generated from coulomb/repo-seed
93 lines
3.0 KiB
Bash
Executable File
93 lines
3.0 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# Verify the live KeyCape config carries the OpenBao CLI client and KeyCape is
|
|
# serving OIDC discovery after rollout.
|
|
|
|
set -euo pipefail
|
|
|
|
NAMESPACE="${KEYCAPE_NAMESPACE:-sso}"
|
|
SECRET="${KEYCAPE_CONFIG_SECRET:-keycape-config}"
|
|
KUBECTL="${KUBECTL:-kubectl}"
|
|
PORT="${KEYCAPE_VERIFY_PORT:-18080}"
|
|
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
|
|
|
"$KUBECTL" get secret "$SECRET" -n "$NAMESPACE" -o json \
|
|
| python3 "$SCRIPT_DIR/openbao-client-config.py" verify
|
|
|
|
PUBLIC_URL="${KEYCAPE_PUBLIC_URL:-https://kc.coulomb.social}"
|
|
PUBLIC_AUTHORIZE_URL="${PUBLIC_URL%/}/authorize"
|
|
PUBLIC_PROBE_OUTPUT=$(
|
|
curl -sS -i -G "$PUBLIC_AUTHORIZE_URL" \
|
|
--data-urlencode "client_id=openbao-admin" \
|
|
--data-urlencode "redirect_uri=http://localhost:8250/oidc/callback" \
|
|
--data-urlencode "response_type=code" \
|
|
--data-urlencode "scope=openid profile email groups" \
|
|
--data-urlencode "state=netkingdom-openbao-client-probe" \
|
|
--data-urlencode "code_challenge=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQ" \
|
|
--data-urlencode "code_challenge_method=S256" \
|
|
2>&1 || true
|
|
)
|
|
|
|
if grep -q '"unknown client_id"' <<<"$PUBLIC_PROBE_OUTPUT"; then
|
|
echo "[FAIL] $PUBLIC_AUTHORIZE_URL rejects openbao-admin with unknown client_id" >&2
|
|
echo " Check DNS for kc.coulomb.social and ensure it reaches the KeyCape ingress that was patched." >&2
|
|
exit 1
|
|
fi
|
|
if ! grep -qE '^HTTP/[0-9.]+ 302 ' <<<"$PUBLIC_PROBE_OUTPUT"; then
|
|
echo "[FAIL] $PUBLIC_AUTHORIZE_URL did not return the expected OIDC redirect for openbao-admin" >&2
|
|
echo " First response:" >&2
|
|
sed -n '1,12p' <<<"$PUBLIC_PROBE_OUTPUT" >&2
|
|
exit 1
|
|
fi
|
|
echo "[PASS] public KeyCape authorize endpoint recognizes openbao-admin"
|
|
|
|
KC_POD=$("$KUBECTL" get pod -n "$NAMESPACE" \
|
|
-l app.kubernetes.io/name=keycape \
|
|
--field-selector=status.phase=Running \
|
|
-o jsonpath='{.items[0].metadata.name}' 2>/dev/null || true)
|
|
|
|
if [[ -z "$KC_POD" ]]; then
|
|
echo "[FAIL] no running KeyCape pod found in namespace $NAMESPACE" >&2
|
|
exit 1
|
|
fi
|
|
|
|
PF_LOG="${TMPDIR:-/tmp}/netkingdom-keycape-openbao-client-port-forward.log"
|
|
rm -f "$PF_LOG"
|
|
|
|
"$KUBECTL" -n "$NAMESPACE" port-forward --address 127.0.0.1 svc/keycape "$PORT:8080" \
|
|
>"$PF_LOG" 2>&1 &
|
|
PF_PID=$!
|
|
|
|
cleanup() {
|
|
kill "$PF_PID" 2>/dev/null || true
|
|
wait "$PF_PID" 2>/dev/null || true
|
|
}
|
|
trap cleanup EXIT
|
|
|
|
for _ in $(seq 1 30); do
|
|
if python3 - "$PORT" <<'PY' >/dev/null 2>&1
|
|
import json
|
|
import sys
|
|
import urllib.request
|
|
|
|
port = sys.argv[1]
|
|
with urllib.request.urlopen(f"http://127.0.0.1:{port}/.well-known/openid-configuration", timeout=2) as response:
|
|
payload = json.load(response)
|
|
if not payload.get("issuer"):
|
|
raise SystemExit("missing issuer")
|
|
PY
|
|
then
|
|
echo "[PASS] KeyCape discovery endpoint responds via local port-forward to pod $KC_POD"
|
|
exit 0
|
|
fi
|
|
if ! kill -0 "$PF_PID" 2>/dev/null; then
|
|
echo "[FAIL] KeyCape port-forward exited before discovery responded" >&2
|
|
cat "$PF_LOG" >&2
|
|
exit 1
|
|
fi
|
|
sleep 1
|
|
done
|
|
|
|
echo "[FAIL] KeyCape discovery endpoint did not respond via local port-forward" >&2
|
|
cat "$PF_LOG" >&2
|
|
exit 1
|