feat(keycape): add netkingdom OIDC mount and bao.coulomb.social callbacks

Configure OpenBao auth for both netkingdom and keycape mounts with browser
redirect URIs; update verify scripts and runtime architecture notes.
This commit is contained in:
2026-06-18 01:23:02 +02:00
parent 8a05dd0db7
commit efbdab4652
8 changed files with 95 additions and 54 deletions

View File

@@ -22,25 +22,12 @@ OPENBAO_POD="${OPENBAO_POD:-openbao-0}"
printf "\n" >&2
export BAO_TOKEN
bao auth enable -path=keycape oidc >/tmp/keycape-auth-enable.out 2>/tmp/keycape-auth-enable.err || {
if grep -q "path is already in use" /tmp/keycape-auth-enable.err; then
printf "auth/keycape already exists\n" >&2
else
cat /tmp/keycape-auth-enable.err >&2
exit 1
fi
}
# OpenBao requires oidc_client_secret for OIDC auth config. The current
# KeyCape openbao-admin profile is public PKCE and does not validate this
# downstream client-secret field, so this compatibility value is not a
# protected secret. Replace this with a real managed client secret when
# KeyCape supports confidential downstream clients.
bao write auth/keycape/config \
oidc_discovery_url="https://kc.coulomb.social" \
oidc_client_id="openbao-admin" \
oidc_client_secret="keycape-public-pkce-compatibility-value" \
default_role="platform-admin"
OPENBAO_OIDC_MOUNTS="netkingdom keycape"
# Keep array-valued groups in groups_claim/bound_claims only. OpenBao
# claim_mappings copy scalar claim values into metadata and will fail if the
@@ -53,7 +40,9 @@ OPENBAO_POD="${OPENBAO_POD:-openbao-0}"
"oidc_scopes": ["openid", "profile", "email", "groups"],
"allowed_redirect_uris": [
"http://localhost:8250/oidc/callback",
"http://127.0.0.1:8250/oidc/callback"
"http://127.0.0.1:8250/oidc/callback",
"https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback",
"https://bao.coulomb.social/ui/vault/auth/keycape/oidc/callback"
],
"bound_claims": {
"groups": ["net-kingdom-admins"]
@@ -67,7 +56,26 @@ OPENBAO_POD="${OPENBAO_POD:-openbao-0}"
}
ROLE_JSON
bao write auth/keycape/role/platform-admin @/tmp/openbao-platform-admin-role.json
rm -f /tmp/openbao-platform-admin-role.json /tmp/keycape-auth-enable.out /tmp/keycape-auth-enable.err
for mount in $OPENBAO_OIDC_MOUNTS; do
bao auth enable -path="$mount" oidc >/tmp/openbao-${mount}-auth-enable.out 2>/tmp/openbao-${mount}-auth-enable.err || {
if grep -q "path is already in use" /tmp/openbao-${mount}-auth-enable.err; then
printf "auth/%s already exists\n" "$mount" >&2
else
cat /tmp/openbao-${mount}-auth-enable.err >&2
exit 1
fi
}
bao write "auth/${mount}/config" \
oidc_discovery_url="https://kc.coulomb.social" \
oidc_client_id="openbao-admin" \
oidc_client_secret="keycape-public-pkce-compatibility-value" \
default_role="platform-admin"
bao write "auth/${mount}/role/platform-admin" @/tmp/openbao-platform-admin-role.json
printf "configured auth/%s/role/platform-admin\n" "$mount" >&2
done
rm -f /tmp/openbao-platform-admin-role.json /tmp/openbao-*-auth-enable.out /tmp/openbao-*-auth-enable.err
unset BAO_TOKEN
'