sso: verify metis oidc secret provisioning
This commit is contained in:
parent
6640de9b14
commit
aec3a797a7
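--- a/services/keycloak/oneoffs/metis-oidc-secret-ensure-job.yaml
+++ b/services/keycloak/oneoffs/metis-oidc-secret-ensure-job.yaml
@@ -1,11 +1,11 @@
 # services/keycloak/oneoffs/metis-oidc-secret-ensure-job.yaml
-# One-off job for sso/metis-oidc-secret-ensure-1.
+# One-off job for sso/metis-oidc-secret-ensure-2.
 # Purpose: ensure the Metis oauth2-proxy OIDC client and Vault secret exist.
 # Keep this completed Job around; bump the suffix if it ever needs to be rerun.
 apiVersion: batch/v1
 kind: Job
 metadata:
-name: metis-oidc-secret-ensure-1
+name: metis-oidc-secret-ensure-2
 namespace: sso
 spec:
 backoffLimit: 0
@@ -122,8 +122,17 @@ spec:
 exit 1
 fi
 
-COOKIE_SECRET="$(curl -sS -H "X-Vault-Token: ${vault_token}" \
-"${vault_addr}/v1/kv/data/atlas/maintenance/metis-oidc" | jq -r '.data.data.cookie_secret // empty')"
+read_status="$(curl -sS -o /tmp/metis-oidc-read.json -w "%{http_code}" \
+-H "X-Vault-Token: ${vault_token}" \
+"${vault_addr}/v1/kv/data/atlas/maintenance/metis-oidc" || true)"
+COOKIE_SECRET=""
+if [ "${read_status}" = "200" ]; then
+COOKIE_SECRET="$(jq -r '.data.data.cookie_secret // empty' /tmp/metis-oidc-read.json)"
+elif [ "${read_status}" != "404" ]; then
+echo "Vault read failed (status ${read_status})" >&2
+cat /tmp/metis-oidc-read.json >&2 || true
+exit 1
+fi
 if [ -n "${COOKIE_SECRET}" ]; then
 length="$(printf '%s' "${COOKIE_SECRET}" | wc -c | tr -d ' ')"
 if [ "${length}" != "16" ] && [ "${length}" != "24" ] && [ "${length}" != "32" ]; then
@@ -139,5 +148,23 @@ spec:
 --arg client_secret "${CLIENT_SECRET}" \
 --arg cookie_secret "${COOKIE_SECRET}" \
 '{data:{client_id:$client_id,client_secret:$client_secret,cookie_secret:$cookie_secret}}')"
-curl -sS -X POST -H "X-Vault-Token: ${vault_token}" \
--d "${payload}" "${vault_addr}/v1/kv/data/atlas/maintenance/metis-oidc" >/dev/null
+write_status="$(curl -sS -o /tmp/metis-oidc-write.json -w "%{http_code}" -X POST \
+-H "X-Vault-Token: ${vault_token}" \
+-H 'Content-Type: application/json' \
+-d "${payload}" "${vault_addr}/v1/kv/data/atlas/maintenance/metis-oidc")"
+if [ "${write_status}" != "200" ] && [ "${write_status}" != "204" ]; then
+echo "Vault write failed (status ${write_status})" >&2
+cat /tmp/metis-oidc-write.json >&2 || true
+exit 1
+fi
+
+verify_status="$(curl -sS -o /tmp/metis-oidc-verify.json -w "%{http_code}" \
+-H "X-Vault-Token: ${vault_token}" \
+"${vault_addr}/v1/kv/data/atlas/maintenance/metis-oidc" || true)"
+if [ "${verify_status}" != "200" ]; then
+echo "Vault verify failed (status ${verify_status})" >&2
+cat /tmp/metis-oidc-verify.json >&2 || true
+exit 1
+fi
+
+echo "Metis OIDC secret ready in Vault"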
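Review bot: The verify step added at the end of the third hunk only confirms that the path answers 200 again; it never checks that the value just written is what Vault now holds, so a write that was accepted but landed with a different payload would still print "Metis OIDC secret ready in Vault". After the `verify_status` check, compare the round-tripped value with what was written, e.g. `[ "$(jq -r '.data.data.cookie_secret // empty' /tmp/metis-oidc-verify.json)" = "${COOKIE_SECRET}" ] || { echo "Vault verify failed: cookie_secret mismatch" >&2; exit 1; }`, and the same for `client_id`/`client_secret` if those are meant to be asserted too. The read and verify bodies in `/tmp/metis-oidc-read.json` and `/tmp/metis-oidc-verify.json` contain the full secret on a 200 response, so they should be removed once consumed, e.g. `rm -f /tmp/metis-oidc-read.json /tmp/metis-oidc-write.json /tmp/metis-oidc-verify.json` before the final echo (the non-200 `cat` paths only print Vault error bodies, which is fine). The script these lines belong to begins and ends outside the hunks, so whether `set -e` governs the unguarded `write_status` curl cannot be seen here.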