generated from coulomb/repo-seed
feat(keycape): add netkingdom OIDC mount and bao.coulomb.social callbacks
Configure OpenBao auth for both netkingdom and keycape mounts with browser redirect URIs; update verify scripts and runtime architecture notes.
This commit is contained in:
@@ -1,6 +1,6 @@
|
||||
#!/usr/bin/env bash
|
||||
# Verify the live KeyCape config carries the OpenBao CLI client and KeyCape is
|
||||
# serving OIDC discovery after rollout.
|
||||
# Verify the live KeyCape config carries the OpenBao admin client and KeyCape
|
||||
# is serving OIDC discovery after rollout.
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
@@ -15,30 +15,41 @@ SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
||||
|
||||
PUBLIC_URL="${KEYCAPE_PUBLIC_URL:-https://kc.coulomb.social}"
|
||||
PUBLIC_AUTHORIZE_URL="${PUBLIC_URL%/}/authorize"
|
||||
PUBLIC_PROBE_OUTPUT=$(
|
||||
curl -sS -i -G "$PUBLIC_AUTHORIZE_URL" \
|
||||
--data-urlencode "client_id=openbao-admin" \
|
||||
--data-urlencode "redirect_uri=http://localhost:8250/oidc/callback" \
|
||||
--data-urlencode "response_type=code" \
|
||||
--data-urlencode "scope=openid profile email groups" \
|
||||
--data-urlencode "state=netkingdom-openbao-client-probe" \
|
||||
--data-urlencode "code_challenge=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQ" \
|
||||
--data-urlencode "code_challenge_method=S256" \
|
||||
2>&1 || true
|
||||
)
|
||||
|
||||
if grep -q '"unknown client_id"' <<<"$PUBLIC_PROBE_OUTPUT"; then
|
||||
echo "[FAIL] $PUBLIC_AUTHORIZE_URL rejects openbao-admin with unknown client_id" >&2
|
||||
echo " Check DNS for kc.coulomb.social and ensure it reaches the KeyCape ingress that was patched." >&2
|
||||
exit 1
|
||||
fi
|
||||
if ! grep -qE '^HTTP/[0-9.]+ 302 ' <<<"$PUBLIC_PROBE_OUTPUT"; then
|
||||
echo "[FAIL] $PUBLIC_AUTHORIZE_URL did not return the expected OIDC redirect for openbao-admin" >&2
|
||||
echo " First response:" >&2
|
||||
sed -n '1,12p' <<<"$PUBLIC_PROBE_OUTPUT" >&2
|
||||
exit 1
|
||||
fi
|
||||
echo "[PASS] public KeyCape authorize endpoint recognizes openbao-admin"
|
||||
probe_redirect() {
|
||||
local label="$1"
|
||||
local redirect_uri="$2"
|
||||
local output
|
||||
output=$(
|
||||
curl -sS -i -G "$PUBLIC_AUTHORIZE_URL" \
|
||||
--data-urlencode "client_id=openbao-admin" \
|
||||
--data-urlencode "redirect_uri=$redirect_uri" \
|
||||
--data-urlencode "response_type=code" \
|
||||
--data-urlencode "scope=openid profile email groups" \
|
||||
--data-urlencode "state=netkingdom-openbao-client-probe" \
|
||||
--data-urlencode "code_challenge=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQ" \
|
||||
--data-urlencode "code_challenge_method=S256" \
|
||||
2>&1 || true
|
||||
)
|
||||
|
||||
if grep -q '"unknown client_id"' <<<"$output"; then
|
||||
echo "[FAIL] $PUBLIC_AUTHORIZE_URL rejects openbao-admin with unknown client_id" >&2
|
||||
echo " Check DNS for kc.coulomb.social and ensure it reaches the KeyCape ingress that was patched." >&2
|
||||
exit 1
|
||||
fi
|
||||
if ! grep -qE '^HTTP/[0-9.]+ 302 ' <<<"$output"; then
|
||||
echo "[FAIL] $PUBLIC_AUTHORIZE_URL did not accept the $label redirect URI for openbao-admin" >&2
|
||||
echo " Redirect URI: $redirect_uri" >&2
|
||||
echo " First response:" >&2
|
||||
sed -n '1,12p' <<<"$output" >&2
|
||||
exit 1
|
||||
fi
|
||||
echo "[PASS] public KeyCape authorize endpoint accepts $label redirect"
|
||||
}
|
||||
|
||||
probe_redirect "CLI" "http://localhost:8250/oidc/callback"
|
||||
probe_redirect "browser UI netkingdom mount" "https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback"
|
||||
probe_redirect "browser UI keycape compatibility mount" "https://bao.coulomb.social/ui/vault/auth/keycape/oidc/callback"
|
||||
|
||||
KC_POD=$("$KUBECTL" get pod -n "$NAMESPACE" \
|
||||
-l app.kubernetes.io/name=keycape \
|
||||
|
||||
Reference in New Issue
Block a user