generated from coulomb/repo-seed
Set listing_visibility=unauth on netkingdom and keycape during OIDC configure so the browser login mask can select KeyCape instead of falling back to token.
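#!/usr/bin/env bash
# Configure Railiance OpenBao to trust KeyCape for platform-admin OIDC login.
#
# Runs a small POSIX sh script inside the OpenBao pod. The OpenBao token is
# prompted inside the pod TTY with echo disabled, handed to `bao` only via the
# BAO_TOKEN environment variable, and is never placed on the local command
# line or stored by this script.
#
# Environment (all optional):
#   KUBECTL            kubectl binary to use (default: kubectl)
#   OPENBAO_NAMESPACE  namespace of the OpenBao pod (default: openbao)
#   OPENBAO_POD        name of the OpenBao pod (default: openbao-0)
#
# Exit status: non-zero if no TTY is available, if the pod-side script fails,
# or if kubectl itself fails.
set -euo pipefail

KUBECTL="${KUBECTL:-kubectl}"
OPENBAO_NAMESPACE="${OPENBAO_NAMESPACE:-openbao}"
OPENBAO_POD="${OPENBAO_POD:-openbao-0}"

# The hidden token prompt needs an interactive stdin; fail early with a clear
# message instead of letting `kubectl exec -t` or `stty -echo` abort later.
if [[ ! -t 0 ]]; then
  printf '%s: an interactive TTY is required for the token prompt\n' "${0##*/}" >&2
  exit 1
fi

# Everything below the `--` runs inside the pod under its own sh. The outer
# string is single-quoted, so nothing in it is expanded on the local side;
# the '"'"' sequence is the only way to get a literal single quote through.
"$KUBECTL" exec -it -n "$OPENBAO_NAMESPACE" "$OPENBAO_POD" -- sh -lc '
set -eu

# Scratch files live in a private mktemp directory instead of fixed /tmp
# paths, and are removed on every exit path (success, error, signal) at the
# same time terminal echo is restored.
workdir=$(mktemp -d)
cleanup() {
  stty echo 2>/dev/null || true
  rm -rf -- "${workdir:?}"
}
trap cleanup EXIT INT TERM

# Read the token with echo disabled; it only ever reaches bao through the
# environment, never through argv.
printf "OpenBao root/sudo token: " >&2
stty -echo
read -r BAO_TOKEN
stty echo
printf "\n" >&2
if [ -z "$BAO_TOKEN" ]; then
  printf "no token entered\n" >&2
  exit 1
fi
export BAO_TOKEN

# Both auth mounts receive the same KeyCape OIDC config and role.
OPENBAO_OIDC_MOUNTS="netkingdom keycape"
role_json="$workdir/platform-admin-role.json"

# Keep array-valued groups in groups_claim/bound_claims only. OpenBao
# claim_mappings copy scalar claim values into metadata and will fail if the
# groups array is mapped there. The heredoc delimiter is quoted so the JSON
# is written verbatim.
cat >"$role_json" <<'"'"'ROLE_JSON'"'"'
{
  "role_type": "oidc",
  "user_claim": "sub",
  "groups_claim": "groups",
  "oidc_scopes": ["openid", "profile", "email", "groups"],
  "allowed_redirect_uris": [
    "http://localhost:8250/oidc/callback",
    "http://127.0.0.1:8250/oidc/callback",
    "https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback",
    "https://bao.coulomb.social/ui/vault/auth/keycape/oidc/callback"
  ],
  "bound_claims": {
    "groups": ["net-kingdom-admins"]
  },
  "claim_mappings": {
    "email": "email",
    "preferred_username": "username"
  },
  "policies": ["platform-admin"],
  "ttl": "1h"
}
ROLE_JSON

for mount in $OPENBAO_OIDC_MOUNTS; do
  enable_out="$workdir/$mount-auth-enable.out"
  enable_err="$workdir/$mount-auth-enable.err"

  # A mount left over from a previous run is fine (the config and role are
  # rewritten below); any other enable failure is fatal.
  if ! bao auth enable -path="$mount" oidc >"$enable_out" 2>"$enable_err"; then
    if grep -q "path is already in use" "$enable_err"; then
      printf "auth/%s already exists\n" "$mount" >&2
    else
      cat "$enable_err" >&2
      exit 1
    fi
  fi

  # OpenBao requires oidc_client_secret for OIDC auth config. The current
  # KeyCape openbao-admin profile is public PKCE and does not validate this
  # downstream client-secret field, so this compatibility value is not a
  # protected secret. Replace this with a real managed client secret when
  # KeyCape supports confidential downstream clients.
  bao write "auth/${mount}/config" \
    oidc_discovery_url="https://kc.coulomb.social" \
    oidc_client_id="openbao-admin" \
    oidc_client_secret="keycape-public-pkce-compatibility-value" \
    default_role="platform-admin"

  bao write "auth/${mount}/role/platform-admin" @"$role_json"

  # listing_visibility=unauth makes this mount selectable on the
  # unauthenticated login UI; it also exposes the mount name and type to
  # anyone who can reach the UI, which is intended for these two mounts.
  bao write "sys/auth/${mount}/tune" listing_visibility=unauth
  printf "configured auth/%s/role/platform-admin and listing_visibility=unauth\n" "$mount" >&2
done

unset BAO_TOKEN
'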