#!/usr/bin/env bash # Configure Railiance OpenBao to trust KeyCape for platform-admin OIDC login. # The OpenBao token is prompted inside the pod TTY and is never placed on the # local command line or stored by this script. set -euo pipefail KUBECTL="${KUBECTL:-kubectl}" OPENBAO_NAMESPACE="${OPENBAO_NAMESPACE:-openbao}" OPENBAO_POD="${OPENBAO_POD:-openbao-0}" "$KUBECTL" exec -it -n "$OPENBAO_NAMESPACE" "$OPENBAO_POD" -- sh -lc ' set -eu restore_tty() { stty echo 2>/dev/null || true; } trap restore_tty EXIT INT TERM printf "OpenBao root/sudo token: " >&2 stty -echo read -r BAO_TOKEN stty echo printf "\n" >&2 export BAO_TOKEN bao auth enable -path=keycape oidc >/tmp/keycape-auth-enable.out 2>/tmp/keycape-auth-enable.err || { if grep -q "path is already in use" /tmp/keycape-auth-enable.err; then printf "auth/keycape already exists\n" >&2 else cat /tmp/keycape-auth-enable.err >&2 exit 1 fi } # OpenBao requires oidc_client_secret for OIDC auth config. The current # KeyCape openbao-admin profile is public PKCE and does not validate this # downstream client-secret field, so this compatibility value is not a # protected secret. Replace this with a real managed client secret when # KeyCape supports confidential downstream clients. bao write auth/keycape/config \ oidc_discovery_url="https://kc.coulomb.social" \ oidc_client_id="openbao-admin" \ oidc_client_secret="keycape-public-pkce-compatibility-value" \ default_role="platform-admin" # Keep array-valued groups in groups_claim/bound_claims only. OpenBao # claim_mappings copy scalar claim values into metadata and will fail if the # groups array is mapped there. cat >/tmp/openbao-platform-admin-role.json <<'"'"'ROLE_JSON'"'"' { "role_type": "oidc", "user_claim": "sub", "groups_claim": "groups", "oidc_scopes": ["openid", "profile", "email", "groups"], "allowed_redirect_uris": [ "http://localhost:8250/oidc/callback", "http://127.0.0.1:8250/oidc/callback" ], "bound_claims": { "groups": ["net-kingdom-admins"] }, "claim_mappings": { "email": "email", "preferred_username": "username" }, "policies": ["platform-admin"], "ttl": "1h" } ROLE_JSON bao write auth/keycape/role/platform-admin @/tmp/openbao-platform-admin-role.json rm -f /tmp/openbao-platform-admin-role.json /tmp/keycape-auth-enable.out /tmp/keycape-auth-enable.err unset BAO_TOKEN '