Use helper for OpenBao OIDC auth setup

2026-05-26 03:02:08 +02:00
parent a47c707a9a
commit 1edcfbb17d
4 changed files with 95 additions and 53 deletions
--- a/tools/security-bootstrap-console/security_bootstrap_console.py
+++ b/tools/security-bootstrap-console/security_bootstrap_console.py
@@ -1349,7 +1349,7 @@ def admin_identity_command_payloads(data: dict[str, Any]) -> list[dict[str, str]
    auth_state = "done" if auth_configured else "todo" if client_deployed else "blocked"
    auth_reason = "OpenBao OIDC/JWT auth is recorded as configured."
    if auth_state == "todo":
-        auth_reason = "Operator action: requires a root/sudo-capable OpenBao token at the hidden prompt; the token value is not recorded."
+        auth_reason = "Operator action: run the helper script and enter a root/sudo-capable OpenBao token at the pod TTY prompt. The token value is not recorded."
    if auth_state == "blocked":
        auth_reason = "Apply and confirm the live KeyCape openbao-admin client before configuring OpenBao auth."

@@ -1371,57 +1371,7 @@ def admin_identity_command_payloads(data: dict[str, Any]) -> list[dict[str, str]
        "bash ./verify-openbao-client.sh\n"
        "NETKINGDOM_KEYCAPE_APPLY\n"
    )
-    oidc_config_inner = """bao auth enable -path=keycape oidc >/tmp/keycape-auth-enable.out 2>/tmp/keycape-auth-enable.err || {
-  if grep -q "path is already in use" /tmp/keycape-auth-enable.err; then
-    printf "auth/keycape already exists\\n" >&2
-  else
-    cat /tmp/keycape-auth-enable.err >&2
-    exit 1
-  fi
-}
-bao write auth/keycape/config \\
-  oidc_discovery_url="https://kc.coulomb.social" \\
-  oidc_client_id="openbao-admin" \\
-  oidc_client_secret="" \\
-  default_role="platform-admin"
-cat >/tmp/openbao-platform-admin-role.json <<ROLE_JSON
-{
-  "role_type": "oidc",
-  "user_claim": "sub",
-  "groups_claim": "groups",
-  "oidc_scopes": ["openid", "profile", "email", "groups"],
-  "allowed_redirect_uris": [
-    "http://localhost:8250/oidc/callback",
-    "http://127.0.0.1:8250/oidc/callback"
-  ],
-  "bound_claims": {
-    "groups": ["net-kingdom-admins"]
-  },
-  "claim_mappings": {
-    "email": "email",
-    "preferred_username": "username",
-    "groups": "groups"
-  },
-  "policies": ["platform-admin"],
-  "ttl": "1h"
-}
-ROLE_JSON
-bao write auth/keycape/role/platform-admin @/tmp/openbao-platform-admin-role.json
-rm -f /tmp/openbao-platform-admin-role.json /tmp/keycape-auth-enable.out /tmp/keycape-auth-enable.err"""
-    configure_command = (
-        "kubectl exec -it -n openbao openbao-0 -- sh -lc '\n"
-        "  restore_tty() { stty echo 2>/dev/null || true; }\n"
-        "  trap restore_tty EXIT INT TERM\n"
-        "  printf \"OpenBao root/sudo token: \" >&2\n"
-        "  stty -echo\n"
-        "  read -r BAO_TOKEN\n"
-        "  stty echo\n"
-        "  printf \"\\n\" >&2\n"
-        "  export BAO_TOKEN\n"
-        f"{oidc_config_inner}\n"
-        "  unset BAO_TOKEN\n"
-        "'"
-    )
+    configure_command = f"bash {shlex.quote(str(KEYCAPE_OPENBAO_CLIENT_CONFIG.parent / 'configure-openbao-oidc.sh'))}"
    login_command = (
        "# Terminal 1: keep a local OpenBao API port open while testing.\n"
        "kubectl -n openbao port-forward svc/openbao-active 8200:8200\n\n"
@@ -1442,7 +1392,7 @@ rm -f /tmp/openbao-platform-admin-role.json /tmp/keycape-auth-enable.out /tmp/ke
        ),
        action(
            "Configure OpenBao OIDC auth",
-            "Create or update the auth/keycape mount and platform-admin role so KeyCape group claims map to OpenBao platform-admin policy.",
+            "Create or update the auth/keycape mount and platform-admin role so KeyCape group claims map to OpenBao platform-admin policy. The helper uses a non-secret compatibility client-secret value because OpenBao requires the field while the current KeyCape client is public PKCE.",
            auth_state,
            auth_reason,
            configure_command,