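#!/usr/bin/env bash
# Verify the live KeyCape config carries the OpenBao CLI client and KeyCape is
# serving OIDC discovery after rollout.
#
# Environment (all optional):
#   KEYCAPE_NAMESPACE      namespace holding KeyCape (default: sso)
#   KEYCAPE_CONFIG_SECRET  config Secret handed to the verifier (default: keycape-config)
#   KUBECTL                kubectl binary to use (default: kubectl)
#   KEYCAPE_VERIFY_PORT    local TCP port for the temporary port-forward (default: 18080)
set -euo pipefail

NAMESPACE="${KEYCAPE_NAMESPACE:-sso}"
SECRET="${KEYCAPE_CONFIG_SECRET:-keycape-config}"
KUBECTL="${KUBECTL:-kubectl}"
PORT="${KEYCAPE_VERIFY_PORT:-18080}"
# Directory of this script; the Python verifier (openbao-client-config.py) is
# looked up next to it.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

# The port is spliced into a kubectl argument and into a loopback URL later on;
# reject anything that is not a plain TCP port number before touching the
# cluster. 10# forces decimal so a leading zero is not read as octal.
if [[ ! "$PORT" =~ ^[0-9]+$ ]] || (( 10#$PORT < 1 || 10#$PORT > 65535 )); then
  echo "[FAIL] KEYCAPE_VERIFY_PORT must be a TCP port number (1-65535), got: $PORT" >&2
  exit 1
fi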
"$KUBECTL" get secret "$SECRET" -n "$NAMESPACE" -o json \
|
|
| python3 "$SCRIPT_DIR/openbao-client-config.py" verify
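# Step 2: a Running KeyCape pod must exist before time is spent on the
# port-forward. Select names with [*] rather than [0]: an empty match then
# yields an empty string with exit 0, so the command's stderr does not have to
# be discarded and a kubectl problem (auth, connectivity, missing namespace)
# stays visible to the operator instead of looking like "no pod".
KC_POD=""
if kc_pods=$("$KUBECTL" get pod -n "$NAMESPACE" \
    -l app.kubernetes.io/name=keycape \
    --field-selector=status.phase=Running \
    -o jsonpath='{.items[*].metadata.name}'); then
  # Keep the first name only; pod names are DNS labels and contain no spaces.
  KC_POD="${kc_pods%% *}"
fi

if [[ -z "$KC_POD" ]]; then
  echo "[FAIL] no running KeyCape pod found in namespace $NAMESPACE" >&2
  exit 1
fi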
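# The port-forward's output is captured so a failure can show why the forward
# died. mktemp creates the log atomically under a fresh, unpredictable name;
# a fixed name in a shared TMPDIR could be pre-created or symlinked by another
# local user and would be clobbered by the redirection below. The file is not
# removed on exit, so it remains available after a failure.
PF_LOG="$(mktemp "${TMPDIR:-/tmp}/netkingdom-keycape-openbao-client-port-forward.log.XXXXXX")"

# Listen on loopback only so the temporary local port is not reachable from
# other hosts. The forward targets the Service, not the pod found above.
"$KUBECTL" -n "$NAMESPACE" port-forward --address 127.0.0.1 svc/keycape "$PORT:8080" \
  >"$PF_LOG" 2>&1 &
PF_PID=$!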
#######################################
# Stop the background port-forward and reap it. Both steps tolerate a process
# that has already gone away, so the EXIT trap never turns a passing run into
# a failing one.
# Globals:   PF_PID (read)
# Returns:   always 0
#######################################
cleanup() {
  local pid=$PF_PID
  { kill "$pid" || true; } 2>/dev/null
  { wait "$pid" || true; } 2>/dev/null
}
trap cleanup EXIT
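#######################################
# Probe the OIDC discovery document through the local port-forward.
# Arguments: $1 - local TCP port the forward listens on
# Returns:   0 when the document is fetched within 2s, parses as JSON and
#            carries a non-empty "issuer"; non-zero otherwise. Output is
#            discarded because this runs repeatedly while the forward comes up.
#######################################
probe_discovery() {
  local port=$1
  python3 - "$port" <<'PY' >/dev/null 2>&1
import json
import sys
import urllib.request

port = sys.argv[1]
with urllib.request.urlopen(f"http://127.0.0.1:{port}/.well-known/openid-configuration", timeout=2) as response:
    payload = json.load(response)
if not payload.get("issuer"):
    raise SystemExit("missing issuer")
PY
}

#######################################
# Report a failed verification together with the port-forward log and exit.
# Globals:   PF_LOG (read)
# Arguments: $1 - failure description, printed after the "[FAIL]" marker
# Returns:   does not return; exits 1
#######################################
fail_with_log() {
  printf '[FAIL] %s\n' "$1" >&2
  cat "$PF_LOG" >&2
  exit 1
}

# Step 3: poll until discovery answers. Each attempt spends at most 2s on the
# HTTP request plus 1s of sleep, so the overall budget is bounded by
# max_attempts. The forward goes to the Service, so the pod named in the PASS
# line is the one found earlier, not necessarily the one that answered.
max_attempts=30
for ((attempt = 1; attempt <= max_attempts; attempt++)); do
  if probe_discovery "$PORT"; then
    echo "[PASS] KeyCape discovery endpoint responds via local port-forward to pod $KC_POD"
    exit 0
  fi
  # A forward that has already exited can never answer; stop early and show its log.
  if ! kill -0 "$PF_PID" 2>/dev/null; then
    fail_with_log "KeyCape port-forward exited before discovery responded"
  fi
  sleep 1
done

fail_with_log "KeyCape discovery endpoint did not respond via local port-forward"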