diff --git a/services/keycloak/kustomization.yaml b/services/keycloak/kustomization.yaml index 5222ee1..38da8bf 100644 --- a/services/keycloak/kustomization.yaml +++ b/services/keycloak/kustomization.yaml @@ -20,6 +20,7 @@ resources: - synapse-oidc-secret-ensure-job.yaml - logs-oidc-secret-ensure-job.yaml - harbor-oidc-secret-ensure-job.yaml + - vault-oidc-secret-ensure-job.yaml - service.yaml - ingress.yaml generatorOptions: @@ -35,3 +36,6 @@ configMapGenerator: - name: harbor-oidc-secret-ensure-script files: - harbor_oidc_secret_ensure.sh=scripts/harbor_oidc_secret_ensure.sh + - name: vault-oidc-secret-ensure-script + files: + - vault_oidc_secret_ensure.sh=scripts/vault_oidc_secret_ensure.sh diff --git a/services/keycloak/scripts/vault_oidc_secret_ensure.sh b/services/keycloak/scripts/vault_oidc_secret_ensure.sh new file mode 100755 index 0000000..f7b3261 --- /dev/null +++ b/services/keycloak/scripts/vault_oidc_secret_ensure.sh @@ -0,0 +1,103 @@ +#!/usr/bin/env sh +set -euo pipefail + +apk add --no-cache curl jq kubectl >/dev/null + +KC_URL="http://keycloak.sso.svc.cluster.local" +ACCESS_TOKEN="" +for attempt in 1 2 3 4 5; do + TOKEN_JSON="$(curl -sS -X POST "$KC_URL/realms/master/protocol/openid-connect/token" \ + -H 'Content-Type: application/x-www-form-urlencoded' \ + -d "grant_type=password" \ + -d "client_id=admin-cli" \ + -d "username=${KEYCLOAK_ADMIN}" \ + -d "password=${KEYCLOAK_ADMIN_PASSWORD}" || true)" + ACCESS_TOKEN="$(echo "$TOKEN_JSON" | jq -r '.access_token' 2>/dev/null || true)" + if [ -n "$ACCESS_TOKEN" ] && [ "$ACCESS_TOKEN" != "null" ]; then + break + fi + echo "Keycloak token request failed (attempt ${attempt})" >&2 + sleep $((attempt * 2)) +done +if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then + echo "Failed to fetch Keycloak admin token" >&2 + exit 1 +fi + +CLIENT_QUERY="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \ + "$KC_URL/admin/realms/atlas/clients?clientId=vault-oidc" || true)" +CLIENT_ID="$(echo "$CLIENT_QUERY" | jq -r '.[0].id' 2>/dev/null || true)" + +if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then + create_payload='{"clientId":"vault-oidc","enabled":true,"protocol":"openid-connect","publicClient":false,"standardFlowEnabled":true,"implicitFlowEnabled":false,"directAccessGrantsEnabled":false,"serviceAccountsEnabled":false,"redirectUris":["https://secret.bstein.dev/ui/vault/auth/oidc/oidc/callback","http://localhost:8250/oidc/callback"],"webOrigins":["https://secret.bstein.dev"],"rootUrl":"https://secret.bstein.dev","baseUrl":"/"}' + status="$(curl -sS -o /dev/null -w "%{http_code}" -X POST \ + -H "Authorization: Bearer ${ACCESS_TOKEN}" \ + -H 'Content-Type: application/json' \ + -d "${create_payload}" \ + "$KC_URL/admin/realms/atlas/clients")" + if [ "$status" != "201" ] && [ "$status" != "204" ]; then + echo "Keycloak client create failed (status ${status})" >&2 + exit 1 + fi + CLIENT_QUERY="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \ + "$KC_URL/admin/realms/atlas/clients?clientId=vault-oidc" || true)" + CLIENT_ID="$(echo "$CLIENT_QUERY" | jq -r '.[0].id' 2>/dev/null || true)" +fi + +if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then + echo "Keycloak client vault-oidc not found" >&2 + exit 1 +fi + +SCOPE_ID="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \ + "$KC_URL/admin/realms/atlas/client-scopes?search=groups" | jq -r '.[] | select(.name=="groups") | .id' 2>/dev/null | head -n1 || true)" +if [ -z "$SCOPE_ID" ] || [ "$SCOPE_ID" = "null" ]; then + echo "Keycloak client scope groups not found" >&2 + exit 1 +fi + +DEFAULT_SCOPES="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \ + "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/default-client-scopes" || true)" +OPTIONAL_SCOPES="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \ + "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes" || true)" + +if ! echo "$DEFAULT_SCOPES" | jq -e '.[] | select(.name=="groups")' >/dev/null 2>&1 \ + && ! echo "$OPTIONAL_SCOPES" | jq -e '.