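#!/usr/bin/env bash
# Configure Railiance OpenBao to trust KeyCape for platform-admin OIDC login.
#
# The OpenBao token is prompted inside the pod TTY and is never placed on the
# local command line or stored by this script.
#
# Runs from a workstation with cluster access and needs an interactive
# terminal (kubectl exec -it). Environment overrides:
#   KUBECTL            kubectl binary to use        (default: kubectl)
#   OPENBAO_NAMESPACE  namespace of the OpenBao pod (default: openbao)
#   OPENBAO_POD        pod to exec into             (default: openbao-0)
set -euo pipefail

KUBECTL="${KUBECTL:-kubectl}"
OPENBAO_NAMESPACE="${OPENBAO_NAMESPACE:-openbao}"
OPENBAO_POD="${OPENBAO_POD:-openbao-0}"

# Fail early with a clear message rather than a bare "command not found"
# once kubectl is actually invoked.
command -v "$KUBECTL" >/dev/null 2>&1 || {
  printf 'kubectl binary not found: %s\n' "$KUBECTL" >&2
  exit 1
}

# Everything below runs inside the pod. The script body is one single-quoted
# string, so nothing in it is expanded locally; the only single quotes inside
# it are spelled '"'"' to produce the literal heredoc delimiter.
"$KUBECTL" exec -it -n "$OPENBAO_NAMESPACE" "$OPENBAO_POD" -- sh -lc '
set -eu

# Private scratch directory instead of fixed names under /tmp, so the role
# JSON and captured bao output cannot collide with, or be pre-planted by,
# anything else sharing /tmp. Assumes mktemp exists in the image (both
# busybox and coreutils provide it).
workdir=$(mktemp -d) || exit 1

# Runs on every exit path: re-enable terminal echo (the token prompt turns it
# off) and remove the scratch files even when a bao command failed midway.
cleanup() {
  stty echo 2>/dev/null || true
  rm -rf -- "${workdir:?}"
}
trap cleanup EXIT INT TERM

printf "OpenBao root/sudo token: " >&2
stty -echo
read -r BAO_TOKEN
stty echo
printf "\n" >&2
# An empty token would only surface later as a confusing permission error
# from the first bao write.
if [ -z "$BAO_TOKEN" ]; then
  printf "no token entered\n" >&2
  exit 1
fi
# bao reads the token from the environment; it is never passed as an argument.
export BAO_TOKEN

# Enabling the mount is treated as idempotent: an existing auth/keycape mount
# is reported and skipped, any other failure is fatal.
bao auth enable -path=keycape oidc >"$workdir/auth-enable.out" 2>"$workdir/auth-enable.err" || {
  if grep -q "path is already in use" "$workdir/auth-enable.err"; then
    printf "auth/keycape already exists\n" >&2
  else
    cat "$workdir/auth-enable.err" >&2
    exit 1
  fi
}

# OpenBao requires oidc_client_secret for OIDC auth config. The current
# KeyCape openbao-admin profile is public PKCE and does not validate this
# downstream client-secret field, so this compatibility value is not a
# protected secret. Replace this with a real managed client secret when
# KeyCape supports confidential downstream clients.
bao write auth/keycape/config \
  oidc_discovery_url="https://kc.coulomb.social" \
  oidc_client_id="openbao-admin" \
  oidc_client_secret="keycape-public-pkce-compatibility-value" \
  default_role="platform-admin"

# Keep array-valued groups in groups_claim/bound_claims only. OpenBao
# claim_mappings copy scalar claim values into metadata and will fail if the
# groups array is mapped there.
# The role binds login to the net-kingdom-admins group, limits redirects to
# loopback callbacks on port 8250, and issues 1h tokens with the
# platform-admin policy.
cat >"$workdir/platform-admin-role.json" <<'"'"'ROLE_JSON'"'"'
{
  "role_type": "oidc",
  "user_claim": "sub",
  "groups_claim": "groups",
  "oidc_scopes": ["openid", "profile", "email", "groups"],
  "allowed_redirect_uris": [
    "http://localhost:8250/oidc/callback",
    "http://127.0.0.1:8250/oidc/callback"
  ],
  "bound_claims": {
    "groups": ["net-kingdom-admins"]
  },
  "claim_mappings": {
    "email": "email",
    "preferred_username": "username"
  },
  "policies": ["platform-admin"],
  "ttl": "1h"
}
ROLE_JSON

bao write auth/keycape/role/platform-admin @"$workdir/platform-admin-role.json"

# Scratch files are removed by the EXIT trap.
unset BAO_TOKEN
'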