vault: align oidc roles with keycloak

2026-01-14 02:24:32 -03:00 · 2026-01-14 02:24:32 -03:00 · 55234f8536
commit 55234f8536
parent 50aec198a4
5 changed files with 256 additions and 30 deletions
--- a/services/keycloak/kustomization.yaml
+++ b/services/keycloak/kustomization.yaml
@ -20,6 +20,7 @@ resources:
  - synapse-oidc-secret-ensure-job.yaml
  - logs-oidc-secret-ensure-job.yaml
  - harbor-oidc-secret-ensure-job.yaml
+  - vault-oidc-secret-ensure-job.yaml
  - service.yaml
  - ingress.yaml
 generatorOptions:
@ -35,3 +36,6 @@ configMapGenerator:
  - name: harbor-oidc-secret-ensure-script
    files:
      - harbor_oidc_secret_ensure.sh=scripts/harbor_oidc_secret_ensure.sh
+  - name: vault-oidc-secret-ensure-script
+    files:
+      - vault_oidc_secret_ensure.sh=scripts/vault_oidc_secret_ensure.sh
--- a/services/keycloak/scripts/vault_oidc_secret_ensure.sh
+++ b/services/keycloak/scripts/vault_oidc_secret_ensure.sh
@ -0,0 +1,103 @@
+#!/usr/bin/env sh
+set -euo pipefail
+
+apk add --no-cache curl jq kubectl >/dev/null
+
+KC_URL="http://keycloak.sso.svc.cluster.local"
+ACCESS_TOKEN=""
+for attempt in 1 2 3 4 5; do
+  TOKEN_JSON="$(curl -sS -X POST "$KC_URL/realms/master/protocol/openid-connect/token" \
+    -H 'Content-Type: application/x-www-form-urlencoded' \
+    -d "grant_type=password" \
+    -d "client_id=admin-cli" \
+    -d "username=${KEYCLOAK_ADMIN}" \
+    -d "password=${KEYCLOAK_ADMIN_PASSWORD}" || true)"
+  ACCESS_TOKEN="$(echo "$TOKEN_JSON" | jq -r '.access_token' 2>/dev/null || true)"
+  if [ -n "$ACCESS_TOKEN" ] && [ "$ACCESS_TOKEN" != "null" ]; then
+    break
+  fi
+  echo "Keycloak token request failed (attempt ${attempt})" >&2
+  sleep $((attempt * 2))
+done
+if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
+  echo "Failed to fetch Keycloak admin token" >&2
+  exit 1
+fi
+
+CLIENT_QUERY="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+  "$KC_URL/admin/realms/atlas/clients?clientId=vault-oidc" || true)"
+CLIENT_ID="$(echo "$CLIENT_QUERY" | jq -r '.[0].id' 2>/dev/null || true)"
+
+if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then
+  create_payload='{"clientId":"vault-oidc","enabled":true,"protocol":"openid-connect","publicClient":false,"standardFlowEnabled":true,"implicitFlowEnabled":false,"directAccessGrantsEnabled":false,"serviceAccountsEnabled":false,"redirectUris":["https://secret.bstein.dev/ui/vault/auth/oidc/oidc/callback","http://localhost:8250/oidc/callback"],"webOrigins":["https://secret.bstein.dev"],"rootUrl":"https://secret.bstein.dev","baseUrl":"/"}'
+  status="$(curl -sS -o /dev/null -w "%{http_code}" -X POST \
+    -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+    -H 'Content-Type: application/json' \
+    -d "${create_payload}" \
+    "$KC_URL/admin/realms/atlas/clients")"
+  if [ "$status" != "201" ] && [ "$status" != "204" ]; then
+    echo "Keycloak client create failed (status ${status})" >&2
+    exit 1
+  fi
+  CLIENT_QUERY="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+    "$KC_URL/admin/realms/atlas/clients?clientId=vault-oidc" || true)"
+  CLIENT_ID="$(echo "$CLIENT_QUERY" | jq -r '.[0].id' 2>/dev/null || true)"
+fi
+
+if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then
+  echo "Keycloak client vault-oidc not found" >&2
+  exit 1
+fi
+