[] | select(.name=="groups")' >/dev/null 2>&1; then + status="$(curl -sS -o /dev/null -w "%{http_code}" -X PUT \ + -H "Authorization: Bearer ${ACCESS_TOKEN}" \ + "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes/${SCOPE_ID}")" + if [ "$status" != "200" ] && [ "$status" != "201" ] && [ "$status" != "204" ]; then + status="$(curl -sS -o /dev/null -w "%{http_code}" -X POST \ + -H "Authorization: Bearer ${ACCESS_TOKEN}" \ + "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes/${SCOPE_ID}")" + if [ "$status" != "200" ] && [ "$status" != "201" ] && [ "$status" != "204" ]; then + echo "Failed to attach groups client scope to vault-oidc (status ${status})" >&2 + exit 1 + fi + fi +fi + +CLIENT_SECRET="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \ + "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/client-secret" | jq -r '.value' 2>/dev/null || true)" +if [ -z "$CLIENT_SECRET" ] || [ "$CLIENT_SECRET" = "null" ]; then + echo "Keycloak client secret not found" >&2 + exit 1 +fi + +kubectl -n vault create secret generic vault-oidc-config \ + --from-literal=discovery_url="https://sso.bstein.dev/realms/atlas" \ + --from-literal=client_id="vault-oidc" \ + --from-literal=client_secret="${CLIENT_SECRET}" \ + --from-literal=default_role="admin" \ + --from-literal=scopes="openid profile email groups" \ + --from-literal=user_claim="preferred_username" \ + --from-literal=groups_claim="groups" \ + --from-literal=redirect_uris="https://secret.bstein.dev/ui/vault/auth/oidc/oidc/callback,http://localhost:8250/oidc/callback" \ + --from-literal=bound_audiences="vault-oidc" \ + --from-literal=admin_group="admin" \ + --from-literal=admin_policies="default,vault-admin" \ + --from-literal=dev_group="dev" \ + --from-literal=dev_policies="default,dev-kv" \ + --from-literal=user_group="dev" \ + --from-literal=user_policies="default,dev-kv" \ + --dry-run=client -o yaml | kubectl -n vault apply -f - >/dev/null diff --git a/services/keycloak/vault-oidc-secret-ensure-job.yaml b/services/keycloak/vault-oidc-secret-ensure-job.yaml new file mode 100644 index 0000000..ce3a1f0 --- /dev/null +++ b/services/keycloak/vault-oidc-secret-ensure-job.yaml @@ -0,0 +1,47 @@ +# services/keycloak/vault-oidc-secret-ensure-job.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: vault-oidc-secret-ensure-1 + namespace: sso +spec: + backoffLimit: 0 + ttlSecondsAfterFinished: 3600 + template: + spec: + serviceAccountName: mas-secrets-ensure + restartPolicy: Never + volumes: + - name: vault-oidc-secret-ensure-script + configMap: + name: vault-oidc-secret-ensure-script + defaultMode: 0555 + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: ["arm64"] + - key: node-role.kubernetes.io/worker + operator: Exists + containers: + - name: apply + image: alpine:3.20 + command: ["/scripts/vault_oidc_secret_ensure.sh"] + env: + - name: KEYCLOAK_ADMIN + valueFrom: + secretKeyRef: + name: keycloak-admin + key: username + - name: KEYCLOAK_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: keycloak-admin + key: password + volumeMounts: + - name: vault-oidc-secret-ensure-script + mountPath: /scripts + readOnly: true diff --git a/services/vault/oidc-config-cronjob.yaml b/services/vault/oidc-config-cronjob.yaml index 15131a8..3960aad 100644 --- a/services/vault/oidc-config-cronjob.yaml +++ b/services/vault/oidc-config-cronjob.yaml @@ -79,6 +79,42 @@ spec: name: vault-oidc-config key: token_policies optional: true + - name: VAULT_OIDC_ADMIN_GROUP + valueFrom: + secretKeyRef: + name: vault-oidc-config + key: admin_group + optional: true + - name: VAULT_OIDC_ADMIN_POLICIES + valueFrom: + secretKeyRef: + name: vault-oidc-config + key: admin_policies + optional: true + - name: VAULT_OIDC_DEV_GROUP + valueFrom: + secretKeyRef: + name: vault-oidc-config + key: dev_group + optional: true + - name: VAULT_OIDC_DEV_POLICIES + valueFrom: + secretKeyRef: + name: vault-oidc-config + key: dev_policies + optional: true + - name: VAULT_OIDC_USER_GROUP + valueFrom: + secretKeyRef: + name: vault-oidc-config + key: user_group + optional: true + - name: VAULT_OIDC_USER_POLICIES + valueFrom: + secretKeyRef: + name: vault-oidc-config + key: user_policies + optional: true - name: VAULT_OIDC_REDIRECT_URIS valueFrom: secretKeyRef: diff --git a/services/vault/scripts/vault_oidc_configure.sh b/services/vault/scripts/vault_oidc_configure.sh