diff --git a/services/vault/oidc-config-cronjob.yaml b/services/vault/oidc-config-cronjob.yaml
index 3960aad..3ea7b53 100644
--- a/services/vault/oidc-config-cronjob.yaml
+++ b/services/vault/oidc-config-cronjob.yaml
@@ -24,7 +24,7 @@ spec:
 image: hashicorp/vault:1.17.6
 imagePullPolicy: IfNotPresent
 command:
- - bash
+ - sh
 - /scripts/vault_oidc_configure.sh
 env:
 - name: VAULT_ADDR
diff --git a/services/vault/scripts/vault_oidc_configure.sh b/services/vault/scripts/vault_oidc_configure.sh
index 380d772..0013866 100644
--- a/services/vault/scripts/vault_oidc_configure.sh
+++ b/services/vault/scripts/vault_oidc_configure.sh
@@ -1,20 +1,20 @@
-#!/usr/bin/env bash
-set -euo pipefail
+#!/usr/bin/env sh
+set -eu
 log() { echo "[vault-oidc] $*"; }
 status_json="$(vault status -format=json || true)"
-if [[ -z "${status_json}" ]]; then
+if [ -z "${status_json}" ]; then
 log "vault status failed; check VAULT_ADDR and VAULT_TOKEN"
 exit 1
 fi
-if ! grep -q '"initialized":true' <<<"${status_json}"; then
+if ! printf '%s' "${status_json}" | grep -q '"initialized":[[:space:]]*true'; then
 log "vault not initialized; skipping"
 exit 0
 fi
-if grep -q '"sealed":true' <<<"${status_json}"; then
+if printf '%s' "${status_json}" | grep -q '"sealed":[[:space:]]*true'; then
 log "vault sealed; skipping"
 exit 0
 fi
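Review bot: The switch to `#!/usr/bin/env sh` and `set -eu` carries no comment explaining why the script was de-bashed, so the next contributor will reintroduce `[[`, arrays or `<<<` and break the CronJob, which now invokes it as `sh /scripts/vault_oidc_configure.sh`; a header such as `# POSIX sh only: the vault image runs this via sh (see oidc-config-cronjob.yaml) - no [[ ]], arrays, local or <<<` would pin that down. Dropping `-o pipefail` is harmless here because the only pipelines are the `printf | grep -q` tests in conditions and a `printf | sed` substitution, where the last stage's status is the one that matters, but that reasoning belongs in the same comment. Since the script now runs under whatever `sh` the image provides, the `echo` in `log()` may interpret backslash escapes in `$*` (dash does, and busybox can be built to), so `log() { printf '[vault-oidc] %s\n' "$*" >&2; }` is the portable form and also keeps diagnostics off stdout.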
@@ -53,59 +53,52 @@ vault write auth/oidc/config \
 vault auth tune -listing-visibility=unauth oidc >/dev/null
 build_bound_claims() {
- local claim="$1"
- local groups="$2"
- local json
- local first=1
+ claim="$1"
+ groups="$2"
 json="{\"${claim}\":["
- IFS=',' read -r -a group_items <<<"${groups}"
- for item in "${group_items[@]}"; do
- item="${item#"${item%%[![:space:]]*}"}"
- item="${item%"${item##*[![:space:]]}"}"
- if [[ -z "${item}" ]]; then
+ first=1
+ old_ifs=$IFS
+ IFS=,
+ for item in $groups; do
+ item="$(printf '%s' "$item" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')"
+ if [ -z "${item}" ]; then
 continue
 fi
- if [[ ${first} -eq 0 ]]; then
- json+=","
+ if [ "${first}" -eq 0 ]; then
+ json="${json},"
 fi
- json+="\"${item}\""
+ json="${json}\"${item}\""
 first=0
 done
- json+="]}"
+ IFS=$old_ifs
+ json="${json}]}"
 printf '%s' "${json}"
 }
 configure_role() {
- local role_name="$1"
- local role_groups="$2"
- local role_policies="$3"
- if [[ -z "${role_name}" || -z "${role_groups}" || -z "${role_policies}" ]]; then
+ role_name="$1"
+ role_groups="$2"
+ role_policies="$3"
+ if [ -z "${role_name}" ] || [ -z "${role_groups}" ] || [ -z "${role_policies}" ]; then
 log "skipping role ${role_name} (missing groups or policies)"
 return
 fi
- local claims
 claims="$(build_bound_claims "${groups_claim}" "${role_groups}")"
- local role_args=(
- "user_claim=${user_claim}"
- "oidc_scopes=${scopes}"
- "token_policies=${role_policies}"
- "bound_audiences=${bound_audiences}"
- "bound_claims=${claims}"
- "bound_claims_type=${bound_claims_type}"
- )
- if [[ -n "${groups_claim}" ]]; then
- role_args+=("groups_claim=${groups_claim}")
+ role_args="user_claim=${user_claim} oidc_scopes=${scopes} token_policies=${role_policies} bound_audiences=${bound_audiences} bound_claims=${claims} bound_claims_type=${bound_claims_type}"
+ if [ -n "${groups_claim}" ]; then
+ role_args="${role_args} groups_claim=${groups_claim}"
 fi
- IFS=',' read -r -a redirect_items <<<"${redirect_uris}"
- for uri in "${redirect_items[@]}"; do
- trimmed="${uri#"${uri%%[![:space:]]*}"}"
- trimmed="${trimmed%"${trimmed##*[![:space:]]}"}"
- if [[ -n "${trimmed}" ]]; then
- role_args+=("allowed_redirect_uris=${trimmed}")
+ old_ifs=$IFS
+ IFS=,
+ for uri in $redirect_uris; do
+ trimmed="$(printf '%s' "$uri" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')"
+ if [ -n "${trimmed}" ]; then
+ role_args="${role_args} allowed_redirect_uris=${trimmed}"
 fi
 done
+ IFS=$old_ifs
 log "configuring oidc role ${role_name}"
- vault write "auth/oidc/role/${role_name}" "${role_args[@]}"
+ vault write "auth/oidc/role/${role_name}" ${role_args}
 }
 configure_role "admin" "${admin_group}" "${admin_policies}"
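Review bot: The unquoted `${role_args}` on the `vault write` line at the end of configure_role rebuilds the removed array by field-splitting a single string, so any value containing whitespace — a group name like "Vault Admins" inside the bound_claims JSON, a space-separated scope list, a redirect URI — is cut into separate words, and because the expansion is unquoted the `[...]` in that JSON also acts as a glob that can match a file name in the working directory; either way bound_claims, which is the role's authorization boundary, ends up rejected or altered rather than written as intended. POSIX sh can still carry a real argument list in the positional parameters: build it with `set --` and pass `"$@"`, as in the excerpt below ($1..$3 are already copied into role_name/role_groups/role_policies, so clobbering them is safe). The same unquoted-expansion concern applies to `for item in $groups` in build_bound_claims and `for uri in $redirect_uris`, which `set -f` near the top of the script (or around the two loops) removes. The trimming idiom that was removed, `${item#"${item%%[![:space:]]*}"}` / `${item%"${item##*[![:space:]]}"}`, is already POSIX, so it could have been kept instead of forking `printf | sed` per element.
```shell
  claims="$(build_bound_claims "${groups_claim}" "${role_groups}")"
  # Carry the arguments in "$@": each key=value stays one word whatever
  # whitespace or glob characters the values contain.
  set -- "user_claim=${user_claim}" "oidc_scopes=${scopes}" \
    "token_policies=${role_policies}" "bound_audiences=${bound_audiences}" \
    "bound_claims=${claims}" "bound_claims_type=${bound_claims_type}"
  if [ -n "${groups_claim}" ]; then
    set -- "$@" "groups_claim=${groups_claim}"
  fi
  old_ifs=$IFS
  IFS=,
  for uri in $redirect_uris; do
    trimmed="$(printf '%s' "$uri" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')"
    if [ -n "${trimmed}" ]; then
      set -- "$@" "allowed_redirect_uris=${trimmed}"
    fi
  done
  IFS=$old_ifs
  log "configuring oidc role ${role_name}"
  vault write "auth/oidc/role/${role_name}" "$@"
```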