+SCOPE_ID="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+  "$KC_URL/admin/realms/atlas/client-scopes?search=groups" | jq -r '.[] | select(.name=="groups") | .id' 2>/dev/null | head -n1 || true)"
+if [ -z "$SCOPE_ID" ] || [ "$SCOPE_ID" = "null" ]; then
+  echo "Keycloak client scope groups not found" >&2
+  exit 1
+fi
+
+DEFAULT_SCOPES="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+  "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/default-client-scopes" || true)"
+OPTIONAL_SCOPES="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+  "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes" || true)"
+
+if ! echo "$DEFAULT_SCOPES" | jq -e '.[] | select(.name=="groups")' >/dev/null 2>&1 \
+  && ! echo "$OPTIONAL_SCOPES" | jq -e '.[] | select(.name=="groups")' >/dev/null 2>&1; then
+  status="$(curl -sS -o /dev/null -w "%{http_code}" -X PUT \
+    -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+    "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes/${SCOPE_ID}")"
+  if [ "$status" != "200" ] && [ "$status" != "201" ] && [ "$status" != "204" ]; then
+    status="$(curl -sS -o /dev/null -w "%{http_code}" -X POST \
+      -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+      "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes/${SCOPE_ID}")"
+    if [ "$status" != "200" ] && [ "$status" != "201" ] && [ "$status" != "204" ]; then
+      echo "Failed to attach groups client scope to vault-oidc (status ${status})" >&2
+      exit 1
+    fi
+  fi
+fi
+
+CLIENT_SECRET="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+  "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/client-secret" | jq -r '.value' 2>/dev/null || true)"
+if [ -z "$CLIENT_SECRET" ] || [ "$CLIENT_SECRET" = "null" ]; then
+  echo "Keycloak client secret not found" >&2
+  exit 1
+fi
+
+kubectl -n vault create secret generic vault-oidc-config \
+  --from-literal=discovery_url="https://sso.bstein.dev/realms/atlas" \
+  --from-literal=client_id="vault-oidc" \
+  --from-literal=client_secret="${CLIENT_SECRET}" \
+  --from-literal=default_role="admin" \
+  --from-literal=scopes="openid profile email groups" \
+  --from-literal=user_claim="preferred_username" \
+  --from-literal=groups_claim="groups" \
+  --from-literal=redirect_uris="https://secret.bstein.dev/ui/vault/auth/oidc/oidc/callback,http://localhost:8250/oidc/callback" \
+  --from-literal=bound_audiences="vault-oidc" \
+  --from-literal=admin_group="admin" \
+  --from-literal=admin_policies="default,vault-admin" \
+  --from-literal=dev_group="dev" \
+  --from-literal=dev_policies="default,dev-kv" \
+  --from-literal=user_group="dev" \
+  --from-literal=user_policies="default,dev-kv" \
+  --dry-run=client -o yaml | kubectl -n vault apply -f - >/dev/null
--- a/services/keycloak/vault-oidc-secret-ensure-job.yaml
+++ b/services/keycloak/vault-oidc-secret-ensure-job.yaml
@ -0,0 +1,47 @@
+# services/keycloak/vault-oidc-secret-ensure-job.yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: vault-oidc-secret-ensure-1
+  namespace: sso
+spec:
+  backoffLimit: 0
+  ttlSecondsAfterFinished: 3600
+  template:
+    spec:
+      serviceAccountName: mas-secrets-ensure
+      restartPolicy: Never
+      volumes:
+        - name: vault-oidc-secret-ensure-script
+          configMap:
+            name: vault-oidc-secret-ensure-script
