railiance-platform/scripts/openbao-apply-workload-kv-lanes.sh

#!/usr/bin/env bash
set -euo pipefail

OPENBAO_NAMESPACE="${OPENBAO_NAMESPACE:-openbao}"
OPENBAO_RELEASE="${OPENBAO_RELEASE:-openbao}"
KUBECTL="${KUBECTL:-kubectl}"
TOKEN_FILE="${OPENBAO_TOKEN_FILE:-}"
REPO_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
POLICY_NAME="${WORKLOAD_KV_POLICY_NAME:-workload-kv-read-whynot-design-npm-publish}"
POLICY_FILE="${WORKLOAD_KV_POLICY_FILE:-$REPO_DIR/openbao/policies/workload-kv-read-whynot-design-npm-publish.hcl}"
DRY_RUN=0
USE_TOKEN_HELPER=0

usage() {
  cat <<'USAGE'
Usage: scripts/openbao-apply-workload-kv-lanes.sh [--dry-run] [--use-token-helper]

Applies source-owned OpenBao workload KV read-lane policies.

Current lane:
  - policy: workload-kv-read-whynot-design-npm-publish
  - path:   platform/workloads/coulomb/whynot-design/npm-publish
  - field:  NPM_AUTH_TOKEN

The script reads an OpenBao operator token from OPENBAO_TOKEN_FILE or an
interactive hidden prompt unless --dry-run or --use-token-helper is set. It
never prints or stores the token.

This script intentionally does not create an OIDC role until the whynot-design
KeyCape/NetKingdom bound claim is confirmed.
USAGE
}

while [ "$#" -gt 0 ]; do
  case "$1" in
    --dry-run)
      DRY_RUN=1
      shift
      ;;
    --use-token-helper)
      USE_TOKEN_HELPER=1
      shift
      ;;
    -h|--help)
      usage
      exit 0
      ;;
    *)
      echo "ERROR: unknown argument: $1" >&2
      usage >&2
      exit 2
      ;;
  esac
done

pod="${OPENBAO_RELEASE}-0"

read_token() {
  if [ "$DRY_RUN" -eq 1 ] || [ "$USE_TOKEN_HELPER" -eq 1 ]; then
    return
  fi
  if [ -n "$TOKEN_FILE" ]; then
    if [ ! -f "$TOKEN_FILE" ]; then
      echo "ERROR: OPENBAO_TOKEN_FILE does not exist: $TOKEN_FILE" >&2
      exit 1
    fi
    head -n 1 "$TOKEN_FILE"
    return
  fi

  local token
  read -r -s -p "OpenBao token: " token
  printf '\n' >&2
  printf '%s\n' "$token"
}

remote_bao() {
  local token="$1"
  shift
  if [ "$DRY_RUN" -eq 1 ]; then
    printf 'DRY-RUN: bao %s\n' "$*"
    return 0
  fi
  if [ "$USE_TOKEN_HELPER" -eq 1 ]; then
    # shellcheck disable=SC2086
    $KUBECTL exec -i -n "$OPENBAO_NAMESPACE" "$pod" -- bao "$@"
    return
  fi
  # shellcheck disable=SC2086
  printf '%s\n' "$token" | $KUBECTL exec -i -n "$OPENBAO_NAMESPACE" "$pod" -- \
    sh -c 'read -r BAO_TOKEN; export BAO_TOKEN; exec bao "$@"' sh "$@"
}

write_policy() {
  local token="$1"
  if [ ! -f "$POLICY_FILE" ]; then
    echo "ERROR: missing policy file: $POLICY_FILE" >&2
    exit 1
  fi
  if [ "$DRY_RUN" -eq 1 ]; then
    printf 'DRY-RUN: bao policy write %s %s\n' "$POLICY_NAME" "$POLICY_FILE"
    return 0
  fi
  if [ "$USE_TOKEN_HELPER" -eq 1 ]; then
    # shellcheck disable=SC2086
    cat "$POLICY_FILE" | $KUBECTL exec -i -n "$OPENBAO_NAMESPACE" "$pod" -- \
      bao policy write "$POLICY_NAME" -
    return
  fi
  # shellcheck disable=SC2086
  { printf '%s\n' "$token"; cat "$POLICY_FILE"; } | \
    $KUBECTL exec -i -n "$OPENBAO_NAMESPACE" "$pod" -- \
      sh -c 'read -r BAO_TOKEN; export BAO_TOKEN; bao policy write "$1" -' sh "$POLICY_NAME"
}

token="$(read_token)"
if [ "$DRY_RUN" -eq 0 ] && [ "$USE_TOKEN_HELPER" -eq 0 ] && [ -z "$token" ]; then
  echo "ERROR: empty OpenBao token" >&2
  exit 1
fi

remote_bao "$token" status
write_policy "$token"
remote_bao "$token" policy read "$POLICY_NAME"

cat <<'NEXT'

Workload KV read-lane policy apply path completed.

Remaining live steps:
  1. Confirm the whynot-design KeyCape/NetKingdom bound claim or service account.
  2. Create auth/netkingdom/role/whynot-design-workload-kv-read with only the
     workload-kv-read-whynot-design-npm-publish policy.
  3. Provision platform/workloads/coulomb/whynot-design/npm-publish with
     field NPM_AUTH_TOKEN through approved OpenBao/operator custody.
  4. Run positive and negative fetch verification without printing the token.
NEXT