generated from coulomb/repo-seed
feat(keycape): add netkingdom OIDC mount and bao.coulomb.social callbacks
Configure OpenBao auth for both netkingdom and keycape mounts with browser redirect URIs; update verify scripts and runtime architecture notes.
This commit is contained in:
@@ -22,25 +22,12 @@ OPENBAO_POD="${OPENBAO_POD:-openbao-0}"
|
||||
printf "\n" >&2
|
||||
export BAO_TOKEN
|
||||
|
||||
bao auth enable -path=keycape oidc >/tmp/keycape-auth-enable.out 2>/tmp/keycape-auth-enable.err || {
|
||||
if grep -q "path is already in use" /tmp/keycape-auth-enable.err; then
|
||||
printf "auth/keycape already exists\n" >&2
|
||||
else
|
||||
cat /tmp/keycape-auth-enable.err >&2
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
# OpenBao requires oidc_client_secret for OIDC auth config. The current
|
||||
# KeyCape openbao-admin profile is public PKCE and does not validate this
|
||||
# downstream client-secret field, so this compatibility value is not a
|
||||
# protected secret. Replace this with a real managed client secret when
|
||||
# KeyCape supports confidential downstream clients.
|
||||
bao write auth/keycape/config \
|
||||
oidc_discovery_url="https://kc.coulomb.social" \
|
||||
oidc_client_id="openbao-admin" \
|
||||
oidc_client_secret="keycape-public-pkce-compatibility-value" \
|
||||
default_role="platform-admin"
|
||||
OPENBAO_OIDC_MOUNTS="netkingdom keycape"
|
||||
|
||||
# Keep array-valued groups in groups_claim/bound_claims only. OpenBao
|
||||
# claim_mappings copy scalar claim values into metadata and will fail if the
|
||||
@@ -53,7 +40,9 @@ OPENBAO_POD="${OPENBAO_POD:-openbao-0}"
|
||||
"oidc_scopes": ["openid", "profile", "email", "groups"],
|
||||
"allowed_redirect_uris": [
|
||||
"http://localhost:8250/oidc/callback",
|
||||
"http://127.0.0.1:8250/oidc/callback"
|
||||
"http://127.0.0.1:8250/oidc/callback",
|
||||
"https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback",
|
||||
"https://bao.coulomb.social/ui/vault/auth/keycape/oidc/callback"
|
||||
],
|
||||
"bound_claims": {
|
||||
"groups": ["net-kingdom-admins"]
|
||||
@@ -67,7 +56,26 @@ OPENBAO_POD="${OPENBAO_POD:-openbao-0}"
|
||||
}
|
||||
ROLE_JSON
|
||||
|
||||
bao write auth/keycape/role/platform-admin @/tmp/openbao-platform-admin-role.json
|
||||
rm -f /tmp/openbao-platform-admin-role.json /tmp/keycape-auth-enable.out /tmp/keycape-auth-enable.err
|
||||
for mount in $OPENBAO_OIDC_MOUNTS; do
|
||||
bao auth enable -path="$mount" oidc >/tmp/openbao-${mount}-auth-enable.out 2>/tmp/openbao-${mount}-auth-enable.err || {
|
||||
if grep -q "path is already in use" /tmp/openbao-${mount}-auth-enable.err; then
|
||||
printf "auth/%s already exists\n" "$mount" >&2
|
||||
else
|
||||
cat /tmp/openbao-${mount}-auth-enable.err >&2
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
bao write "auth/${mount}/config" \
|
||||
oidc_discovery_url="https://kc.coulomb.social" \
|
||||
oidc_client_id="openbao-admin" \
|
||||
oidc_client_secret="keycape-public-pkce-compatibility-value" \
|
||||
default_role="platform-admin"
|
||||
|
||||
bao write "auth/${mount}/role/platform-admin" @/tmp/openbao-platform-admin-role.json
|
||||
printf "configured auth/%s/role/platform-admin\n" "$mount" >&2
|
||||
done
|
||||
|
||||
rm -f /tmp/openbao-platform-admin-role.json /tmp/openbao-*-auth-enable.out /tmp/openbao-*-auth-enable.err
|
||||
unset BAO_TOKEN
|
||||
'
|
||||
|
||||
Reference in New Issue
Block a user