net-kingdom/sso-mfa/k8s/keycape/configure-openbao-oidc.sh
tegwick 3875d546bc Expose OIDC auth mounts to unauthenticated OpenBao UI listing
Set listing_visibility=unauth on netkingdom and keycape during OIDC configure
so the browser login mask can select KeyCape instead of falling back to token.
2026-06-19 21:04:31 +02:00


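#!/usr/bin/env bash
# Configure Railiance OpenBao to trust KeyCape for platform-admin OIDC login.
#
# Everything after the kubectl line runs as a shell inside the OpenBao pod,
# not on the local machine. The OpenBao token is prompted inside the pod TTY
# (echo off) and is never placed on the local command line or stored by this
# script; it only exists in the BAO_TOKEN environment variable of that shell.
#
# Environment (all optional):
#   KUBECTL            kubectl binary to use (default: kubectl)
#   OPENBAO_NAMESPACE  namespace of the OpenBao pod (default: openbao)
#   OPENBAO_POD        pod to exec into (default: openbao-0)
#
# The inner script is a single-quoted string, so it must not contain a bare
# single quote; the heredoc delimiter below uses the '"'"' splice for that.
set -euo pipefail

KUBECTL="${KUBECTL:-kubectl}"
OPENBAO_NAMESPACE="${OPENBAO_NAMESPACE:-openbao}"
OPENBAO_POD="${OPENBAO_POD:-openbao-0}"

# -it is required: the token prompt and stty need a real terminal in the pod.
"$KUBECTL" exec -it -n "$OPENBAO_NAMESPACE" "$OPENBAO_POD" -- sh -lc '
set -eu

# Scratch files written inside the pod. They hold no secrets (the token only
# lives in BAO_TOKEN), but they are removed on every exit path, including a
# failed "bao write", so a broken run does not leave them behind.
ROLE_JSON_FILE=/tmp/openbao-platform-admin-role.json
cleanup() {
  stty echo 2>/dev/null || true
  rm -f "$ROLE_JSON_FILE" /tmp/openbao-*-auth-enable.out /tmp/openbao-*-auth-enable.err
  unset BAO_TOKEN
}
trap cleanup EXIT
# Turn an interrupted prompt into a normal exit so the EXIT trap runs cleanup.
trap "exit 1" INT TERM

printf "OpenBao root/sudo token: " >&2
stty -echo
read -r BAO_TOKEN
stty echo
printf "\n" >&2
# An empty token would make every bao call fail with a confusing 403; stop early.
[ -n "$BAO_TOKEN" ] || { printf "no token entered\n" >&2; exit 1; }
# bao reads BAO_TOKEN from the environment; exporting it is what authenticates
# every bao call below.
export BAO_TOKEN

# Auth mount paths to (re)configure; both point at the same KeyCape issuer.
OPENBAO_OIDC_MOUNTS="netkingdom keycape"

# Keep array-valued groups in groups_claim/bound_claims only. OpenBao
# claim_mappings copy scalar claim values into metadata and will fail if the
# groups array is mapped there.
cat >"$ROLE_JSON_FILE" <<'"'"'ROLE_JSON'"'"'
{
  "role_type": "oidc",
  "user_claim": "sub",
  "groups_claim": "groups",
  "oidc_scopes": ["openid", "profile", "email", "groups"],
  "allowed_redirect_uris": [
    "http://localhost:8250/oidc/callback",
    "http://127.0.0.1:8250/oidc/callback",
    "https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback",
    "https://bao.coulomb.social/ui/vault/auth/keycape/oidc/callback"
  ],
  "bound_claims": {
    "groups": ["net-kingdom-admins"]
  },
  "claim_mappings": {
    "email": "email",
    "preferred_username": "username"
  },
  "policies": ["platform-admin"],
  "ttl": "1h"
}
ROLE_JSON

for mount in $OPENBAO_OIDC_MOUNTS; do
  enable_out=/tmp/openbao-${mount}-auth-enable.out
  enable_err=/tmp/openbao-${mount}-auth-enable.err
  # Enabling is idempotent: an existing mount is kept and reconfigured below.
  if ! bao auth enable -path="$mount" oidc >"$enable_out" 2>"$enable_err"; then
    if grep -q "path is already in use" "$enable_err"; then
      printf "auth/%s already exists\n" "$mount" >&2
    else
      cat "$enable_err" >&2
      exit 1
    fi
  fi
  # OpenBao requires oidc_client_secret for OIDC auth config. The current
  # KeyCape openbao-admin profile is public PKCE and does not validate this
  # downstream client-secret field, so this compatibility value is not a
  # protected secret. Replace this with a real managed client secret when
  # KeyCape supports confidential downstream clients.
  bao write "auth/${mount}/config" \
    oidc_discovery_url="https://kc.coulomb.social" \
    oidc_client_id="openbao-admin" \
    oidc_client_secret="keycape-public-pkce-compatibility-value" \
    default_role="platform-admin"
  bao write "auth/${mount}/role/platform-admin" @"$ROLE_JSON_FILE"
  # unauth listing lets the UI login mask offer this mount before any token
  # is presented; it exposes only the mount path and type, not its config.
  bao write "sys/auth/${mount}/tune" listing_visibility=unauth
  printf "configured auth/%s/role/platform-admin and listing_visibility=unauth\n" "$mount" >&2
done
'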