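#!/usr/bin/env bash
# Verify the live KeyCape config carries the OpenBao CLI client and KeyCape is
# serving OIDC discovery after rollout.
#
# Checks, in order (the first failure exits 1):
#   1. The KeyCape config secret is pulled from the cluster and handed on stdin
#      to openbao-client-config.py (next to this script) in "verify" mode.
#   2. One unauthenticated /authorize request for the openbao-admin client is
#      sent to the public KeyCape URL and must answer with the OIDC redirect
#      (302). The redirect is not followed, so the probe never obtains a code
#      or token.
#   3. The in-cluster keycape service is port-forwarded to loopback and the
#      OIDC discovery document is polled until it carries an "issuer".
#
# Environment (all optional):
#   KEYCAPE_NAMESPACE      namespace holding secret, pod and service (default: sso)
#   KEYCAPE_CONFIG_SECRET  name of the config secret (default: keycape-config)
#   KUBECTL                kubectl binary; a single path, not a command line
#   KEYCAPE_VERIFY_PORT    local port for the port-forward (default: 18080)
#   KEYCAPE_PUBLIC_URL     public KeyCape base URL (default: https://kc.coulomb.social)
#   TMPDIR                 directory for the port-forward log (default: /tmp)
set -euo pipefail

NAMESPACE="${KEYCAPE_NAMESPACE:-sso}"
SECRET="${KEYCAPE_CONFIG_SECRET:-keycape-config}"
KUBECTL="${KUBECTL:-kubectl}"
PORT="${KEYCAPE_VERIFY_PORT:-18080}"
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

# --- 1. config secret carries the OpenBao client -----------------------------
# The secret JSON (credential material) is streamed to the verifier on stdin and
# is neither written to disk nor echoed. pipefail makes a failing kubectl abort
# the script instead of feeding an empty document to the verifier.
"$KUBECTL" get secret "$SECRET" -n "$NAMESPACE" -o json \
  | python3 "$SCRIPT_DIR/openbao-client-config.py" verify

# --- 2. public authorize endpoint knows the client ---------------------------
PUBLIC_URL="${KEYCAPE_PUBLIC_URL:-https://kc.coulomb.social}"
PUBLIC_AUTHORIZE_URL="${PUBLIC_URL%/}/authorize"

# Parameters mirror what the OpenBao CLI sends (loopback redirect_uri on port
# 8250, S256 PKCE). The code_challenge is a fixed 43-character placeholder and
# the state is a recognisable marker; both are harmless because the 302 is never
# followed. TLS is verified (no -k). --max-time bounds the probe so a
# black-holed DNS name or stalled TLS handshake cannot hang the rollout check;
# a curl failure is kept in the captured output and reported below rather
# than aborting under set -e.
PUBLIC_PROBE_OUTPUT=$(
  curl -sS -i -G --max-time 20 "$PUBLIC_AUTHORIZE_URL" \
    --data-urlencode "client_id=openbao-admin" \
    --data-urlencode "redirect_uri=http://localhost:8250/oidc/callback" \
    --data-urlencode "response_type=code" \
    --data-urlencode "scope=openid profile email groups" \
    --data-urlencode "state=netkingdom-openbao-client-probe" \
    --data-urlencode "code_challenge=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQ" \
    --data-urlencode "code_challenge_method=S256" \
    2>&1 || true
)

# An explicit "unknown client_id" in the body means we reached *a* KeyCape, but
# not one that has the patched config -- usually DNS pointing at the wrong ingress.
if grep -q '"unknown client_id"' <<<"$PUBLIC_PROBE_OUTPUT"; then
  echo "[FAIL] $PUBLIC_AUTHORIZE_URL rejects openbao-admin with unknown client_id" >&2
  echo "       Check DNS for kc.coulomb.social and ensure it reaches the KeyCape ingress that was patched." >&2
  exit 1
fi

# Anything other than a 302 status line (HTTP/1.1 or HTTP/2) is a failure; the
# first lines of the response (or curl's error text) are shown for diagnosis.
if ! grep -qE '^HTTP/[0-9.]+ 302 ' <<<"$PUBLIC_PROBE_OUTPUT"; then
  echo "[FAIL] $PUBLIC_AUTHORIZE_URL did not return the expected OIDC redirect for openbao-admin" >&2
  echo "       First response:" >&2
  sed -n '1,12p' <<<"$PUBLIC_PROBE_OUTPUT" >&2
  exit 1
fi
echo "[PASS] public KeyCape authorize endpoint recognizes openbao-admin"

# --- 3. in-cluster discovery document ----------------------------------------
# jsonpath indexing fails (non-zero, noisy) when no pod matches; that case is
# turned into an empty KC_POD and reported below.
KC_POD=$("$KUBECTL" get pod -n "$NAMESPACE" \
  -l app.kubernetes.io/name=keycape \
  --field-selector=status.phase=Running \
  -o jsonpath='{.items[0].metadata.name}' 2>/dev/null || true)
if [[ -z "$KC_POD" ]]; then
  echo "[FAIL] no running KeyCape pod found in namespace $NAMESPACE" >&2
  exit 1
fi

# The port-forward log lives in a mktemp-created file rather than a fixed,
# predictable name under a shared /tmp (a pre-planted symlink there would let
# another local user redirect what we write). It is removed by cleanup on
# every exit path, after the failure branches have dumped it.
PF_LOG="$(mktemp "${TMPDIR:-/tmp}/netkingdom-keycape-openbao-client-port-forward.XXXXXX")"

# Install the trap before the forwarder is started so an interrupt between the
# two cannot leave it running; PF_PID is empty until then.
PF_PID=""
cleanup() {
  if [[ -n "$PF_PID" ]]; then
    kill "$PF_PID" 2>/dev/null || true
    wait "$PF_PID" 2>/dev/null || true
  fi
  rm -f -- "$PF_LOG"
}
trap cleanup EXIT

# Bind the forwarded service port to loopback only so nothing else on this host's
# network can reach the in-cluster service through us.
"$KUBECTL" -n "$NAMESPACE" port-forward --address 127.0.0.1 svc/keycape "$PORT:8080" \
  >"$PF_LOG" 2>&1 &
PF_PID=$!

# Poll discovery for up to ~30 s. The document must parse as JSON and carry a
# non-empty "issuer".
# NOTE(review): the issuer value is not compared with KEYCAPE_PUBLIC_URL here; a
# discovery issuer that differs from the URL OpenBao is configured with would
# only surface at first login -- consider asserting equality once the expected
# value is pinned.
for ((attempt = 1; attempt <= 30; attempt++)); do
  if python3 - "$PORT" <<'PY' >/dev/null 2>&1
import json
import sys
import urllib.request

port = sys.argv[1]
with urllib.request.urlopen(f"http://127.0.0.1:{port}/.well-known/openid-configuration", timeout=2) as response:
    payload = json.load(response)
if not payload.get("issuer"):
    raise SystemExit("missing issuer")
PY
  then
    echo "[PASS] KeyCape discovery endpoint responds via local port-forward to pod $KC_POD"
    exit 0
  fi
  # A dead forwarder will never answer; surface its log immediately instead of
  # burning the remaining attempts.
  if ! kill -0 "$PF_PID" 2>/dev/null; then
    echo "[FAIL] KeyCape port-forward exited before discovery responded" >&2
    cat "$PF_LOG" >&2
    exit 1
  fi
  sleep 1
done

echo "[FAIL] KeyCape discovery endpoint did not respond via local port-forward" >&2
cat "$PF_LOG" >&2
exit 1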