generated from coulomb/repo-seed
Split OpenBao admin identity tasks
This commit is contained in:
@@ -101,13 +101,27 @@ kubectl rollout restart deployment/keycape -n sso
|
||||
## OIDC client registration
|
||||
|
||||
Downstream applications are registered in the `clients:` block in
|
||||
`keycape/create-secrets.sh`. After editing:
|
||||
`keycape/create-secrets.sh`. The NetKingdom bootstrap console and Railiance
|
||||
OpenBao admin CLI clients are code-defined there; operators should not create
|
||||
those clients manually in a separate UI. After changing the block:
|
||||
|
||||
```bash
|
||||
./create-secrets.sh # regenerates keycape-config Secret
|
||||
kubectl rollout restart deployment/keycape -n sso
|
||||
```
|
||||
|
||||
The `openbao-admin` client is intentionally a public PKCE client for the
|
||||
current local operator CLI flow. It registers the OpenBao CLI callback URIs:
|
||||
|
||||
```text
|
||||
http://localhost:8250/oidc/callback
|
||||
http://127.0.0.1:8250/oidc/callback
|
||||
```
|
||||
|
||||
OpenBao browser UI callbacks are not registered yet because Railiance OpenBao
|
||||
currently has public ingress disabled. Add exact UI callback URIs only after
|
||||
the OpenBao UI exposure model is explicitly designed.
|
||||
|
||||
Example entry (public client, PKCE, for a SPA):
|
||||
```yaml
|
||||
clients:
|
||||
|
||||
@@ -121,6 +121,14 @@ clients:
|
||||
allowedScopes: ["openid", "profile", "email", "groups"]
|
||||
grantTypes: ["authorization_code"]
|
||||
clientType: "public"
|
||||
- clientId: "openbao-admin"
|
||||
displayName: "Railiance OpenBao Admin CLI"
|
||||
redirectUris:
|
||||
- "http://localhost:8250/oidc/callback"
|
||||
- "http://127.0.0.1:8250/oidc/callback"
|
||||
allowedScopes: ["openid", "profile", "email", "groups"]
|
||||
grantTypes: ["authorization_code"]
|
||||
clientType: "public"
|
||||
EOF
|
||||
)
|
||||
|
||||
|
||||
Reference in New Issue
Block a user