feat(keycape): add netkingdom OIDC mount and bao.coulomb.social callbacks

Configure OpenBao auth for both netkingdom and keycape mounts with browser
redirect URIs; update verify scripts and runtime architecture notes.
This commit is contained in:
2026-06-18 01:23:02 +02:00
parent 8a05dd0db7
commit efbdab4652
8 changed files with 95 additions and 54 deletions

View File

@@ -1,6 +1,6 @@
#!/usr/bin/env bash
# Verify the live KeyCape config carries the OpenBao CLI client and KeyCape is
# serving OIDC discovery after rollout.
# Verify the live KeyCape config carries the OpenBao admin client and KeyCape
# is serving OIDC discovery after rollout.
set -euo pipefail
@@ -15,30 +15,41 @@ SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PUBLIC_URL="${KEYCAPE_PUBLIC_URL:-https://kc.coulomb.social}"
PUBLIC_AUTHORIZE_URL="${PUBLIC_URL%/}/authorize"
PUBLIC_PROBE_OUTPUT=$(
curl -sS -i -G "$PUBLIC_AUTHORIZE_URL" \
--data-urlencode "client_id=openbao-admin" \
--data-urlencode "redirect_uri=http://localhost:8250/oidc/callback" \
--data-urlencode "response_type=code" \
--data-urlencode "scope=openid profile email groups" \
--data-urlencode "state=netkingdom-openbao-client-probe" \
--data-urlencode "code_challenge=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQ" \
--data-urlencode "code_challenge_method=S256" \
2>&1 || true
)
if grep -q '"unknown client_id"' <<<"$PUBLIC_PROBE_OUTPUT"; then
echo "[FAIL] $PUBLIC_AUTHORIZE_URL rejects openbao-admin with unknown client_id" >&2
echo " Check DNS for kc.coulomb.social and ensure it reaches the KeyCape ingress that was patched." >&2
exit 1
fi
if ! grep -qE '^HTTP/[0-9.]+ 302 ' <<<"$PUBLIC_PROBE_OUTPUT"; then
echo "[FAIL] $PUBLIC_AUTHORIZE_URL did not return the expected OIDC redirect for openbao-admin" >&2
echo " First response:" >&2
sed -n '1,12p' <<<"$PUBLIC_PROBE_OUTPUT" >&2
exit 1
fi
echo "[PASS] public KeyCape authorize endpoint recognizes openbao-admin"
probe_redirect() {
local label="$1"
local redirect_uri="$2"
local output
output=$(
curl -sS -i -G "$PUBLIC_AUTHORIZE_URL" \
--data-urlencode "client_id=openbao-admin" \
--data-urlencode "redirect_uri=$redirect_uri" \
--data-urlencode "response_type=code" \
--data-urlencode "scope=openid profile email groups" \
--data-urlencode "state=netkingdom-openbao-client-probe" \
--data-urlencode "code_challenge=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQ" \
--data-urlencode "code_challenge_method=S256" \
2>&1 || true
)
if grep -q '"unknown client_id"' <<<"$output"; then
echo "[FAIL] $PUBLIC_AUTHORIZE_URL rejects openbao-admin with unknown client_id" >&2
echo " Check DNS for kc.coulomb.social and ensure it reaches the KeyCape ingress that was patched." >&2
exit 1
fi
if ! grep -qE '^HTTP/[0-9.]+ 302 ' <<<"$output"; then
echo "[FAIL] $PUBLIC_AUTHORIZE_URL did not accept the $label redirect URI for openbao-admin" >&2
echo " Redirect URI: $redirect_uri" >&2
echo " First response:" >&2
sed -n '1,12p' <<<"$output" >&2
exit 1
fi
echo "[PASS] public KeyCape authorize endpoint accepts $label redirect"
}
probe_redirect "CLI" "http://localhost:8250/oidc/callback"
probe_redirect "browser UI netkingdom mount" "https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback"
probe_redirect "browser UI keycape compatibility mount" "https://bao.coulomb.social/ui/vault/auth/keycape/oidc/callback"
KC_POD=$("$KUBECTL" get pod -n "$NAMESPACE" \
-l app.kubernetes.io/name=keycape \