Split OpenBao admin identity tasks

This commit is contained in:
2026-05-26 02:13:55 +02:00
parent 9dc7e140b8
commit f3c8d70270
5 changed files with 292 additions and 23 deletions

View File

@@ -101,13 +101,27 @@ kubectl rollout restart deployment/keycape -n sso
## OIDC client registration
Downstream applications are registered in the `clients:` block in
`keycape/create-secrets.sh`. After editing:
`keycape/create-secrets.sh`. The NetKingdom bootstrap console and Railiance
OpenBao admin CLI clients are code-defined there; operators should not create
those clients manually in a separate UI. After changing the block:
```bash
./create-secrets.sh # regenerates keycape-config Secret
kubectl rollout restart deployment/keycape -n sso
```
The `openbao-admin` client is intentionally a public PKCE client for the
current local operator CLI flow. It registers the OpenBao CLI callback URIs:
```text
http://localhost:8250/oidc/callback
http://127.0.0.1:8250/oidc/callback
```
OpenBao browser UI callbacks are not registered yet because Railiance OpenBao
currently has public ingress disabled. Add exact UI callback URIs only after
the OpenBao UI exposure model is explicitly designed.
Example entry (public client, PKCE, for a SPA):
```yaml
clients:
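Review bot: the statement that `openbao-admin` is "intentionally a public PKCE client" is not backed by anything in the entry this section goes on to show; that entry sets only `clientType: "public"` and `grantTypes: ["authorization_code"]`. Add one sentence saying where PKCE is actually enforced (if KeyCape's public-client profile rejects authorization requests without a `code_challenge`, say so here), otherwise a reader can take a plain public client with loopback redirects as acceptable. The same paragraph should also say why both `http://localhost:8250/oidc/callback` and `http://127.0.0.1:8250/oidc/callback` are registered: RFC 8252 section 8.3 recommends the loopback IP literal over the `localhost` name, since `localhost` can be resolved to something other than the loopback interface, so if the OpenBao CLI works with the IP literal alone, register only that one.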

View File

@@ -121,6 +121,14 @@ clients:
allowedScopes: ["openid", "profile", "email", "groups"]
grantTypes: ["authorization_code"]
clientType: "public"
- clientId: "openbao-admin"
displayName: "Railiance OpenBao Admin CLI"
redirectUris:
- "http://localhost:8250/oidc/callback"
- "http://127.0.0.1:8250/oidc/callback"
allowedScopes: ["openid", "profile", "email", "groups"]
grantTypes: ["authorization_code"]
clientType: "public"
EOF
)
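Review bot: because `openbao-admin` is a public client, nothing in this entry can stop any user KeyCape accepts from completing a login against it; put a comment on the entry saying where admin gating happens (on the OpenBao side via the `groups` claim this client requests, or in KeyCape) so that nobody later removes `groups` from `allowedScopes` thinking it is unused. Also, `allowedScopes` and `grantTypes` are copied verbatim from the client above; if the CLI flow needs only `openid` and `groups`, drop `profile` and `email` here rather than granting them by default to an admin-facing client.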

View File

@@ -9,7 +9,7 @@
# 3. At least one non-admin user exists in LLDAP
# 4. Break-glass user exists and is in net-kingdom-admins
# 5. privacyIDEA self-service portal reachable
# 6. KeyCape config has at least one OIDC client registered
# 6. KeyCape config has OIDC clients, including openbao-admin
#
# Usage:
# chmod +x verify-t07.sh
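Review bot: the reworded item 6 understates the check it now describes. The script fails not only when `openbao-admin` is absent but also when its `clientType` is not `public`, when either of the two local CLI redirect URIs is missing, or when any of the four scopes is missing, so say something like "KeyCape config has OIDC clients, and openbao-admin has clientType public, both local CLI redirect URIs and the required scopes", so an operator who reads this header after a FAIL knows which of those to inspect.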
@@ -174,6 +174,39 @@ if [[ -n "$KC_POD" ]]; then
else
warn "No OIDC clients registered — add clients to keycape/create-secrets.sh and re-run it"
fi
OPENBAO_CLIENT_CHECK=$(echo "$CONFIG" | python3 -c '
import sys
import yaml
cfg = yaml.safe_load(sys.stdin.read()) or {}
clients = cfg.get("clients") or []
target = next((client for client in clients if client.get("clientId") == "openbao-admin"), None)
if not target:
print("missing openbao-admin client")
raise SystemExit(2)
required_redirects = {
"http://localhost:8250/oidc/callback",
"http://127.0.0.1:8250/oidc/callback",
}
required_scopes = {"openid", "profile", "email", "groups"}
missing_redirects = sorted(required_redirects - set(target.get("redirectUris") or []))
missing_scopes = sorted(required_scopes - set(target.get("allowedScopes") or []))
if target.get("clientType") != "public":
print("openbao-admin clientType must be public for the current PKCE-only KeyCape profile")
raise SystemExit(3)
if missing_redirects:
print("openbao-admin missing redirect URI(s): " + ", ".join(missing_redirects))
raise SystemExit(4)
if missing_scopes:
print("openbao-admin missing scope(s): " + ", ".join(missing_scopes))
raise SystemExit(5)
print("openbao-admin client has local CLI redirects and required scopes")
' 2>/dev/null || echo "missing or invalid openbao-admin client")
if [[ "$OPENBAO_CLIENT_CHECK" == openbao-admin* ]]; then
pass "$OPENBAO_CLIENT_CHECK"
else
fail "$OPENBAO_CLIENT_CHECK"
fi
else
warn "Skipping client check — KeyCape not reachable in-cluster"
fi
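Review bot: the pass condition `[[ "$OPENBAO_CLIENT_CHECK" == openbao-admin* ]]` reports three of the four failure cases as PASS. The messages "openbao-admin clientType must be public ...", "openbao-admin missing redirect URI(s): ..." and "openbao-admin missing scope(s): ..." all start with `openbao-admin`, and since python prints them to stdout before exiting non-zero they remain in the captured variable; the `|| echo "missing or invalid openbao-admin client"` only appends a second line, which the glob never looks at. Only a missing client or an interpreter crash actually fails. Test the exit status instead: run the python, capture `rc=$?`, and call `pass` or `fail` on `rc -eq 0`; or give the single success line a token that no failure line shares, such as `OK:`, and match on that. Separately, `2>/dev/null` hides an `ImportError` for `yaml` (PyYAML is not in the standard library), which then surfaces as "missing or invalid openbao-admin client" even though the client is fine; keep stderr, or check `python3 -c 'import yaml'` beforehand and warn on a missing module rather than failing the client check.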