Files
net-kingdom/sso-mfa/k8s/keycape/configure-openbao-oidc.sh

74 lines
2.4 KiB
Bash

#!/usr/bin/env bash
# Configure Railiance OpenBao to trust KeyCape for platform-admin OIDC login.
# The OpenBao token is prompted inside the pod TTY and is never placed on the
# local command line or stored by this script.
set -euo pipefail
KUBECTL="${KUBECTL:-kubectl}"
OPENBAO_NAMESPACE="${OPENBAO_NAMESPACE:-openbao}"
OPENBAO_POD="${OPENBAO_POD:-openbao-0}"
"$KUBECTL" exec -it -n "$OPENBAO_NAMESPACE" "$OPENBAO_POD" -- sh -lc '
set -eu
restore_tty() { stty echo 2>/dev/null || true; }
trap restore_tty EXIT INT TERM
printf "OpenBao root/sudo token: " >&2
stty -echo
read -r BAO_TOKEN
stty echo
printf "\n" >&2
export BAO_TOKEN
bao auth enable -path=keycape oidc >/tmp/keycape-auth-enable.out 2>/tmp/keycape-auth-enable.err || {
if grep -q "path is already in use" /tmp/keycape-auth-enable.err; then
printf "auth/keycape already exists\n" >&2
else
cat /tmp/keycape-auth-enable.err >&2
exit 1
fi
}
# OpenBao requires oidc_client_secret for OIDC auth config. The current
# KeyCape openbao-admin profile is public PKCE and does not validate this
# downstream client-secret field, so this compatibility value is not a
# protected secret. Replace this with a real managed client secret when
# KeyCape supports confidential downstream clients.
bao write auth/keycape/config \
oidc_discovery_url="https://kc.coulomb.social" \
oidc_client_id="openbao-admin" \
oidc_client_secret="keycape-public-pkce-compatibility-value" \
default_role="platform-admin"
# Keep array-valued groups in groups_claim/bound_claims only. OpenBao
# claim_mappings copy scalar claim values into metadata and will fail if the
# groups array is mapped there.
cat >/tmp/openbao-platform-admin-role.json <<'"'"'ROLE_JSON'"'"'
{
"role_type": "oidc",
"user_claim": "sub",
"groups_claim": "groups",
"oidc_scopes": ["openid", "profile", "email", "groups"],
"allowed_redirect_uris": [
"http://localhost:8250/oidc/callback",
"http://127.0.0.1:8250/oidc/callback"
],
"bound_claims": {
"groups": ["net-kingdom-admins"]
},
"claim_mappings": {
"email": "email",
"preferred_username": "username"
},
"policies": ["platform-admin"],
"ttl": "1h"
}
ROLE_JSON
bao write auth/keycape/role/platform-admin @/tmp/openbao-platform-admin-role.json
rm -f /tmp/openbao-platform-admin-role.json /tmp/keycape-auth-enable.out /tmp/keycape-auth-enable.err
unset BAO_TOKEN
'