatibility value `keycape-public-pkce-compatibility-value`.
Replace that with a real managed client secret when KeyCape supports
confidential downstream clients.
Example entry (public client, PKCE, for a SPA):
```yaml
clients: