vault: run oidc config with sh

services/vault/oidc-config-cronjob.yaml

@@ -24,7 +24,7 @@ spec:
               image: hashicorp/vault:1.17.6
               imagePullPolicy: IfNotPresent
               command:
-                - bash
+                - sh
                 - /scripts/vault_oidc_configure.sh
               env:
                 - name: VAULT_ADDR

services/vault/scripts/vault_oidc_configure.sh

@@ -1,20 +1,20 @@
-#!/usr/bin/env bash
+#!/usr/bin/env sh
-set -euo pipefail
+set -eu
 
 log() { echo "[vault-oidc] $*"; }
 
 status_json="$(vault status -format=json || true)"
-if [[ -z "${status_json}" ]]; then
+if [ -z "${status_json}" ]; then
   log "vault status failed; check VAULT_ADDR and VAULT_TOKEN"
   exit 1
 fi
 
-if ! grep -q '"initialized":true' <<<"${status_json}"; then
+if ! printf '%s' "${status_json}" | grep -q '"initialized":[[:space:]]*true'; then
   log "vault not initialized; skipping"
   exit 0
 fi
 
-if grep -q '"sealed":true' <<<"${status_json}"; then
+if printf '%s' "${status_json}" | grep -q '"sealed":[[:space:]]*true'; then
   log "vault sealed; skipping"
   exit 0
 fi
@@ -53,59 +53,52 @@ vault write auth/oidc/config \
 vault auth tune -listing-visibility=unauth oidc >/dev/null
 
 build_bound_claims() {
-  local claim="$1"
+  claim="$1"
-  local groups="$2"
+  groups="$2"
-  local json
-  local first=1
   json="{\"${claim}\":["
-  IFS=',' read -r -a group_items <<<"${groups}"
+  first=1
-  for item in "${group_items[@]}"; do
+  old_ifs=$IFS
-    item="${item#"${item%%[![:space:]]*}"}"
+  IFS=,
-    item="${item%"${item##*[![:space:]]}"}"
+  for item in $groups; do
-    if [[ -z "${item}" ]]; then
+    item="$(printf '%s' "$item" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')"
+    if [ -z "${item}" ]; then
       continue
     fi
-    if [[ ${first} -eq 0 ]]; then
+    if [ "${first}" -eq 0 ]; then
-      json+=","
+      json="${json},"
     fi
-    json+="\"${item}\""
+    json="${json}\"${item}\""
     first=0
   done
-  json+="]}"
+  IFS=$old_ifs
+  json="${json}]}"
   printf '%s' "${json}"
 }
 
 configure_role() {
-  local role_name="$1"
+  role_name="$1"
-  local role_groups="$2"
+  role_groups="$2"
-  local role_policies="$3"
+  role_policies="$3"
-  if [[ -z "${role_name}" || -z "${role_groups}" || -z "${role_policies}" ]]; then
+  if [ -z "${role_name}" ] || [ -z "${role_groups}" ] || [ -z "${role_policies}" ]; then
     log "skipping role ${role_name} (missing groups or policies)"
     return
   fi
-  local claims
   claims="$(build_bound_claims "${groups_claim}" "${role_groups}")"
-  local role_args=(
+  role_args="user_claim=${user_claim} oidc_scopes=${scopes} token_policies=${role_policies} bound_audiences=${bound_audiences} bound_claims=${claims} bound_claims_type=${bound_claims_type}"
-    "user_claim=${user_claim}"
+  if [ -n "${groups_claim}" ]; then
-    "oidc_scopes=${scopes}"
+    role_args="${role_args} groups_claim=${groups_claim}"
-    "token_policies=${role_policies}"
-    "bound_audiences=${bound_audiences}"
-    "bound_claims=${claims}"
-    "bound_claims_type=${bound_claims_type}"
-  )
-  if [[ -n "${groups_claim}" ]]; then
-    role_args+=("groups_claim=${groups_claim}")
   fi
-  IFS=',' read -r -a redirect_items <<<"${redirect_uris}"
+  old_ifs=$IFS
-  for uri in "${redirect_items[@]}"; do
+  IFS=,
-    trimmed="${uri#"${uri%%[![:space:]]*}"}"
+  for uri in $redirect_uris; do
-    trimmed="${trimmed%"${trimmed##*[![:space:]]}"}"
+    trimmed="$(printf '%s' "$uri" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')"
-    if [[ -n "${trimmed}" ]]; then
+    if [ -n "${trimmed}" ]; then
-      role_args+=("allowed_redirect_uris=${trimmed}")
+      role_args="${role_args} allowed_redirect_uris=${trimmed}"
     fi
   done
+  IFS=$old_ifs
   log "configuring oidc role ${role_name}"
-  vault write "auth/oidc/role/${role_name}" "${role_args[@]}"
+  vault write "auth/oidc/role/${role_name}" ${role_args}
 }
 
 configure_role "admin" "${admin_group}" "${admin_policies}"