generated from coulomb/repo-seed
Close OpenBao OIDC admin bootstrap path
This commit is contained in:
@@ -12,7 +12,8 @@
|
||||
#
|
||||
# Optional environment:
|
||||
# KUBECTL=/path/to/kubectl
|
||||
# KEYCAPE_PI_REALM=coulomb|netkingdom
|
||||
# KEYCAPE_PI_REALM=coulomb|netkingdom # defaults to coulomb, the live privacyIDEA realm
|
||||
# KEYCAPE_PI_REQUIRE_FOR_ALL=true|false # defaults to true to avoid admin token-list checks
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
@@ -94,49 +95,67 @@ current_config="$(
|
||||
current_realm="$(
|
||||
CONFIG_YAML="$current_config" python3 -c '
|
||||
import os
|
||||
import re
|
||||
import sys
|
||||
|
||||
match = re.search(r"(?m)^ realm:\s*[\"'\'']?([^\"'\'']+)", os.environ["CONFIG_YAML"])
|
||||
print(match.group(1).strip() if match else "")
|
||||
try:
|
||||
import yaml
|
||||
except ImportError:
|
||||
print("PyYAML is required: install python3-yaml", file=sys.stderr)
|
||||
sys.exit(1)
|
||||
|
||||
config = yaml.safe_load(os.environ["CONFIG_YAML"]) or {}
|
||||
privacyidea = config.get("privacyidea") or {}
|
||||
if not isinstance(privacyidea, dict):
|
||||
print("")
|
||||
else:
|
||||
print(str(privacyidea.get("realm") or "").strip())
|
||||
'
|
||||
)"
|
||||
|
||||
selected_realm="${KEYCAPE_PI_REALM:-}"
|
||||
if [[ -z "$selected_realm" && -n "$current_realm" ]]; then
|
||||
selected_realm="$current_realm"
|
||||
fi
|
||||
if [[ -z "$selected_realm" ]]; then
|
||||
selected_realm="coulomb"
|
||||
selected_realm="${KEYCAPE_PI_REALM:-coulomb}"
|
||||
selected_require_for_all="${KEYCAPE_PI_REQUIRE_FOR_ALL:-true}"
|
||||
if [[ -z "${KEYCAPE_PI_REALM:-}" && -n "$current_realm" && "$current_realm" != "$selected_realm" ]]; then
|
||||
echo "[WARN] KeyCape currently points privacyIDEA at realm '$current_realm'; repairing to '$selected_realm'." >&2
|
||||
fi
|
||||
|
||||
if [[ "$selected_realm" != "coulomb" && "$selected_realm" != "netkingdom" ]]; then
|
||||
echo "[FAIL] Refusing unsupported privacyIDEA realm: $selected_realm" >&2
|
||||
exit 1
|
||||
fi
|
||||
if [[ "$selected_require_for_all" != "true" && "$selected_require_for_all" != "false" ]]; then
|
||||
echo "[FAIL] KEYCAPE_PI_REQUIRE_FOR_ALL must be true or false." >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "Selected privacyIDEA realm for KeyCape: $selected_realm"
|
||||
echo "Selected privacyIDEA requireForAll for KeyCape: $selected_require_for_all"
|
||||
|
||||
"$KUBECTL" get secret "$KEYCAPE_SECRET" -n "$SSO_NAMESPACE" \
|
||||
-o jsonpath='{.data.key\.pem}' | base64 -d > "$tmpdir/key.pem"
|
||||
chmod 600 "$tmpdir/key.pem"
|
||||
|
||||
CONFIG_YAML="$current_config" PI_TOKEN="$PI_TOKEN" PI_REALM="$selected_realm" \
|
||||
CONFIG_YAML="$current_config" PI_TOKEN="$PI_TOKEN" PI_REALM="$selected_realm" PI_REQUIRE_FOR_ALL="$selected_require_for_all" \
|
||||
python3 -c '
|
||||
import json
|
||||
import os
|
||||
import re
|
||||
import sys
|
||||
|
||||
config = os.environ["CONFIG_YAML"]
|
||||
token = json.dumps(os.environ["PI_TOKEN"])
|
||||
realm = json.dumps(os.environ["PI_REALM"])
|
||||
|
||||
config, token_count = re.subn(r"(?m)^ adminToken:.*$", " adminToken: " + token, config)
|
||||
config, realm_count = re.subn(r"(?m)^ realm:.*$", " realm: " + realm, config)
|
||||
if token_count != 1 or realm_count != 1:
|
||||
print("Could not patch exactly one adminToken and one realm field.", file=sys.stderr)
|
||||
try:
|
||||
import yaml
|
||||
except ImportError:
|
||||
print("PyYAML is required: install python3-yaml", file=sys.stderr)
|
||||
sys.exit(1)
|
||||
sys.stdout.write(config)
|
||||
|
||||
config = yaml.safe_load(os.environ["CONFIG_YAML"]) or {}
|
||||
if not isinstance(config, dict):
|
||||
print("KeyCape config.yaml must decode to a YAML mapping.", file=sys.stderr)
|
||||
sys.exit(1)
|
||||
privacyidea = config.setdefault("privacyidea", {})
|
||||
if not isinstance(privacyidea, dict):
|
||||
print("KeyCape privacyidea config must decode to a YAML mapping.", file=sys.stderr)
|
||||
sys.exit(1)
|
||||
privacyidea["adminToken"] = os.environ["PI_TOKEN"]
|
||||
privacyidea["realm"] = os.environ["PI_REALM"]
|
||||
privacyidea["requireForAll"] = os.environ["PI_REQUIRE_FOR_ALL"] == "true"
|
||||
sys.stdout.write(yaml.safe_dump(config, sort_keys=False))
|
||||
' > "$tmpdir/config.yaml"
|
||||
|
||||
echo "Applying refreshed KeyCape config Secret ..."
|
||||
|
||||
Reference in New Issue
Block a user