generated from coulomb/repo-seed
Use helper for OpenBao OIDC auth setup
This commit is contained in:
@@ -139,6 +139,21 @@ decoded `config.yaml` or signing key. The verifier checks the live Secret and
|
||||
then opens a short local `kubectl port-forward` to KeyCape; it does not require
|
||||
`curl` or `wget` inside the KeyCape container image.
|
||||
|
||||
After the live KeyCape client is present, configure Railiance OpenBao to trust
|
||||
KeyCape:
|
||||
|
||||
```bash
|
||||
bash ./configure-openbao-oidc.sh
|
||||
```
|
||||
|
||||
The script prompts for a root/sudo-capable OpenBao token inside the pod TTY.
|
||||
OpenBao currently requires `oidc_client_secret` for OIDC auth config, while
|
||||
KeyCape's `openbao-admin` client is public PKCE and does not validate a
|
||||
downstream client secret. The script therefore writes the explicit
|
||||
non-secret compatibility value `keycape-public-pkce-compatibility-value`.
|
||||
Replace that with a real managed client secret when KeyCape supports
|
||||
confidential downstream clients.
|
||||
|
||||
Example entry (public client, PKCE, for a SPA):
|
||||
```yaml
|
||||
clients:
|
||||
|
||||
Reference in New Issue
Block a user