index 3cd4a2d..380d772 100644 --- a/services/vault/scripts/vault_oidc_configure.sh +++ b/services/vault/scripts/vault_oidc_configure.sh @@ -23,15 +23,20 @@ fi : "${VAULT_OIDC_CLIENT_ID:?set VAULT_OIDC_CLIENT_ID}" : "${VAULT_OIDC_CLIENT_SECRET:?set VAULT_OIDC_CLIENT_SECRET}" -role="${VAULT_OIDC_DEFAULT_ROLE:-atlas}" +default_role="${VAULT_OIDC_DEFAULT_ROLE:-admin}" scopes="${VAULT_OIDC_SCOPES:-openid profile email groups}" user_claim="${VAULT_OIDC_USER_CLAIM:-preferred_username}" groups_claim="${VAULT_OIDC_GROUPS_CLAIM:-groups}" -token_policies="${VAULT_OIDC_TOKEN_POLICIES:-default}" redirect_uris="${VAULT_OIDC_REDIRECT_URIS:-https://secret.bstein.dev/ui/vault/auth/oidc/oidc/callback}" bound_audiences="${VAULT_OIDC_BOUND_AUDIENCES:-${VAULT_OIDC_CLIENT_ID}}" -bound_claims="${VAULT_OIDC_BOUND_CLAIMS:-}" -bound_claims_type="${VAULT_OIDC_BOUND_CLAIMS_TYPE:-}" +bound_claims_type="${VAULT_OIDC_BOUND_CLAIMS_TYPE:-string}" + +admin_group="${VAULT_OIDC_ADMIN_GROUP:-admin}" +admin_policies="${VAULT_OIDC_ADMIN_POLICIES:-default,vault-admin}" +dev_group="${VAULT_OIDC_DEV_GROUP:-dev}" +dev_policies="${VAULT_OIDC_DEV_POLICIES:-default,dev-kv}" +user_group="${VAULT_OIDC_USER_GROUP:-${dev_group}}" +user_policies="${VAULT_OIDC_USER_POLICIES:-${VAULT_OIDC_TOKEN_POLICIES:-${dev_policies}}}" if ! vault auth list -format=json | grep -q '"oidc/"'; then log "enabling oidc auth method" @@ -43,35 +48,66 @@ vault write auth/oidc/config \ oidc_discovery_url="${VAULT_OIDC_DISCOVERY_URL}" \ oidc_client_id="${VAULT_OIDC_CLIENT_ID}" \ oidc_client_secret="${VAULT_OIDC_CLIENT_SECRET}" \ - default_role="${role}" + default_role="${default_role}" vault auth tune -listing-visibility=unauth oidc >/dev/null -role_args=( - "user_claim=${user_claim}" - "oidc_scopes=${scopes}" - "token_policies=${token_policies}" - "bound_audiences=${bound_audiences}" -) +build_bound_claims() { + local claim="$1" + local groups="$2" + local json + local first=1 + json="{\"${claim}\":[" + IFS=',' read -r -a group_items <<<"${groups}" + for item in "${group_items[@]}"; do + item="${item#"${item%%[![:space:]]*}"}" + item="${item%"${item##*[![:space:]]}"}" + if [[ -z "${item}" ]]; then + continue + fi + if [[ ${first} -eq 0 ]]; then + json+="," + fi + json+="\"${item}\"" + first=0 + done + json+="]}" + printf '%s' "${json}" +} -if [[ -n "${groups_claim}" ]]; then - role_args+=("groups_claim=${groups_claim}") -fi -if [[ -n "${bound_claims}" ]]; then - role_args+=("bound_claims=${bound_claims}") -fi -if [[ -n "${bound_claims_type}" ]]; then - role_args+=("bound_claims_type=${bound_claims_type}") -fi - -IFS=',' read -r -a redirect_items <<<"${redirect_uris}" -for uri in "${redirect_items[@]}"; do - trimmed="${uri#"${uri%%[![:space:]]*}"}" - trimmed="${trimmed%"${trimmed##*[![:space:]]}"}" - if [[ -n "${trimmed}" ]]; then - role_args+=("allowed_redirect_uris=${trimmed}") +configure_role() { + local role_name="$1" + local role_groups="$2" + local role_policies="$3" + if [[ -z "${role_name}" || -z "${role_groups}" || -z "${role_policies}" ]]; then + log "skipping role ${role_name} (missing groups or policies)" + return fi -done + local claims + claims="$(build_bound_claims "${groups_claim}" "${role_groups}")" + local role_args=( + "user_claim=${user_claim}" + "oidc_scopes=${scopes}" + "token_policies=${role_policies}" + "bound_audiences=${bound_audiences}" + "bound_claims=${claims}" + "bound_claims_type=${bound_claims_type}" + ) + if [[ -n "${groups_claim}" ]]; then + role_args+=("groups_claim=${groups_claim}") + fi + IFS=',' read -r -a redirect_items <<<"${redirect_uris}" + for uri in "${redirect_items[@]}"; do + trimmed="${uri#"${uri%%[![:space:]]*}"}" + trimmed="${trimmed%"${trimmed##*[![:space:]]}"}" + if [[ -n "${trimmed}" ]]; then + role_args+=("allowed_redirect_uris=${trimmed}") + fi + done + log "configuring oidc role ${role_name}" + vault write "auth/oidc/role/${role_name}" "${role_args[@]}" +} -log "configuring oidc role ${role}" -vault write "auth/oidc/role/${role}" "${role_args[@]}" +configure_role "admin" "${admin_group}" "${admin_policies}" +configure_role "dev" "${dev_group}" "${dev_policies}" +configure_role "user" "${user_group}" "${user_policies}"