+            defaultMode: 0555
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: kubernetes.io/arch
+                    operator: In
+                    values: ["arm64"]
+                  - key: node-role.kubernetes.io/worker
+                    operator: Exists
+      containers:
+        - name: apply
+          image: alpine:3.20
+          command: ["/scripts/vault_oidc_secret_ensure.sh"]
+          env:
+            - name: KEYCLOAK_ADMIN
+              valueFrom:
+                secretKeyRef:
+                  name: keycloak-admin
+                  key: username
+            - name: KEYCLOAK_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: keycloak-admin
+                  key: password
+          volumeMounts:
+            - name: vault-oidc-secret-ensure-script
+              mountPath: /scripts
+              readOnly: true
--- a/services/vault/oidc-config-cronjob.yaml
+++ b/services/vault/oidc-config-cronjob.yaml
@ -79,6 +79,42 @@ spec:
                      name: vault-oidc-config
                      key: token_policies
                      optional: true
+                - name: VAULT_OIDC_ADMIN_GROUP
+                  valueFrom:
+                    secretKeyRef:
+                      name: vault-oidc-config
+                      key: admin_group
+                      optional: true
+                - name: VAULT_OIDC_ADMIN_POLICIES
+                  valueFrom:
+                    secretKeyRef:
+                      name: vault-oidc-config
+                      key: admin_policies
+                      optional: true
+                - name: VAULT_OIDC_DEV_GROUP
+                  valueFrom:
+                    secretKeyRef:
+                      name: vault-oidc-config
+                      key: dev_group
+                      optional: true
+                - name: VAULT_OIDC_DEV_POLICIES
+                  valueFrom:
+                    secretKeyRef:
+                      name: vault-oidc-config
+                      key: dev_policies
+                      optional: true
+                - name: VAULT_OIDC_USER_GROUP
+                  valueFrom:
+                    secretKeyRef:
+                      name: vault-oidc-config
+                      key: user_group
+                      optional: true
+                - name: VAULT_OIDC_USER_POLICIES
+                  valueFrom:
+                    secretKeyRef:
+                      name: vault-oidc-config
+                      key: user_policies
+                      optional: true
                - name: VAULT_OIDC_REDIRECT_URIS
                  valueFrom:
                    secretKeyRef:
--- a/services/vault/scripts/vault_oidc_configure.sh
+++ b/services/vault/scripts/vault_oidc_configure.sh
@ -23,15 +23,20 @@ fi
 : "${VAULT_OIDC_CLIENT_ID:?set VAULT_OIDC_CLIENT_ID}"
 : "${VAULT_OIDC_CLIENT_SECRET:?set VAULT_OIDC_CLIENT_SECRET}"

-role="${VAULT_OIDC_DEFAULT_ROLE:-atlas}"
+default_role="${VAULT_OIDC_DEFAULT_ROLE:-admin}"
 scopes="${VAULT_OIDC_SCOPES:-openid profile email groups}"
 user_claim="${VAULT_OIDC_USER_CLAIM:-preferred_username}"
 groups_claim="${VAULT_OIDC_GROUPS_CLAIM:-groups}"
-token_policies="${VAULT_OIDC_TOKEN_POLICIES:-default}"
 redirect_uris="${VAULT_OIDC_REDIRECT_URIS:-https://secret.bstein.dev/ui/vault/auth/oidc/oidc/callback}"
