generated from coulomb/repo-seed
openbao and itsec tooling integration
This commit is contained in:
@@ -13,6 +13,33 @@ SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
||||
"$KUBECTL" get secret "$SECRET" -n "$NAMESPACE" -o json \
|
||||
| python3 "$SCRIPT_DIR/openbao-client-config.py" verify
|
||||
|
||||
PUBLIC_URL="${KEYCAPE_PUBLIC_URL:-https://kc.coulomb.social}"
|
||||
PUBLIC_AUTHORIZE_URL="${PUBLIC_URL%/}/authorize"
|
||||
PUBLIC_PROBE_OUTPUT=$(
|
||||
curl -sS -i -G "$PUBLIC_AUTHORIZE_URL" \
|
||||
--data-urlencode "client_id=openbao-admin" \
|
||||
--data-urlencode "redirect_uri=http://localhost:8250/oidc/callback" \
|
||||
--data-urlencode "response_type=code" \
|
||||
--data-urlencode "scope=openid profile email groups" \
|
||||
--data-urlencode "state=netkingdom-openbao-client-probe" \
|
||||
--data-urlencode "code_challenge=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQ" \
|
||||
--data-urlencode "code_challenge_method=S256" \
|
||||
2>&1 || true
|
||||
)
|
||||
|
||||
if grep -q '"unknown client_id"' <<<"$PUBLIC_PROBE_OUTPUT"; then
|
||||
echo "[FAIL] $PUBLIC_AUTHORIZE_URL rejects openbao-admin with unknown client_id" >&2
|
||||
echo " Check DNS for kc.coulomb.social and ensure it reaches the KeyCape ingress that was patched." >&2
|
||||
exit 1
|
||||
fi
|
||||
if ! grep -qE '^HTTP/[0-9.]+ 302 ' <<<"$PUBLIC_PROBE_OUTPUT"; then
|
||||
echo "[FAIL] $PUBLIC_AUTHORIZE_URL did not return the expected OIDC redirect for openbao-admin" >&2
|
||||
echo " First response:" >&2
|
||||
sed -n '1,12p' <<<"$PUBLIC_PROBE_OUTPUT" >&2
|
||||
exit 1
|
||||
fi
|
||||
echo "[PASS] public KeyCape authorize endpoint recognizes openbao-admin"
|
||||
|
||||
KC_POD=$("$KUBECTL" get pod -n "$NAMESPACE" \
|
||||
-l app.kubernetes.io/name=keycape \
|
||||
--field-selector=status.phase=Running \
|
||||
|
||||
Reference in New Issue
Block a user