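#!/usr/bin/env bash
#
# Applies the source-owned OpenBao workload KV read-lane policy by running
# `bao` inside the OpenBao pod through `kubectl exec`.
#
# Environment:
#   OPENBAO_NAMESPACE        namespace of the OpenBao pod (default: openbao)
#   OPENBAO_RELEASE          release name; the target pod is "<release>-0"
#   KUBECTL                  kubectl command; may carry extra arguments
#   OPENBAO_TOKEN_FILE       file whose first line is the operator token
#   WORKLOAD_KV_POLICY_NAME  name of the policy to write
#   WORKLOAD_KV_POLICY_FILE  HCL policy file to upload
#
# Token handling: the operator token is passed to the pod on stdin only, never
# as a command-line argument, and is never written to disk by this script.
set -euo pipefail

OPENBAO_NAMESPACE="${OPENBAO_NAMESPACE:-openbao}"
OPENBAO_RELEASE="${OPENBAO_RELEASE:-openbao}"
KUBECTL="${KUBECTL:-kubectl}"
TOKEN_FILE="${OPENBAO_TOKEN_FILE:-}"
REPO_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
POLICY_NAME="${WORKLOAD_KV_POLICY_NAME:-workload-kv-read-whynot-design-npm-publish}"
POLICY_FILE="${WORKLOAD_KV_POLICY_FILE:-$REPO_DIR/openbao/policies/workload-kv-read-whynot-design-npm-publish.hcl}"
DRY_RUN=0
USE_TOKEN_HELPER=0

# KUBECTL may hold a command plus arguments. Split it once into an array so
# every call site can expand it quoted: words are still split on whitespace,
# but nothing is glob-expanded.
KUBECTL_CMD=()
read -r -a KUBECTL_CMD <<<"$KUBECTL"

#######################################
# Prints the help text to stdout.
#######################################
usage() {
  cat <<'USAGE'
Usage: scripts/openbao-apply-workload-kv-lanes.sh [--dry-run] [--use-token-helper]

Applies source-owned OpenBao workload KV read-lane policies.

Current lane:
  - policy: workload-kv-read-whynot-design-npm-publish
  - path: platform/workloads/whynot-design/whynot-design/npm-publish
  - field: NPM_AUTH_TOKEN

The script reads an OpenBao operator token from OPENBAO_TOKEN_FILE or an
interactive hidden prompt unless --dry-run or --use-token-helper is set. It never
prints or stores the token.

This script intentionally does not create an OIDC role until the whynot-design
KeyCape/NetKingdom bound claim is confirmed.
USAGE
}

while [ "$#" -gt 0 ]; do
  case "$1" in
    --dry-run)
      DRY_RUN=1
      shift
      ;;
    --use-token-helper)
      USE_TOKEN_HELPER=1
      shift
      ;;
    -h|--help)
      usage
      exit 0
      ;;
    *)
      echo "ERROR: unknown argument: $1" >&2
      usage >&2
      exit 2
      ;;
  esac
done

# `bash -x` would echo every expansion of "$token" to stderr, which breaks the
# "never prints the token" guarantee. Turn tracing off before a token is read.
if [[ $- == *x* ]] && [ "$DRY_RUN" -eq 0 ] && [ "$USE_TOKEN_HELPER" -eq 0 ]; then
  echo "WARNING: xtrace disabled so the OpenBao token is not traced" >&2
  set +x
fi

pod="${OPENBAO_RELEASE}-0"

#######################################
# Warns on stderr when the token file is accessible to group or other.
# Advisory only: the run continues, and the check is skipped when the file
# mode cannot be determined.
# Arguments: $1 - path to the token file
#######################################
warn_if_token_file_exposed() {
  local mode
  # GNU stat takes -c, BSD/macOS stat takes -f; -L inspects a symlink's target.
  mode="$(stat -L -c '%a' -- "$1" 2>/dev/null \
    || stat -L -f '%Lp' -- "$1" 2>/dev/null \
    || true)"
  [[ "$mode" =~ ^[0-7]+$ ]] || return 0
  if (( (8#$mode & 8#077) != 0 )); then
    printf 'WARNING: OPENBAO_TOKEN_FILE is accessible to group/other (mode %s): %s\n' \
      "$mode" "$1" >&2
  fi
}

#######################################
# Writes the operator token to stdout, intended to be captured by the caller.
# Prints nothing for --dry-run and --use-token-helper. Otherwise takes the
# first line of OPENBAO_TOKEN_FILE or, when that is unset, a hidden prompt.
# Globals:  DRY_RUN, USE_TOKEN_HELPER, TOKEN_FILE (read)
# Outputs:  token on stdout; prompt, warnings and errors on stderr
# Returns:  exits 1 when OPENBAO_TOKEN_FILE is set but is not a regular file
#######################################
read_token() {
  if [ "$DRY_RUN" -eq 1 ] || [ "$USE_TOKEN_HELPER" -eq 1 ]; then
    return
  fi

  if [ -n "$TOKEN_FILE" ]; then
    if [ ! -f "$TOKEN_FILE" ]; then
      echo "ERROR: OPENBAO_TOKEN_FILE does not exist: $TOKEN_FILE" >&2
      exit 1
    fi
    warn_if_token_file_exposed "$TOKEN_FILE"
    # `--` guards against a path starting with '-'. The carriage return is
    # stripped so a CRLF-terminated token file yields the same token.
    head -n 1 -- "$TOKEN_FILE" | tr -d '\r'
    return
  fi

  local token
  # -s hides the typed token; the newline that follows goes to stderr so the
  # captured stdout holds the token and nothing else.
  read -r -s -p "OpenBao token: " token
  printf '\n' >&2
  printf '%s\n' "$token"
}

#######################################
# Runs `bao <args...>` inside the OpenBao pod.
# Globals:   DRY_RUN, USE_TOKEN_HELPER, KUBECTL_CMD, OPENBAO_NAMESPACE, pod
# Arguments: $1 - operator token (empty for --dry-run / --use-token-helper)
#            $2.. - arguments passed to bao
# Returns:   exit status of the kubectl/bao invocation; 0 for a dry run
#######################################
remote_bao() {
  local token="$1"
  shift

  if [ "$DRY_RUN" -eq 1 ]; then
    printf 'DRY-RUN: bao %s\n' "$*"
    return 0
  fi

  if [ "$USE_TOKEN_HELPER" -eq 1 ]; then
    # No token is supplied here; bao inside the pod is presumably expected to
    # find its own credentials. TODO confirm how the token helper is set up.
    "${KUBECTL_CMD[@]}" exec -i -n "$OPENBAO_NAMESPACE" "$pod" -- bao "$@"
    return
  fi

  # The token travels on stdin: the remote sh reads it into BAO_TOKEN and
  # exports it, so it is not part of any command line.
  printf '%s\n' "$token" \
    | "${KUBECTL_CMD[@]}" exec -i -n "$OPENBAO_NAMESPACE" "$pod" -- \
      sh -c 'read -r BAO_TOKEN; export BAO_TOKEN; exec bao "$@"' sh "$@"
}

#######################################
# Uploads POLICY_FILE to the pod as policy POLICY_NAME.
# Globals:   POLICY_FILE, POLICY_NAME, DRY_RUN, USE_TOKEN_HELPER, KUBECTL_CMD,
#            OPENBAO_NAMESPACE, pod
# Arguments: $1 - operator token (empty for --dry-run / --use-token-helper)
# Returns:   exits 1 when the policy file is missing; otherwise the exit
#            status of the kubectl/bao invocation (0 for a dry run)
#######################################
write_policy() {
  local token="$1"

  # Checked before the dry-run branch, so a dry run also fails on a missing file.
  if [ ! -f "$POLICY_FILE" ]; then
    echo "ERROR: missing policy file: $POLICY_FILE" >&2
    exit 1
  fi

  if [ "$DRY_RUN" -eq 1 ]; then
    printf 'DRY-RUN: bao policy write %s %s\n' "$POLICY_NAME" "$POLICY_FILE"
    return 0
  fi

  if [ "$USE_TOKEN_HELPER" -eq 1 ]; then
    "${KUBECTL_CMD[@]}" exec -i -n "$OPENBAO_NAMESPACE" "$pod" -- \
      bao policy write "$POLICY_NAME" - <"$POLICY_FILE"
    return
  fi

  # stdin carries the token on line 1 followed by the policy body. The remote
  # `read` takes the first line and bao reads the remainder as the policy. The
  # policy name is passed as a positional argument and is never spliced into
  # the sh -c string.
  { printf '%s\n' "$token"; cat -- "$POLICY_FILE"; } \
    | "${KUBECTL_CMD[@]}" exec -i -n "$OPENBAO_NAMESPACE" "$pod" -- \
      sh -c 'read -r BAO_TOKEN; export BAO_TOKEN; bao policy write "$1" -' sh "$POLICY_NAME"
}

# A failure inside read_token surfaces as a non-zero assignment status here,
# which aborts the script under `set -e`.
token="$(read_token)"
if [ "$DRY_RUN" -eq 0 ] && [ "$USE_TOKEN_HELPER" -eq 0 ] && [ -z "$token" ]; then
  echo "ERROR: empty OpenBao token" >&2
  exit 1
fi

# Check status first, write the policy, then read it back.
remote_bao "$token" status
write_policy "$token"
remote_bao "$token" policy read "$POLICY_NAME"

cat <<'NEXT'

Workload KV read-lane policy apply path completed.

Remaining live steps:
1. Confirm the whynot-design KeyCape/NetKingdom bound claim or service account.
2. Create auth/netkingdom/role/whynot-design-workload-kv-read with only the
   workload-kv-read-whynot-design-npm-publish policy.
3. Provision platform/workloads/whynot-design/whynot-design/npm-publish with
   field NPM_AUTH_TOKEN through approved OpenBao/operator custody.
4. Run positive and negative fetch verification without printing the token.
NEXT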