bstein/titan-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

vault: run oidc config with sh

Browse Source
This commit is contained in:
Brad Stein 2026-01-14 02:28:38 -03:00
parent 55234f8536
commit c3541b72c3
2 changed files with 34 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
services/vault/oidc-config-cronjob.yaml
View File

@ -24,7 +24,7 @@ spec:
image: hashicorp/vault:1.17.6
imagePullPolicy: IfNotPresent
command:
- bash
- sh
- /scripts/vault_oidc_configure.sh
env:
- name: VAULT_ADDR

73
services/vault/scripts/vault_oidc_configure.sh
View File

@ -1,20 +1,20 @@
#!/usr/bin/env bash
set -euo pipefail
#!/usr/bin/env sh
set -eu
log() { echo "[vault-oidc] $*"; }
status_json="$(vault status -format=json || true)"
if [[ -z "${status_json}" ]]; then
if [ -z "${status_json}" ]; then
log "vault status failed; check VAULT_ADDR and VAULT_TOKEN"
exit 1
fi
if ! grep -q '"initialized":true' <<<"${status_json}"; then
if ! printf '%s' "${status_json}" | grep -q '"initialized":[[:space:]]*true'; then
log "vault not initialized; skipping"
exit 0
fi
if grep -q '"sealed":true' <<<"${status_json}"; then
if printf '%s' "${status_json}" | grep -q '"sealed":[[:space:]]*true'; then
log "vault sealed; skipping"
exit 0
fi
@ -53,59 +53,52 @@ vault write auth/oidc/config \
vault auth tune -listing-visibility=unauth oidc >/dev/null
build_bound_claims() {
local claim="$1"
local groups="$2"
local json
local first=1
claim="$1"
groups="$2"
json="{\"${claim}\":["
IFS=',' read -r -a group_items <<<"${groups}"
for item in "${group_items[@]}"; do
item="${item#"${item%%[![:space:]]*}"}"
item="${item%"${item##*[![:space:]]}"}"
if [[ -z "${item}" ]]; then
first=1
old_ifs=$IFS
IFS=,
for item in $groups; do
item="$(printf '%s' "$item" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')"
if [ -z "${item}" ]; then
continue
fi
if [[ ${first} -eq 0 ]]; then
json+=","
if [ "${first}" -eq 0 ]; then
json="${json},"
fi
json+="\"${item}\""
json="${json}\"${item}\""
first=0
done
json+="]}"
IFS=$old_ifs
json="${json}]}"
printf '%s' "${json}"
}
configure_role() {
local role_name="$1"
local role_groups="$2"
local role_policies="$3"
if [[ -z "${role_name}" || -z "${role_groups}" || -z "${role_policies}" ]]; then
role_name="$1"
role_groups="$2"
role_policies="$3"
if [ -z "${role_name}" ] || [ -z "${role_groups}" ] || [ -z "${role_policies}" ]; then
log "skipping role ${role_name} (missing groups or policies)"
return
fi
local claims
claims="$(build_bound_claims "${groups_claim}" "${role_groups}")"
local role_args=(
"user_claim=${user_claim}"
"oidc_scopes=${scopes}"
"token_policies=${role_policies}"
"bound_audiences=${bound_audiences}"
"bound_claims=${claims}"
"bound_claims_type=${bound_claims_type}"
)
if [[ -n "${groups_claim}" ]]; then
role_args+=("groups_claim=${groups_claim}")
role_args="user_claim=${user_claim} oidc_scopes=${scopes} token_policies=${role_policies} bound_audiences=${bound_audiences} bound_claims=${claims} bound_claims_type=${bound_claims_type}"
if [ -n "${groups_claim}" ]; then
role_args="${role_args} groups_claim=${groups_claim}"
fi
IFS=',' read -r -a redirect_items <<<"${redirect_uris}"
for uri in "${redirect_items[@]}"; do
trimmed="${uri#"${uri%%[![:space:]]*}"}"
trimmed="${trimmed%"${trimmed##*[![:space:]]}"}"
if [[ -n "${trimmed}" ]]; then
role_args+=("allowed_redirect_uris=${trimmed}")
old_ifs=$IFS
IFS=,
for uri in $redirect_uris; do
trimmed="$(printf '%s' "$uri" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')"
if [ -n "${trimmed}" ]; then
role_args="${role_args} allowed_redirect_uris=${trimmed}"
fi
done
IFS=$old_ifs
log "configuring oidc role ${role_name}"
vault write "auth/oidc/role/${role_name}" "${role_args[@]}"
vault write "auth/oidc/role/${role_name}" ${role_args}
}
configure_role "admin" "${admin_group}" "${admin_policies}"