generated from coulomb/repo-seed
Split OpenBao admin identity tasks
@@ -101,13 +101,27 @@ kubectl rollout restart deployment/keycape -n sso
|
||||
## OIDC client registration
|
||||
|
||||
Downstream applications are registered in the `clients:` block in
|
||||
`keycape/create-secrets.sh`. After editing:
|
||||
`keycape/create-secrets.sh`. The NetKingdom bootstrap console and Railiance
|
||||
OpenBao admin CLI clients are code-defined there; operators should not create
|
||||
those clients manually in a separate UI. After changing the block:
|
||||
|
||||
```bash
|
||||
./create-secrets.sh # regenerates keycape-config Secret
|
||||
kubectl rollout restart deployment/keycape -n sso
|
||||
```
|
||||
|
||||
The `openbao-admin` client is intentionally a public PKCE client for the
|
||||
current local operator CLI flow. It registers the OpenBao CLI callback URIs:
|
||||
|
||||
```text
|
||||
http://localhost:8250/oidc/callback
|
||||
http://127.0.0.1:8250/oidc/callback
|
||||
```
|
||||
|
||||
OpenBao browser UI callbacks are not registered yet because Railiance OpenBao
|
||||
currently has public ingress disabled. Add exact UI callback URIs only after
|
||||
the OpenBao UI exposure model is explicitly designed.
|
||||
|
||||
Example entry (public client, PKCE, for a SPA):
|
||||
```yaml
|
||||
clients:
|
||||
|
||||
@@ -121,6 +121,14 @@ clients:
|
||||
allowedScopes: ["openid", "profile", "email", "groups"]
|
||||
grantTypes: ["authorization_code"]
|
||||
clientType: "public"
|
||||
- clientId: "openbao-admin"
|
||||
displayName: "Railiance OpenBao Admin CLI"
|
||||
redirectUris:
|
||||
- "http://localhost:8250/oidc/callback"
|
||||
- "http://127.0.0.1:8250/oidc/callback"
|
||||
allowedScopes: ["openid", "profile", "email", "groups"]
|
||||
grantTypes: ["authorization_code"]
|
||||
clientType: "public"
|
||||
EOF
|
||||
)
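Review bot: The new `openbao-admin` entry has no inline note explaining why a public client with plain-`http://` loopback redirects is acceptable, and this heredoc is where the next operator will look before adding a URI; add a comment above `- clientId: "openbao-admin"` such as `# Public client for the local OpenBao CLI only (RFC 8252 loopback redirects); do not add non-loopback or browser-UI callback URIs without a design review.`. Whether PKCE is actually mandatory for this client is not visible in the entry — `clientType: "public"` by itself does not show it — so if the KeyCape client schema has a field that requires PKCE (S256), it belongs on this entry; if enforcement is a server-wide default, state that in the comment so the "PKCE client" claim in the docs is traceable. The `clients:` block and the command substitution that this hunk closes with `EOF` and `)` begin outside the hunk.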
|
||||
|
||||
|
||||
@@ -9,7 +9,7 @@
|
||||
# 3. At least one non-admin user exists in LLDAP
|
||||
# 4. Break-glass user exists and is in net-kingdom-admins
|
||||
# 5. privacyIDEA self-service portal reachable
|
||||
# 6. KeyCape config has at least one OIDC client registered
|
||||
# 6. KeyCape config has OIDC clients, including openbao-admin
|
||||
#
|
||||
# Usage:
|
||||
# chmod +x verify-t07.sh
|
||||
@@ -174,6 +174,39 @@ if [[ -n "$KC_POD" ]]; then
|
||||
else
|
||||
warn "No OIDC clients registered — add clients to keycape/create-secrets.sh and re-run it"
|
||||
fi
|
||||
OPENBAO_CLIENT_CHECK=$(echo "$CONFIG" | python3 -c '
|
||||
import sys
|
||||
import yaml
|
||||
|
||||
cfg = yaml.safe_load(sys.stdin.read()) or {}
|
||||
clients = cfg.get("clients") or []
|
||||
target = next((client for client in clients if client.get("clientId") == "openbao-admin"), None)
|
||||
if not target:
|
||||
print("missing openbao-admin client")
|
||||
raise SystemExit(2)
|
||||
required_redirects = {
|
||||
"http://localhost:8250/oidc/callback",
|
||||
"http://127.0.0.1:8250/oidc/callback",
|
||||
}
|
||||
required_scopes = {"openid", "profile", "email", "groups"}
|
||||
missing_redirects = sorted(required_redirects - set(target.get("redirectUris") or []))
|
||||
missing_scopes = sorted(required_scopes - set(target.get("allowedScopes") or []))
|
||||
if target.get("clientType") != "public":
|
||||
print("openbao-admin clientType must be public for the current PKCE-only KeyCape profile")
|
||||
raise SystemExit(3)
|
||||
if missing_redirects:
|
||||
print("openbao-admin missing redirect URI(s): " + ", ".join(missing_redirects))
|
||||
raise SystemExit(4)
|
||||
if missing_scopes:
|
||||
print("openbao-admin missing scope(s): " + ", ".join(missing_scopes))
|
||||
raise SystemExit(5)
|
||||
print("openbao-admin client has local CLI redirects and required scopes")
|
||||
' 2>/dev/null || echo "missing or invalid openbao-admin client")
|
||||
if [[ "$OPENBAO_CLIENT_CHECK" == openbao-admin* ]]; then
|
||||
pass "$OPENBAO_CLIENT_CHECK"
|
||||
else
|
||||
fail "$OPENBAO_CLIENT_CHECK"
|
||||
fi
|
||||
else
|
||||
warn "Skipping client check — KeyCape not reachable in-cluster"
|
||||
fi
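Review bot: The embedded check only tests that the two loopback callbacks are present, so an extra non-loopback `redirectUris` entry on `openbao-admin` — exactly what the docs say must not be added until the UI exposure model is designed — would still pass as "has local CLI redirects"; add a complementary check that rejects any redirect URI outside `required_redirects`, as sketched below. Separately, `2>/dev/null || echo "missing or invalid openbao-admin client"` hides the real cause of a non-zero exit (a missing PyYAML module reads the same as a missing client), and when the Python prints its own message and exits non-zero, `$OPENBAO_CLIENT_CHECK` ends up holding both lines. Consider capturing stderr and dropping the `|| echo` fallback, or only substituting it when the captured output is empty, so the specific message is the one reported. The `if [[ -n "$KC_POD" ]]` block this hunk sits in starts outside the hunk.
```shell
# … unchanged: yaml load, target lookup, required_redirects / required_scopes …
configured_redirects = set(target.get("redirectUris") or [])
missing_redirects = sorted(required_redirects - configured_redirects)
extra_redirects = sorted(configured_redirects - required_redirects)
missing_scopes = sorted(required_scopes - set(target.get("allowedScopes") or []))
# … unchanged: clientType check …
if missing_redirects:
    print("openbao-admin missing redirect URI(s): " + ", ".join(missing_redirects))
    raise SystemExit(4)
if extra_redirects:
    # Only the two loopback CLI callbacks are sanctioned; anything else needs a design review first.
    print("openbao-admin has unexpected redirect URI(s): " + ", ".join(extra_redirects))
    raise SystemExit(6)
# … unchanged: scope check and success message …
```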
|
||||
|
||||