 bound_audiences="${VAULT_OIDC_BOUND_AUDIENCES:-${VAULT_OIDC_CLIENT_ID}}"
-bound_claims="${VAULT_OIDC_BOUND_CLAIMS:-}"
-bound_claims_type="${VAULT_OIDC_BOUND_CLAIMS_TYPE:-}"
+bound_claims_type="${VAULT_OIDC_BOUND_CLAIMS_TYPE:-string}"
+
+admin_group="${VAULT_OIDC_ADMIN_GROUP:-admin}"
+admin_policies="${VAULT_OIDC_ADMIN_POLICIES:-default,vault-admin}"
+dev_group="${VAULT_OIDC_DEV_GROUP:-dev}"
+dev_policies="${VAULT_OIDC_DEV_POLICIES:-default,dev-kv}"
+user_group="${VAULT_OIDC_USER_GROUP:-${dev_group}}"
+user_policies="${VAULT_OIDC_USER_POLICIES:-${VAULT_OIDC_TOKEN_POLICIES:-${dev_policies}}}"

 if ! vault auth list -format=json | grep -q '"oidc/"'; then
  log "enabling oidc auth method"
@ -43,35 +48,66 @@ vault write auth/oidc/config \
  oidc_discovery_url="${VAULT_OIDC_DISCOVERY_URL}" \
  oidc_client_id="${VAULT_OIDC_CLIENT_ID}" \
  oidc_client_secret="${VAULT_OIDC_CLIENT_SECRET}" \
-  default_role="${role}"
+  default_role="${default_role}"

 vault auth tune -listing-visibility=unauth oidc >/dev/null

-role_args=(
+build_bound_claims() {
+  local claim="$1"
+  local groups="$2"
+  local json
+  local first=1
+  json="{\"${claim}\":["
+  IFS=',' read -r -a group_items <<<"${groups}"
+  for item in "${group_items[@]}"; do
+    item="${item#"${item%%[![:space:]]*}"}"
+    item="${item%"${item##*[![:space:]]}"}"
+    if [[ -z "${item}" ]]; then
+      continue
+    fi
+    if [[ ${first} -eq 0 ]]; then
+      json+=","
+    fi
+    json+="\"${item}\""
+    first=0
+  done
+  json+="]}"
+  printf '%s' "${json}"
+}
+
+configure_role() {
+  local role_name="$1"
+  local role_groups="$2"
+  local role_policies="$3"
+  if [[ -z "${role_name}" || -z "${role_groups}" || -z "${role_policies}" ]]; then
+    log "skipping role ${role_name} (missing groups or policies)"
+    return
+  fi
+  local claims
+  claims="$(build_bound_claims "${groups_claim}" "${role_groups}")"
+  local role_args=(
    "user_claim=${user_claim}"
    "oidc_scopes=${scopes}"
-  "token_policies=${token_policies}"
+    "token_policies=${role_policies}"
    "bound_audiences=${bound_audiences}"
-)
-
-if [[ -n "${groups_claim}" ]]; then
+    "bound_claims=${claims}"
+    "bound_claims_type=${bound_claims_type}"
+  )
+  if [[ -n "${groups_claim}" ]]; then
    role_args+=("groups_claim=${groups_claim}")
-fi
-if [[ -n "${bound_claims}" ]]; then
-  role_args+=("bound_claims=${bound_claims}")
-fi
-if [[ -n "${bound_claims_type}" ]]; then
-  role_args+=("bound_claims_type=${bound_claims_type}")
-fi
-
-IFS=',' read -r -a redirect_items <<<"${redirect_uris}"
-for uri in "${redirect_items[@]}"; do
+  fi
+  IFS=',' read -r -a redirect_items <<<"${redirect_uris}"
+  for uri in "${redirect_items[@]}"; do
    trimmed="${uri#"${uri%%[![:space:]]*}"}"
    trimmed="${trimmed%"${trimmed##*[![:space:]]}"}"
    if [[ -n "${trimmed}" ]]; then
      role_args+=("allowed_redirect_uris=${trimmed}")
    fi
-done
+  done
+  log "configuring oidc role ${role_name}"
+  vault write "auth/oidc/role/${role_name}" "${role_args[@]}"
+}

-log "configuring oidc role ${role}"
-vault write "auth/oidc/role/${role}" "${role_args[@]}"
+configure_role "admin" "${admin_group}" "${admin_policies}"
+configure_role "dev" "${dev_group}" "${dev_policies}"
+configure_role "user" "${user_group}" "${user_policies}"